SoftWLC is supposed to be already configured for connecting AP OTT and working with BRAS (all the required services and tariffs are configured, interaction is provided), so their configuration is not given there.
To establish a GRE over IPsec tunnel, the same ESR as used for AP OTT tunnel establishment is applied. Additional setting is not required.
Connection scheme would provide clients with Internet access locally on the ESR-10 connection. Only a GRE over IPsec tunnel will be established to the root. This tunnel will be used for ESR-10 management and client redirection to the authorization portal.
To work with "OTT individual configuration" for ESR-10, the service "Jerry" should be installed. See more in Jerry.
1) only the port gi1/0/1 ESR10 is used for Internet connection;
2) an address is assigned via DHCP. It should contain a default gateway and a DNS server
3) traffic that goes through ESR10 connection point to the Internet should be untagged.
ESR-10 BRAS works at L3, which implies that clients will allways have a separate subnetwork with ESR-10 serving as a default gateway. Then client traffic can go to the Internet from ESR-10 primary address via NAT or via routing. In the second case, NAT provides a client's router with Internet access.
1. ESR-10 connects to the Internet via a client's router. Access points are connected to ESR-10 via a switch using a separate VLAN for SSID that terminates via a sub-interface on ESR-10 uplink and to which clients connect to. ESR-10 provides clients with Internet access using NAT.
2. ESR-10 is connected to a router that provides a client with Internet and is located at a client's network. Access points are connected directly to ESR-10 via a special port. If there are no available ports, a switch can be used. NAT is configured on ESR-10 to connect subscribers to the Internet via its uplink.
Two ways of ESR-10 connection in the OTT mode are possible:
1) prior connection of ESR-10 and its initialization to a certain default domain by a default rule - in this case ESR-10 will be seen in the default domain, but it will not be used for the Internet access until it is put into the required client domain where a custom configuration agreed with a client will be assigned to it.
2) coordination with a client, creating an initialization rule link (with OTT custom configuration specified) by MAC address of ESR-10 that will be installed at a client's, adding all necessary settings to SoftWLC (L2 subnetworks, creating tariffs if needed). In this case, ESR-20 will get a required configuration right after its installation and will be ready to work.
OTT mode is not enabled on ESR-10 in the supply, so the device can be used as a standard router. If router configuration was changed - reset it to factory-config. Router with factory configuration will require to enter a password (enter "password"; when configuration from the Service Activator will be received, the password will be changed):
esr-10(change-expired-password)# password password
esr-10(change-expired-password)# comm
Configuration has been successfully applied and saved to flash. Commit timer started, changes will be reverted in 600 seconds.
2019-02-07T12:15:53+00:00 %CLI-I-CRIT: user admin from console input: commit
esr-10(change-expired-password)# confirm
Configuration has been confirmed. Commit timer canceled.
2019-02-07T12:15:57+00:00 %CLI-I-CRIT: user admin from console input: confirm
esr-10#
To activate the mode, open debug and provide a link to the Service Activator:
esr-10# debug
esr-10(debug)# service-activator url https://sa.example.org:8043
After enabling the mode and receiving/updating the address via DHCP, the Service Activator client will be started and try to connect to the address specified in url.
To disable OTT, delete a line with the Service Activator URL using the command:
esr-10(debug)# no service-activator url
esr-10(debug)# show service-activator url
esr-10(debug)#
To change a link to access the Service Activator, provide a new one and restart ESR-10.
Add a current firmware to the directory /var/lib/eltex-wifi-sa/firmware/
root@softwlc-ott:/tftpboot# mv -v /tftpboot/esr1x-1.6.0-build3.firmware /var/lib/eltex-wifi-sa/firmware/
‘/tftpboot/esr1x-1.6.0-build3.firmware’ -> ‘ /var/lib/eltex-wifi-sa/firmware/esr1x-1.6.0-build3.firmware’
removed ‘/tftpboot/esr1x-1.6.0-build3.firmware’
Edit the file /etc/eltex-wifi-sa/factory-fw.conf by adding a definition for ESR-10 to it:
"ESR-10" {
min = 1.6.0.3
file = esr1x-1.6.0-build3.firmware
}
Restart the service:
root@softwlc-ott:/tftpboot# service eltex-wifi-sa restart
eltex-wifi-sa stop/waiting
eltex-wifi-sa start/running, process 29739
In OTT mode, ESR-10 uses suboption 15 of option 43 via which an address for GRE keepalived is sent. If an address with this option is received, an OTT connection is established successfully. In addition, a default route for management address will not be received that requires generation of a route to SoftWLC management core using option 121.
A default gateway's address for the management subnetwork (172.16.27.1 in the example given) will serve as an address, accessibility of which will be checked by GRE keepalive:
0F:0B:31:37:32:2e:31:36:2e:32:37:2e:31
In the OTT mode, ESR-10 will be connected to the same routers as access points do for GRE over IPsec termination. Therefore, during configuration of option 43, suboption 15 will be added to already existing option 10 via which an address of the SNMP server for access points is generated:
subnet 172.16.27.0 netmask 255.255.255.0 {
pool {
option routers 172.16.27.1;
range 172.16.27.2 172.16.27.254;
option vendor-encapsulated-options 0A:0E:31:39:32:2e:31:36:38:2e:34:32:2e:31:37:38:0f:0b:31:37:32:2e:31:36:2e:32:37:2e:31;
option ms-classless-static-routes 24, 192,168,42, 172,16,27,1;
option rfc3442-classless-static-routes 24, 192,168,42, 172,16,27,1;
option ntp-servers 192.168.42.178;
allow members of "ELTEX-DEVICES";
}
}
Do not forget to define ESR-10 in a rule allowing access only to devices of special types, if such a rule is used. In the example above, it is allow members of "ELTEX-DEVICES";
For the successful connection and initialization under a default rule, create a default configuration for ESR in the section "OTT custom config", create an initialization rule and specify ESR-10 in default link configuration.
1. Open the menu "Wireless" → "AP initialization rules manager", select the tab "OTT custom config" and click "Add".
2. In the opened window, select "Domain", enter the name "default" (any name can be entered, this one just means that the rule will be used in default initialization link). "Device type" will already be selected (ESR-10). Click "Accept".
3. Add the default configuration and click "Accept".
ESR-10 default configuration:
ESR-10 default configuration:
hostname ESR10-OTT-default
object-group network SoftWLC
ip address-range 192.168.42.178
exit
line console
aaa disable
exit
security zone trusted
exit
security zone untrusted
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 192.168.42.178
source-interface bridge 1
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
bridge 1
security-zone trusted
ip address dhcp
ip dhcp client ignore dns-nameserver
ip dhcp client ignore router
enable
exit
interface gigabitethernet 1/0/1
description "UPLink"
ip address dhcp
security-zone untrusted
exit
interface gigabitethernet 1/0/2
shutdown
exit
interface gigabitethernet 1/0/3
shutdown
exit
interface gigabitethernet 1/0/4
shutdown
exit
interface gigabitethernet 1/0/5
shutdown
exit
interface gigabitethernet 1/0/6
shutdown
exit
interface loopback 1
exit
tunnel gre 1
keepalive dhcp dependent-interface bridge 1
keepalive dhcp dependent-interface gi1/0/1
mode ethernet
local address xauth ipsec_vpn
remote address xauth ipsec_vpn management-ip
enable
exit
tunnel gre 1.1
bridge-group 1
snmp init-trap
enable
exit
security zone-pair untrusted self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match source-address SoftWLC
enable
exit
exit
access profile acc_p
exit
security ike proposal ike_prop
exit
security ike policy ike_pol
authentication method xauth-psk-key
authentication mode client
proposal ike_prop
exit
security ike gateway ike_gw
ike-policy ike_pol
assign-interface loopback 1
local interface gigabitethernet 1/0/1
remote network dynamic client
mode policy-based
dead-peer-detection action restart
dead-peer-detection interval 10
exit
security ipsec proposal ipsec_prop
exit
security ipsec policy ipsec_pol
proposal ipsec_prop
exit
security ipsec vpn ipsec_vpn
mode ike
ike establish-tunnel immediate
ike gateway ike_gw
ike ipsec-policy ipsec_pol
enable
exit
ip ssh server
4. Open the menu "AP initialization rules manager", select the tab "Rules" and click "Add":
5. In the opened window:
Select:
1) "Device type" - "ESR-10";
2) "Rule name" - "default OTT" (it is assumed that default OTT link was configured before to connect AP OTT using the same name);
3) "Add AP to RADIUS" - enable this checkbox;
4) "Secret" - "testing123";
5) "Firmware update protocol" - select "FTP";
6) "SNMP transport" - "UDP";
7) "SNMP Community (read only)" - "public11" (minimum community length on ESR is 8 characters);
8) "SNMP Community (read/write)" - "private1";
9) ESR mode - "StationCE" (a new parameter has been added, which means the device interacts with PCRF, and tunnel establishment is not required);
10) "BRAS service" - set this checkbox (ESR-10 in the OTT mode assumes working only with passing local client traffic to the network of the provider for which OTT device is connected).
And click "Accept".
6. In the menu "AP initialization rules manager", open the tab "Links" and select the default OTT link (it is assumed that it was configured before during congiguration of AP OTT connections):
and click "Edit".
7. In the opened window, click the arrow on the right to select "OTT custom config" that will be used by ESR-10 after its connection to the SA.
8. Select the configuration "default" created before and click "Accept".
9. Check the selected configuration:
and click "Accept".
10. Close the window "AP initialization rules manager". Preconfiguration is completed. When connected, ESR-10 will be put into the default domain. After that, it can be put into a client domain and configured according to a client's requirements
Before connecting a client, a connection scheme should be determined (how client traffic will pass from AP). Several ways are possible:
1) user traffic is tagged with a relevant vlan ID and sent to the uplink (gi1/0/1) of ESR-10 connection;
2) user traffic is untagged - in this case, only connection via the interfaces gi1/0/2 - gi1/0/6 is possible;
3) user traffic is tagged, but a special port (not uplink) gi1/0/2-gi1/0/6 ESR-10 is used for connection.
MAC address of ESR-10 that will be set up for a client can be either known or unknown. It will most likely be unknown, so in the example given below, ESR-10 will be put into a default domain by a default link at the first connection, then it will be moved into a required domain. Custom configuration will be assigned to an appeared link. Then reset will be performed for the ESR to get new information.
In the example given below, it is assumed that tagged traffic from a client's access points passes through ESR-10 uplink. Two SSID are used in their respective vlan: SSID 1 VID 701 and SSID2 VID 702, they come to the same bridge with location SSID12.
Configuration of services and tariffs is done in the same way as for the classic scheme with BRAS. Existing services and tariffs can be used. New ones can also be created. In the example given, it is assumed that a new service and tariff are created for the scheme with OTT. The WELCOME service remains the same.
1. Open the Admin Panel, select the tab "Services and tariffs" → "PCRF services" and click "Add":
1) "Service's name" - "OTTinternet";
2) "Domain" - specify a domain;
3) "Traffic's class" - "INTERNET";
4) "Account interim interval" - "600";
5) "Priority" - "10";
6) "Ability transition of IP flows" - select "Allow IP flow both direction".
Click "Save".
2. Open the tab "Services and tariffs" → "Tariffs", select a filter "PCRF/BRAS" and click "Add":
1) "Name" - tariff name;
2) "Tariff's code" - tariff code;
3) "Domain" - tariff domain (it should be the same as a domain of a service that will be used in the tariff);
4) "Time of session life" - "12" hours;
5) "Time of session life if user is inactive" - "10" minutes;
6) "Account interim interval" - "600" seconds;
7) "Services" - select the service "OTTinternet" configured before;
And click "Save".
Portal configuration is done in the same way as for the classic scheme with BRAS. An existing portal can be used. New one can also be created. In the example below, a new portal will be created. BRAS interaction is assumed to have been configured.
1. Open the Portal Constructor, click "New portal":
1) "Virtual portal name" - enter the name;
2) "Domain" - select a domain;
Click "Save".
2. Open the menu "Tariffs". Delete the default tariff for AP and add the tariff "OTT_bras" created before.
Click "Save".
SSID configuration and linking is done in the same way as for tariffs using BRAS: "Wireless" → "SSID Manager" → "Add SSID":
Configuring SSID1.
Select the mode "tunnel" in the field "VAP traffic mode" to provide an opportunity to use shapers on ESR-10 in BRAS mode (for such SSID shaper profiles are created).
SSID2 is configured in a similar way:
Create links to a domain where ESR-10 will be put.
L2 subnetworks are created in the "Admin Panel". As IP address is assigned to a management device via DHCP, it can be changed during operation. To do this, a special type of L2 subnetworks has been implemented for the OTT scheme (and for any scheme using BRAS on ESR-10) - "MAC, static". The main marker for determining L2 subnetwork affiliation is NAS MAC. NAS IP is updated in the following cases:
1) management address is changed (SNMP trap of ESR-10 presence is sent to the same MAC from another address);
2) during initialization;
3) during reinitialization.
In these cases, the entry "Notify PCRF about IP changes for MAC-based subnets" will be added to the log.
In the example given, two L2 subnetworks will be required - for SSID1 and SSID2.
In the Admin Panel, open the tab "PCRF settings" → "L2 subnets" and click "Add":
Enter:
Name - "SSID1";
1) "NAS IP" - do not fill (but if necessary, IP address can be specified or changed manually);
2) "Type" - select "MAC, static", enter ESR-10 MAC address;
3) "VRF" - check "Default VRF value";
4) "Location" - specify location gi1/0/1.701 (sub-interface to which traffic will come from SSID1);
5) "Service domain" - select SSID service domain;
6) "AP domain" - select a domain into which ESR-10 will be put.
7) "SSID" - select a required SSID (SSID1 in this case);
Click "Save".
Configure a L2 subnetwork for SSID2 in a similar way:
1. Open the menu "AP initialization rule manager", select the tab "OTT custom config" and click "Add":
Fill in the fields "Name" and "Domain", the field "Device type" will be already filled with "ESR-10". Click "Accept".
2. In the opened window, specify the configuration:
Configuration
hostname ESR10-OTT-of1
object-group service dns
port-range 53
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service snmp
port-range 161-162
exit
object-group service redirect
port-range 3128-3129
port-range 3130-3131
exit
object-group network natpool
ip prefix 192.168.1.0/24
exit
object-group network SoftWLC
ip address-range 192.168.42.178
exit
radius-server timeout 10
radius-server retransmit 5
radius-server host 192.168.42.178
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 11
priority 20
source-interface bridge 1
auth-port 31812
acct-port 31813
retransmit 10
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 192.168.42.178
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
line console
aaa disable
exit
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone user
exit
ip access-list extended WELCOME
rule 1
action permit
match protocol tcp
match destination-port 443
enable
exit
rule 2
action permit
match protocol tcp
match destination-port 8443
enable
exit
rule 3
action permit
match protocol tcp
match destination-port 80
enable
exit
rule 4
action permit
match protocol tcp
match destination-port 8080
enable
exit
exit
ip access-list extended INTERNET
rule 1
action permit
enable
exit
exit
ip access-list extended unauthUSER
rule 1
action permit
match protocol udp
match source-port 68
match destination-port 67
enable
exit
rule 2
action permit
match protocol udp
match destination-port 53
enable
exit
exit
subscriber-control filters-server-url http://192.168.42.178:7070/filters/file
subscriber-control
aaa das-profile COA
aaa sessions-radius-profile PCRF
aaa services-radius-profile PCRF
nas-interface bridge 1
session mac-authentication
bypass-traffic-acl unauthUSER
default-service
class-map unauthUSER
filter-name remote gosuslugi
filter-action permit
default-action redirect http://192.168.42.178:8080/eltex_portal/
session-timeout 600
exit
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 192.168.42.178
source-interface bridge 1
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
bridge 1
security-zone trusted
ip address dhcp
ip dhcp client ignore dns-nameserver
ip dhcp client ignore router
enable
exit
bridge 11
security-zone user
ip address 192.168.1.1/24
service-subscriber-control any
location SSID12
enable
exit
interface gigabitethernet 1/0/1
description "UPLink"
ip address dhcp
security-zone untrusted
exit
interface gigabitethernet 1/0/1.701
bridge-group 11
exit
interface gigabitethernet 1/0/1.702
bridge-group 11
exit
interface gigabitethernet 1/0/2
shutdown
exit
interface gigabitethernet 1/0/3
shutdown
exit
interface gigabitethernet 1/0/4
shutdown
exit
interface gigabitethernet 1/0/5
shutdown
exit
interface gigabitethernet 1/0/6
shutdown
exit
interface loopback 1
exit
tunnel gre 1
keepalive retries 3
keepalive dhcp dependent-interface bridge 1
keepalive dhcp dependent-interface gi1/0/1
mode ethernet
local address xauth ipsec_vpn
remote address xauth ipsec_vpn management-ip
enable
exit
tunnel gre 1.1
bridge-group 1
snmp init-trap
enable
exit
security zone-pair untrusted self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
enable
exit
exit
security zone-pair user untrusted
rule 10
action permit
enable
exit
exit
security zone-pair user self
rule 10
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 20
action permit
match protocol tcp
match destination-port redirect
enable
exit
rule 30
action permit
match protocol udp
match destination-port dns
enable
exit
exit
access profile acc_p
exit
security ike proposal ike_prop
exit
security ike policy ike_pol
authentication method xauth-psk-key
authentication mode client
proposal ike_prop
exit
security ike gateway ike_gw
ike-policy ike_pol
assign-interface loopback 1
local interface gigabitethernet 1/0/1
remote network dynamic client
mode policy-based
dead-peer-detection action restart
dead-peer-detection interval 10
exit
security ipsec proposal ipsec_prop
exit
security ipsec policy ipsec_pol
proposal ipsec_prop
exit
security ipsec vpn ipsec_vpn
mode ike
ike establish-tunnel immediate
ike gateway ike_gw
ike ipsec-policy ipsec_pol
enable
exit
nat source
ruleset NAT
to interface gigabitethernet 1/0/1
rule 10
match source-address natpool
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool lan
network 192.168.1.0/24
max-lease-time 000:00:20
default-lease-time 000:00:10
address-range 192.168.1.2-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.123.0.2
exit
and click "Accept".
A link between OTT custom configuration and ESR can be created in two ways:
1) A default OTT link was used for ESR-10, and it was put into the default domain
In thic case, ESR-10 MAC address becomes known after device installation.
1. Find it in the OTT device initialization default domain, select it and put into a required domain:
after the device is moved, A custom OTT link will be created.
2. Open "Wireless" → "AP initialization rules manager" → "OTT links" and find a link:
3. Select the link found and click "Edit":
4. In the opened window, click the arrow to the right of "OTT custom config" and select a configuration corresponding to this ESR-10 in the opened window.
click "Accept".
5. "OTT custom config" has changed for this link:
click "Accept".
Close "AP initialization rule manager".
5. Click the right mouse button on "ESR-10" and select "Device tools" → "Reboot the device".
After some time, the device will reset, request the SA and get a new configuration.
6. After device configuration, perform reinitialization by rule link. To do this, select a domain where the device is initialized, open the tab "Device list" and select ESR-10 in the section "Group operations" → "AP reinitialization by rule". Click "Execute":
The status of implementation can be seen in the panel "Tasks" of the appeared task.
7. After that, the device is ready to go - performance check can be done.
1. Creating an initialization rule for ESR-10 in the OTT mode. Open the tab "Wireless" → "AP initialization rules manager" → "Rules" and click "Add":
Select:
1) "Device type" - "ESR-10";
2) "Rule name" - "ESR-10-OTT" (another name can be specified);
3) "Add AP to RADIUS" - enable this checkbox;
4) "Secret" - "testing123";
5) "Firmware update protocol" - select "FTP";
6) "SNMP transport" - "UDP";
7) "SNMP Community (read only)" - "public11" (minimum community length on ESR is 8 characters);
8) "SNMP Community (read/write)" - "private1";
9) ESR mode - "StationCE" (a new parameter has been added, which means the device interacts with PCRF, and tunnel establishment is not required);
10) "BRAS service" - set this checkbox (ESR-10 in the OTT mode assumes working only with passing local client traffic to the network of the provider for which OTT device is connected).
And click "Accept".
2. Open the tab "Wireless" → "AP initialization rules manager" → "Links" and click "Add":
In the opened window specify:
1) "Device name" - the name that will be displayed in EMS;
2) "Key" - ESR-10 MAC address;
3) "Rule name" - select an initialization rule created before;
4) "Node domain" - specify the domain for device initialization;
5) OTT (Over-the-top) - enable this checkbox;
6) OTT custom config - select configuration created for the client.
Click "Accept":
It can be seen that initialization rule link has been performed successfully.
ESR-10 will be initialized within a required domain and ready to go right after its activation.
Configuration received by ESR-10 from the Service Activator (hereinafter the "SA") consists of two parts - the first one contains IPsec parameters, update-timer, wait-timer, administrator password (admin) in JSON format. The second part contains CLI configuration in text format as set of CLI commands. All the parameters are keeped in one file.
If a part containing CLI in SA response received is empty, an error has occurred. This configuration will not be applied, an error code will be sent to the SA. ESR-10 will request the SA upon wait-timer expiry.
If a configuration contains wrong and non-existent commands, such a configuration will not be applied, an error code will be sent to the SA. ESR-10 will request the SA upon wait-timer expiry.
If a configuration contains incomplete settings that require other settings to be enabled, such a configuration will be applied, but incomplete settings will not be enabled.
If a configuration contains settings that are also passed by the Service Activator in IPsec connection parameters, the ones specified in the configuration will be used.
Configuration received by ESR-10 from the SA in the CLI part, is created in the tab "OTT custom config" of the meny "AP initialization rules manager". Parts of configuration containing uplink, IPsec, GRE settings, should be described in a certain way. Their change is unacceptable, as it will lead to configuration disability after applying (in this case, ESR will rollback to factory-config via ESR-10 wait-timer and send the error message to the SA).
OTT connection establishment implies having suboption 15 of option 43 when getting an address by the management interface (it will always be bridge 1). If an address with this option has not been received during wait-timer, connection is considered as failed. Configuration will rollback to factory-config, and the error message will be sent to the Service Activator. A request to the Service Activator will be repeated on the wait-timer expiry.
Untagged client traffic from SSID should not be passed via uplinks.
It is recommended to use a bridge with subinterfaces or physical interfaces for client termination. If BRAS is used on a physical interface or on a subinterface, it will require configuring two L2 subnetworks for each interface (the first subnetwork will contain location with the interface; the second one will contain the interface in the format of gi1/0/2 or gi1/0/2.100)
For a default initialization rule, create a configuration "default" and provide a minimum necessary configuration to establish IPsec, get a management address and sent a presence trap to the system. Configuration name may differ. ESR-10 will appear in the default domain with this configuration. There will be an opportunity to manage it via EMS, but clients cannot work with this configuration. This configuration will be used only in situations when MAC address of a client's ESR-10 is unknown. After that, ESR-10 should be put into another domain. Another custom link will be created for it, and it will be possible to choose another custom configuration. A custom link can be also created in advance with required configuration provided for a client.
An example of ESR-10 configuration after applying parameters from SA is given below. Parameters that should not be specified in "OTT custom config" are shaded gray.
hostname ESR10-OTT
object-group network SoftWLC
ip address-range 192.168.42.178
exit
line console #Deny access fron the console to ESR10
aaa disable
exit
security zone trusted
exit
security zone untrusted
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 192.168.42.178
source-interface bridge 1
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
bridge 1 #bridge 1 will also be used for management, settings should remain the same
security-zone trusted
ip address dhcp
ip dhcp client ignore router
enable
exit
interface gigabitethernet 1/0/1 #The interface gi1/0/1 will always be used as an uplink, settings should remain the same
description "UPLink"
ip address dhcp
security-zone untrusted
exit
interface gigabitethernet 1/0/2
shutdown
exit
interface gigabitethernet 1/0/3
shutdown
exit
interface gigabitethernet 1/0/4
shutdown
exit
interface gigabitethernet 1/0/5
shutdown
exit
interface gigabitethernet 1/0/6
shutdown
exit
interface loopback 1
exit
tunnel gre 1 #GRE tunnel number is reserved - it should not be changed
mtu 1356 #do not specify - will be received from the SA (ipsec gre-mtu-offset)
keepalive retries 3 #do not specify - will be received from the SA (ipsec gre-ping-counter)
keepalive dst-address 10.2.0.1 #do not specify - will be received via DHCP in suboption 15 of option 43
keepalive dhcp dependent-interface bridge 1
keepalive dhcp dependent-interface gi1/0/1
keepalive enable #do not specify - GRE keepalive will be enabled automatically when received via DHCP in suboption 15 of option 43
mode ethernet
local address xauth ipsec_vpn #the address will be received via mode-cfg when establishing IPsec connection, the name IPsec VPN is reserved and cannot be changed
remote address xauth ipsec_vpn management-ip #the address will be received via mode-cfg when establishing IPsec connection, the name IPsec VPN is reserved and cannot be changed
enable
exit
tunnel gre 1.1 #sub-GRE tunnel number is reserved and cannot be changed
bridge-group 1
mtu 1352 #do not specify - will be received from the SA (ipsec gre-mtu-offset)
snmp init-trap
enable
exit
security zone-pair untrusted self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match source-address SoftWLC
enable
exit
exit
access profile acc_p #the name is reserved and cannot be changed
user a8:f9:4b:ab:81:20 #do not specify - will be received from the SA (ipsec xauth-user)
password ascii-text encrypted 9FB30B49E43D47FAC32E0994C89C75B81313F0F038CC02FC #do not specify - will be received from the SA (ipsec xauth-password)
exit
exit
security ike proposal ike_prop #the name is reserved and cannot be changed
authentication algorithm md5 #do not specify - will be received from the SA (ipsec auth-alg)
encryption algorithm aes128 #do not specify - will be received from the SA (ipsec encrypt-alg)
dh-group 1 #do not specify - will be received from the SA (ipsec dh-group)
exit
security ike policy ike_pol #the name is reserved and cannot be changed
lifetime seconds 86400 #do not specify - will be received from the SA (ipsec lifetime)
pre-shared-key ascii-text testing123 #do not specify - will be received from the SA (ipsec password)
authentication method xauth-psk-key
authentication mode client
proposal ike_prop
exit
security ike gateway ike_gw #the name is reserved and cannot be changed
ike-policy ike_pol
assign-interface loopback 1
local interface gigabitethernet 1/0/1
remote address 100.64.0.1 #do not specify - will be received from the SA (ipsec remote-gateway)
remote network dynamic client
mode policy-based
dead-peer-detection action restart
dead-peer-detection interval 10
dead-peer-detection timeout 60 #will be received from the SA (ipsec dpd-delay)
xauth access-profile acc_p client a8:f9:4b:ab:81:20 #do not specify - will be generated on the base of xauth-user received from the SA
exit
security ipsec proposal ipsec_prop #the name is reserved and cannot be changed
authentication algorithm md5 #do not specify - will be received from the SA (ipsec sa-auth-alg)
encryption algorithm aes128 #do not specify - will be received from the SA (ipsec sa-encrypt-alg)
exit
security ipsec policy ipsec_pol #the name is reserved and cannot be changed
lifetime seconds 3600 #do not specify - will be received from the SA (ipsec sa-lifetime)
proposal ipsec_prop
exit
security ipsec vpn ipsec_vpn #the name is reserved and cannot be changed
mode ike
ike establish-tunnel immediate
ike gateway ike_gw
ike ipsec-policy ipsec_pol
enable
exit
ip ssh server
Finally, the following configuration will be obtained and written to custom-config
Configuration in custom-config
hostname ESR10-OTT
object-group network SoftWLC
ip address-range 100.123.0.2
exit
syslog console debug
syslog monitor info
line console
aaa disable
exit
security zone trusted
exit
security zone untrusted
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 100.123.0.2
source-interface bridge 1
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
bridge 1
security-zone trusted
ip address dhcp
ip dhcp client ignore router
enable
exit
interface gigabitethernet 1/0/1
description "UPLink"
ip address dhcp
security-zone untrusted
service-policy dynamic all
exit
interface gigabitethernet 1/0/2
shutdown
exit
interface gigabitethernet 1/0/3
shutdown
exit
interface gigabitethernet 1/0/4
shutdown
exit
interface gigabitethernet 1/0/5
shutdown
exit
interface gigabitethernet 1/0/6
shutdown
exit
interface loopback 1
exit
tunnel gre 1
keepalive dhcp dependent-interface bridge 1
keepalive dhcp dependent-interface gi1/0/1
mode ethernet
local address xauth ipsec_vpn
remote address xauth ipsec_vpn management-ip
enable
exit
tunnel gre 1.1
bridge-group 1
snmp init-trap
enable
exit
security zone-pair untrusted self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match source-address SoftWLC
enable
exit
exit
access profile acc_p
exit
security ike proposal ike_prop
exit
security ike policy ike_pol
authentication method xauth-psk-key
authentication mode client
proposal ike_prop
exit
security ike gateway ike_gw
ike-policy ike_pol
assign-interface loopback 1
local interface gigabitethernet 1/0/1
remote network dynamic client
mode policy-based
dead-peer-detection action restart
dead-peer-detection interval 10
exit
security ipsec proposal ipsec_prop
exit
security ipsec policy ipsec_pol
proposal ipsec_prop
exit
security ipsec vpn ipsec_vpn
mode ike
ike establish-tunnel immediate
ike gateway ike_gw
ike ipsec-policy ipsec_pol
enable
exit
ip ssh serverDefault part of the configuration used for OTT installation remains the same. A client termination interface (bridge) on which BRAS works is added to it. Tagged traffic from SSID is received via subinterfaces that are grouped into a client bridge. To do that, any interfaces including uplink ones can be used. Untagged traffic from SSID can be received via ports gi1/0/2-6 (uplink gi1/0/1 should not be used for this purpose). To tag traffic in access mode, the same vlan as in bridge settings is used. Clients access the Internet using NAT via a current uplink address.
Configuration in which Internet access is provided via gi1/0/1, traffic from SSID1 and SSID1 comes to the same port with the tags 2314 and 2315 respectively. Both vlans are grouped into one client bridge 11 using subinterfaces. Clients access the Internet via NAT using the uplink gi1/0/1.
Configuration
hostname ESR10-OTT-BR-1
ip firewall sessions classification enable
object-group service dns
port-range 53
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service redirect
port-range 3128-3129
port-range 3130-3131
exit
object-group network natpool
ip prefix 198.19.253.0/24
exit
object-group network SoftWLC
ip address-range 192.168.42.178
exit
radius-server timeout 10
radius-server retransmit 5
radius-server host 192.168.42.178
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 11
priority 20
source-interface bridge 1
auth-port 31812
acct-port 31813
retransmit 10
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 192.168.42.178
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
line console
aaa disable
exit
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone user
exit
ip access-list extended WELCOME
rule 1
action permit
match protocol tcp
match destination-port 443
enable
exit
rule 2
action permit
match protocol tcp
match destination-port 8443
enable
exit
rule 3
action permit
match protocol tcp
match destination-port 80
enable
exit
rule 4
action permit
match protocol tcp
match destination-port 8080
enable
exit
exit
ip access-list extended INTERNET
rule 1
action permit
enable
exit
exit
ip access-list extended unauthUSER
rule 1
action permit
match protocol udp
match source-port 68
match destination-port 67
enable
exit
rule 2
action permit
match protocol udp
match destination-port 53
enable
exit
exit
subscriber-control filters-server-url http://192.168.42.178:7070/filters/file
subscriber-control
aaa das-profile COA
aaa sessions-radius-profile PCRF
aaa services-radius-profile PCRF
nas-interface bridge 1
session mac-authentication
bypass-traffic-acl unauthUSER
default-service
class-map unauthUSER
filter-name remote gosuslugi
filter-action permit
default-action redirect http://192.168.42.178:8080/eltex_portal/
session-timeout 600
exit
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 192.168.42.178
source-interface bridge 1
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
bridge 1
security-zone trusted
ip address dhcp
ip dhcp client ignore dns-nameserver
ip dhcp client ignore router
enable
exit
bridge 11
security-zone user
ip address 198.19.253.1/24
service-subscriber-control any
location SSID12
enable
exit
interface gigabitethernet 1/0/1
description "UPLink"
ip address dhcp
security-zone untrusted
service-policy dynamic all
exit
interface gigabitethernet 1/0/1.2314
bridge-group 11
exit
interface gigabitethernet 1/0/1.2315
bridge-group 11
exit
interface gigabitethernet 1/0/2
shutdown
exit
interface gigabitethernet 1/0/3
shutdown
exit
interface gigabitethernet 1/0/4
shutdown
exit
interface gigabitethernet 1/0/5
shutdown
exit
interface gigabitethernet 1/0/6
shutdown
exit
interface loopback 1
exit
tunnel gre 1
keepalive retries 3
keepalive dhcp dependent-interface bridge 1
keepalive dhcp dependent-interface gi1/0/1
mode ethernet
local address xauth ipsec_vpn
remote address xauth ipsec_vpn management-ip
enable
exit
tunnel gre 1.1
bridge-group 1
snmp init-trap
enable
exit
security zone-pair untrusted self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
enable
exit
exit
security zone-pair user untrusted
rule 10
action permit
enable
exit
exit
security zone-pair user self
rule 10
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 20
action permit
match protocol tcp
match destination-port redirect
enable
exit
rule 30
action permit
match protocol udp
match destination-port dns
enable
exit
exit
access profile acc_p
exit
security ike proposal ike_prop
exit
security ike policy ike_pol
authentication method xauth-psk-key
authentication mode client
proposal ike_prop
exit
security ike gateway ike_gw
ike-policy ike_pol
assign-interface loopback 1
local interface gigabitethernet 1/0/1
remote network dynamic client
mode policy-based
dead-peer-detection action restart
dead-peer-detection interval 10
exit
security ipsec proposal ipsec_prop
exit
security ipsec policy ipsec_pol
proposal ipsec_prop
exit
security ipsec vpn ipsec_vpn
mode ike
ike establish-tunnel immediate
ike gateway ike_gw
ike ipsec-policy ipsec_pol
enable
exit
nat source
ruleset NAT
to interface gigabitethernet 1/0/1
rule 10
match source-address natpool
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool lan
network 198.19.253.0/24
max-lease-time 000:00:20
default-lease-time 000:00:10
address-range 198.19.253.2-198.19.253.254
default-router 198.19.253.1
dns-server 198.19.253.1
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 192.168.42.178
exit
Configuration in which uplink is connected via gi1/0/1, and access points are connected via gi1/0/2 - tagged traffic with the tag 701; gi1/0/3 - untagged traffic that will be tagged with 701.
Configuration
hostname ESR10-OTT-BRip firewall sessions classification enableroot login enabletech-support login enableobject-group service dns port-range 53exitobject-group service dhcp_server port-range 67exitobject-group service dhcp_client port-range 68exitobject-group service redirect port-range 3128-3129 port-range 3130-3131exitobject-group network natpool ip prefix 198.19.253.0/24exitobject-group network SoftWLC ip address-range 192.168.42.178exitvlan 701exitradius-server timeout 10radius-server retransmit 5radius-server host 192.168.42.178 key ascii-text encrypted 88B11079B9014FAAF7B9 timeout 11 priority 20 source-interface bridge 1 auth-port 31812 acct-port 31813 retransmit 10 dead-interval 10exitaaa radius-profile PCRF radius-server host 192.168.42.178exitdas-server COA key ascii-text encrypted 88B11079B9014FAAF7B9 port 3799 clients object-group SoftWLCexitaaa das-profile COA das-server COAexitline console aaa disableexitdomain lookup enablesecurity zone trustedexitsecurity zone untrustedexitsecurity zone userexitip access-list extended WELCOME rule 1 action permit match protocol tcp match destination-port 443 enable exit rule 2 action permit match protocol tcp match destination-port 8443 enable exit rule 3 action permit match protocol tcp match destination-port 80 enable exit rule 4 action permit match protocol tcp match destination-port 8080 enable exitexitip access-list extended INTERNET rule 1 action permit enable exitexitip access-list extended unauthUSER rule 1 action permit match protocol udp match source-port 68 match destination-port 67 enable exit rule 2 action permit match protocol udp match destination-port 53 enable exitexitsubscriber-control filters-server-url http://192.168.42.178:7070/filters/filesubscriber-control aaa das-profile COA aaa sessions-radius-profile PCRF aaa services-radius-profile PCRF nas-interface bridge 1 session mac-authentication bypass-traffic-acl unauthUSER default-service class-map unauthUSER filter-name remote gosuslugi filter-action permit default-action redirect http://192.168.42.178:8080/eltex_portal/ session-timeout 600 exit enableexitsnmp-serversnmp-server system-shutdownsnmp-server community "public11" rosnmp-server community "private1" rwsnmp-server host 192.168.42.178 source-interface bridge 1exitsnmp-server enable trapssnmp-server enable traps configsnmp-server enable traps config commitsnmp-server enable traps config confirmsnmp-server enable traps environmentsnmp-server enable traps environment memory-flash-critical-lowsnmp-server enable traps environment memory-flash-lowsnmp-server enable traps environment memory-ram-critical-lowsnmp-server enable traps environment memory-ram-lowsnmp-server enable traps environment cpu-loadsnmp-server enable traps environment cpu-critical-tempsnmp-server enable traps environment cpu-overheat-tempsnmp-server enable traps environment cpu-supercooling-tempsnmp-server enable traps file-operationssnmp-server enable traps file-operations successfulsnmp-server enable traps file-operations failedsnmp-server enable traps file-operations canceledsnmp-server enable traps interfacessnmp-server enable traps interfaces rx-utilization-highsnmp-server enable traps interfaces tx-utilization-highsnmp-server enable traps interfaces number-highsnmp-server enable traps brassnmp-server enable traps bras sessions-number-highsnmp-server enable traps screensnmp-server enable traps screen dest-limitsnmp-server enable traps screen source-limitsnmp-server enable traps screen icmp-thresholdsnmp-server enable traps screen udp-thresholdsnmp-server enable traps screen syn-floodsnmp-server enable traps screen landsnmp-server enable traps screen winnukesnmp-server enable traps screen icmp-fragsnmp-server enable traps screen udp-fragsnmp-server enable traps screen icmp-largesnmp-server enable traps screen syn-fragsnmp-server enable traps screen unknown-protosnmp-server enable traps screen ip-fragsnmp-server enable traps screen port-scansnmp-server enable traps screen ip-sweepsnmp-server enable traps screen syn-finsnmp-server enable traps screen fin-no-acksnmp-server enable traps screen no-flagsnmp-server enable traps screen spoofingsnmp-server enable traps screen reservedsnmp-server enable traps screen quenchsnmp-server enable traps screen echo-requestsnmp-server enable traps screen time-exceededsnmp-server enable traps screen unreachablesnmp-server enable traps screen tcp-all-flagssnmp-server enable traps entitysnmp-server enable traps entity config-changesnmp-server enable traps entity-sensorsnmp-server enable traps entity-sensor thresholdsnmp-server enable traps envmonsnmp-server enable traps envmon shutdownsnmp-server enable traps envmon temperaturesnmp-server enable traps flashsnmp-server enable traps flash insertionsnmp-server enable traps flash removalsnmp-server enable traps snmpsnmp-server enable traps snmp authenticationsnmp-server enable traps snmp coldstartbridge 1 security-zone trusted ip address dhcp ip dhcp client ignore dns-nameserver ip dhcp client ignore router enableexitbridge 2 vlan 701 security-zone user ip address 198.19.253.1/24 service-subscriber-control any location SSID12 enableexitinterface gigabitethernet 1/0/1 description "UPLink" ip address dhcp security-zone untrusted service-policy dynamic allexitinterface gigabitethernet 1/0/2.702 bridge-group 2exitinterface gigabitethernet 1/0/3 mode switchport switchport access vlan 701exitinterface gigabitethernet 1/0/4 shutdownexitinterface gigabitethernet 1/0/5 shutdownexitinterface gigabitethernet 1/0/6 shutdownexitinterface loopback 1exittunnel gre 1 keepalive retries 3 keepalive dhcp dependent-interface bridge 1 keepalive dhcp dependent-interface gi1/0/1 mode ethernet local address xauth ipsec_vpn remote address xauth ipsec_vpn management-ip enableexittunnel gre 1.1 bridge-group 1 snmp init-trap enableexitsecurity zone-pair untrusted self rule 1 action permit match protocol icmp enable exitexitsecurity zone-pair trusted self rule 1 action permit enable exitexitsecurity zone-pair user untrusted rule 10 action permit enable exitexitsecurity zone-pair user self rule 10 action permit match protocol udp match source-port dhcp_client match destination-port dhcp_server enable exit rule 20 action permit match protocol tcp match destination-port redirect enable exit rule 30 action permit match protocol udp match destination-port dns enable exitexitaccess profile acc_pexitsecurity ike proposal ike_propexitsecurity ike policy ike_pol authentication method xauth-psk-key authentication mode client proposal ike_propexitsecurity ike gateway ike_gw ike-policy ike_pol assign-interface loopback 1 local interface gigabitethernet 1/0/1 remote network dynamic client mode policy-based dead-peer-detection action restart dead-peer-detection interval 10 dead-peer-detection timeout 60exitsecurity ipsec proposal ipsec_propexitsecurity ipsec policy ipsec_pol proposal ipsec_propexitsecurity ipsec vpn ipsec_vpn mode ike ike establish-tunnel immediate ike gateway ike_gw ike ipsec-policy ipsec_pol enableexitnat source ruleset NAT to interface gigabitethernet 1/0/1 rule 10 match source-address natpool action source-nat interface enable exit exitexitip dhcp-serverip dhcp-server pool lan network 198.19.253.0/24 max-lease-time 000:00:20 default-lease-time 000:00:10 address-range 198.19.253.2-198.19.253.254 default-router 198.19.253.1 dns-server 198.19.253.1exitip telnet serverip ssh serverclock timezone gmt +7ntp enablentp server 192.168.42.178exit If a connection error occurs, ESR-10 will reset to factory configuration and send and error code to the SA. After 5 minutes or after expiry of the wait-timer, if it has been received, connect to the SA again.
error code | description |
0 | Error in application of configuration received from the SA |
3 | Incorrect IPsec parameters in case if some IPsec parameters are empty |
16 | Suboption 15 of option 43 containing an address for GRE keepalive has not been received on the management interface during wait timer |
17 | Empty data in the section "OTT custom config" of the SA response |