
General information

An example of a fault-tolerant scheme for connecting ESRs operating in wireless-controller mode is shown in Fig. 1:

Fig. 1.

As can be seen from the scheme shown in Fig. 1:

  • ESR redundancy is performed using the VRRP protocol, according to the "Active-Standby" scheme;
  • to exclude the switch to which the ESR is connected as a single point of failure, stacking switches are included using link aggregation. The physical links of the ESR used in the aggregated link are included in different switches of the stack.

Traffic is processed by the ESR VRRP MASTER. If it fails, VRRP mastery passes to the ESR VRRP BACKUP. Redundancy of the last-mile router (the NAT router in Fig. 1) is not covered here; it can be achieved in the same way with VRRP or with a different connection scheme (see Configuring ESR in wireless-controller mode with last-mile router redundancy).

When using link aggregation on the ESR, sub-interfaces cannot be created on the "port-channel" interface.

Connection scheme

The connection scheme is described using the real addressing shown in Table 1.

Table 1.

Description                                                  | Bridge    | VLAN | Subnetwork        | ESR VRRP MASTER IP address | VRRP IP                              | ESR VRRP BACKUP IP address
GRE termination addresses                                    | bridge 1  | 2308 | 192.168.200.16/28 | 192.168.200.19/28          | 192.168.200.17/32, 192.168.200.18/32 | 192.168.200.20/28
AP addresses configuration subnetwork (secondary addresses)  | bridge 3  | 3    | 10.255.252.0/23   | 10.255.252.2/23            | 10.255.252.1/32                      | 10.255.252.3/23
Subnetwork for interaction with SoftWLC                      | bridge 4  | 2300 | 100.123.0.0/24    | 100.123.0.173/24           | 100.123.0.174/32                     | 100.123.0.175/24
Access to the Internet                                       | bridge 5  | 2301 | 172.16.0.0/28     | 172.16.0.2/28              | 172.16.0.4/32                        | 172.16.0.3/28
SSID1 AP clients subnetwork                                  | bridge 10 | 10   | 198.18.148.0/22   | 198.18.148.2/22            | 198.18.148.1/32                      | 198.18.148.3/22
SSID2 AP clients subnetwork                                  | bridge 11 | 11   | 198.18.152.0/22   | 198.18.152.2/22            | 198.18.152.1/32                      | 198.18.152.3/22
Primary AP addresses subnetwork                              | --        | 100  | 192.168.240.0/23  | --                         | --                                   | --

The network scheme is shown in Fig.2:

Fig. 2.

A schematic diagram of the ESR configuration architecture is shown in Fig. 3:

Fig. 3.

  1. Access to the Internet is performed in vlan 2301, using the default gateway 172.16.0.1 (router-NAT) for the default route. User traffic leaves by routing to router-NAT, which performs NAT translation of user addresses to the Internet.
  2. The ESR control network is located in vlan 2300, subnet 100.123.0.0/24, which is also used for interaction with the SoftWLC complex (IP address 100.123.0.2).
  3. APs receive their primary IP address from the 192.168.240.0/23 network via a DHCP relay (switch/router) from the DHCP server installed on the SoftWLC server. In option 43, suboptions 11 and 12, two addresses are passed for raising the GRE tunnels: 192.168.200.17 and 192.168.200.18 (see the description of How to configure option 43, and other DHCP configuration aspects). In this case, all traffic from the APs is untagged. The APs raise two EoGRE tunnels from the primary address received via DHCP to the addresses received in suboptions 11 and 12:
        - the Management GRE tunnel to the address 192.168.200.17 carries the AP management traffic with vlan id = 1;
        - the Data GRE tunnel to the address 192.168.200.18 carries, with vlan id = N, the traffic of users connected to the SSIDs configured on the AP (in this example vlans 10 and 11).
  4. Through the Management GRE tunnel (vlan id 1) DHCP requests are received from the AP and redirected to SoftWLC by the DHCP relay on the ESR. The DHCP server configured on SoftWLC issues the AP an IP address from the network 10.255.252.0/23; the gateway is bridge 3 of the ESR with the address 10.255.252.1. In option 43.10 the address of the SoftWLC server is passed: 100.123.0.2 (see the description of How to configure option 43, and other DHCP configuration aspects). The same address is used to exchange service information between the AP and SoftWLC.
  5. SSID 1 and SSID 2 are configured on the AP using the SoftWLC complex and tag user traffic with vlan 10 and 11 respectively. All user traffic from vlans 10 and 11 is forwarded inside the Data GRE tunnel to the ESR. DHCP client requests are forwarded to SoftWLC by the DHCP relay on the ESR. Users of bridge 10 of the ESR get addresses from the network 198.18.148.0/22, gateway address 198.18.148.1; users of bridge 11 get addresses from the network 198.18.152.0/22, gateway address 198.18.152.1.

As can be seen from the addressing in Table 1 and the scheme in Fig. 3, six VRRP instances are used in the configuration, one on every interface. This is necessary so that both ESRs appear as one device from the routing point of view (EMS and PCRF communicate with both ESRs using their real addresses).

There are the following requirements for VRRP configuration:

  • All VRRP instances must be included in the same group, in this example this would be "vrrp group 1". This will ensure that all instances in the same group will always be in the same VRRP MASTER or BACKUP state and will prevent a non-consistent VRRP state where the same ESR has different VRRP states on different interfaces.
  • All VRRP instances of each router must have the same priority - in the current example, for the ESR VRRP MASTER is 200 and for the ESR VRRP BACKUP is 100.
  • The current example uses the "vrrp preempt disable" setting, which prevents a higher priority VRRP instance from capturing mastery if the lower priority instance is already in the master state - it must be configured the same on all routers (you can choose not to use this setting, but doing so will cause the higher priority VRRP router to always capture mastery, which can lead to unwanted mastery switches).

To enable VRRP on each ESR bridge, configure the following:

bridge <bridge number>
  vrrp id <VRRP instance ID>
  vrrp ip <VRRP IP address>
  vrrp priority <priority>
  vrrp group <group number>
  vrrp preempt disable
  vrrp
exit

VRRP announcement filtering must also be enabled on the bridge interfaces of the AP management address subnet and of the user subnets:

bridge <№>
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
exit

The "ports vrrp filtering enable" setting will prevent VRRP announcements from being sent to user tunnels, and the "ports vrrp filtering exclude vlan" setting will allow VRRP announcements to be sent to the Bridge vlan for VRRP to work correctly.

Important!

If the "vrrp preempt disable" setting is not used, it is necessary to set "vrrp preempt delay <time in seconds>" to at least 180 seconds in the VRRP configurations on the interfaces. This will prevent the higher priority router from immediately seizing mastery after booting. If this is not done, the router that captured the VRRP mastery after booting will not have time to synchronize the state of the AP tunnels and they will be brought up again as the AP triggers the gre keepalive mechanism.
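As an added example (not from the page and not an Eltex tool), the following Python script checks a MASTER/BACKUP pair of ESR configurations against the requirements above: one common VRRP group, a single priority per router, "vrrp preempt disable" on every instance (or else a preempt delay of at least 180 s), identical VRRP addresses on both routers, and no VRRP address that is also a real interface address. The sample configurations are constructed from the addressing in Table 1 and trimmed to the lines the check reads; the function names are my own.

```python
MIN_PREEMPT_DELAY = 180  # seconds, from the "Important!" note on this page


def parse_bridges(config):
    """Return {bridge_number: [stripped lines]} for every 'bridge N' ... 'exit' block."""
    bridges, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("bridge "):
            current = int(line.split()[1])
            bridges[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line:
            bridges[current].append(line)
    return bridges


def vrrp_facts(lines):
    """Pick the VRRP-relevant settings out of one bridge block (addresses without prefix length)."""
    f = {"real": None, "vips": set(), "priority": None, "group": None,
         "preempt_disable": False, "preempt_delay": 0, "enabled": False}
    for line in lines:
        w = line.split()
        if line.startswith("ip address "):
            f["real"] = w[2].split("/")[0]
        elif line.startswith("vrrp ip "):
            f["vips"].add(w[2].split("/")[0])  # a trailing 'secondary' does not matter here
        elif line.startswith("vrrp priority "):
            f["priority"] = int(w[2])
        elif line.startswith("vrrp group "):
            f["group"] = int(w[2])
        elif line == "vrrp preempt disable":
            f["preempt_disable"] = True
        elif line.startswith("vrrp preempt delay "):
            f["preempt_delay"] = int(w[3])
        elif line == "vrrp":
            f["enabled"] = True
    return f


def check_pair(master_cfg, backup_cfg):
    """Return findings for a MASTER/BACKUP pair; an empty list means the pair is consistent."""
    sides, findings = {}, []
    for name, cfg in (("MASTER", master_cfg), ("BACKUP", backup_cfg)):
        facts = {b: vrrp_facts(l) for b, l in parse_bridges(cfg).items()}
        sides[name] = {b: f for b, f in facts.items() if f["enabled"]}
    groups = {f["group"] for s in sides.values() for f in s.values()}
    if len(groups) != 1:
        findings.append(f"VRRP instances are not all in one group: {sorted(map(str, groups))}")
    for name, facts in sides.items():
        prios = {f["priority"] for f in facts.values()}
        if len(prios) != 1:
            findings.append(f"{name}: VRRP priorities differ across bridges: {sorted(map(str, prios))}")
        for b, f in facts.items():
            if not f["preempt_disable"] and f["preempt_delay"] < MIN_PREEMPT_DELAY:
                findings.append(f"{name} bridge {b}: neither 'vrrp preempt disable' nor a preempt "
                                f"delay of at least {MIN_PREEMPT_DELAY} s")
    for b in sorted(set(sides["MASTER"]) & set(sides["BACKUP"])):
        m, k = sides["MASTER"][b], sides["BACKUP"][b]
        if m["vips"] != k["vips"]:
            findings.append(f"bridge {b}: VRRP IPs differ: MASTER {sorted(m['vips'])} vs BACKUP {sorted(k['vips'])}")
    # A VRRP address must never be the real address of an interface on either router.
    reals = {f["real"] for s in sides.values() for f in s.values()}
    for name, facts in sides.items():
        for b, f in facts.items():
            for vip in sorted(f["vips"] & reals):
                findings.append(f"{name} bridge {b}: VRRP IP {vip} is also a real interface address")
    return findings


# Constructed sample: bridges 1 and 4 from Table 1, trimmed to the lines this check reads.
GOOD_MASTER = """\
bridge 1
  ip address 192.168.200.19/28
  vrrp ip 192.168.200.17/32
  vrrp ip 192.168.200.18/32 secondary
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
exit
bridge 4
  ip address 100.123.0.173/24
  vrrp ip 100.123.0.174/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
exit
"""
# The BACKUP differs only in its real addresses and VRRP priority, as the text states.
GOOD_BACKUP = (GOOD_MASTER.replace("192.168.200.19/28", "192.168.200.20/28")
               .replace("100.123.0.173/24", "100.123.0.175/24")
               .replace("vrrp priority 200", "vrrp priority 100"))
# Constructed mistake: the MASTER's VRRP address on bridge 4 typed as the BACKUP's real address.
BAD_MASTER = GOOD_MASTER.replace("vrrp ip 100.123.0.174/32", "vrrp ip 100.123.0.175/32")

if __name__ == "__main__":
    for label, cfg in (("Table 1 pair", GOOD_MASTER), ("mistyped VRRP IP", BAD_MASTER)):
        print(label + ":", check_pair(cfg, GOOD_BACKUP) or "consistent")
```

Run it against the "show running-config" output of both routers before enabling VRRP; a mistyped VRRP address is reported twice, once as a mismatch between the routers and once as a collision with a real interface address, which is exactly the kind of error that produces a split master state rather than a clean failover.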

ESR configuration

ESR configuration is considered using the example based on the scheme shown in Fig. 3. The wireless-controller configuration uses the SoftGRE dynamic tunnel configuration profile. Do not forget that a license is required to access the wireless-controller functionality (more details can be found in Configuring ESR by connecting AP via L3 access network (WiFi L3 diagram)).

Configure the necessary initial settings, they will be the same for both ESRs:

 ESR VRRP MASTER/BACKUP
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group network MGMT
  ip prefix 192.168.200.16/28
  ip prefix 10.255.252.0/23
exit
object-group network SoftWLC
  ip address-range 100.123.0.2
exit

no spanning-tree

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit

vlan 3,10,11,2300-2301,2308
exit

ip dhcp-relay

ip telnet server
ip ssh server

Configure the port-channel interface, assign the required VLANs to it and add the physical interfaces to it; this configuration is also the same on both ESRs:

 ESR VRRP MASTER/BACKUP
interface port-channel 1
  mode switchport
  switchport forbidden default-vlan
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,10-11,2300-2301,2308 tagged
exit
interface gigabitethernet 1/0/1
  mode switchport
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
  mode switchport
  channel-group 1 mode auto
exit

If tengigabitethernet interfaces are used in the port-channel, the speed must be specified explicitly on the port-channel interface:

interface port-channel 1
  mode switchport
  speed 10G
exit
interface tengigabitethernet 1/0/1
  mode switchport
  channel-group 1 mode auto
exit
interface tengigabitethernet 1/0/2
  mode switchport
  channel-group 1 mode auto
exit

For gigabit interfaces "speed 1000M" is the default value and is not displayed in the configuration.


Next, configure the Bridge type interfaces for vlan termination and VRRP operation:

 ESR VRRP MASTER
bridge 1
  vlan 2308
  security-zone gre
  ip address 192.168.200.19/28
  vrrp id 1
  vrrp ip 192.168.200.17/32
  vrrp ip 192.168.200.18/32 secondary
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  enable
exit
bridge 3
  vlan 3
  unknown-unicast-forwarding disable
  security-zone trusted
  ip address 10.255.252.2/23
  ip helper-address 100.123.0.2
  vrrp id 3
  vrrp ip 10.255.252.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 4
  vlan 2300
  security-zone trusted
  ip address 100.123.0.173/24
  vrrp id 23
  vrrp ip 100.123.0.174/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  enable
exit
bridge 5
  vlan 2301
  security-zone untrusted
  ip address 172.16.0.2/28
  vrrp id 5
  vrrp ip 172.16.0.4/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400  
  enable
exit
bridge 10
  vlan 10
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.148.2/22
  vrrp id 10
  vrrp ip 198.18.148.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data10
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 11
  vlan 11
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.152.2/22
  ip helper-address 100.123.0.2
  vrrp id 11
  vrrp ip 198.18.152.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data11
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
 ESR VRRP BACKUP
bridge 1
  vlan 2308
  security-zone gre
  ip address 192.168.200.20/28
  vrrp id 1
  vrrp ip 192.168.200.17/32
  vrrp ip 192.168.200.18/32 secondary
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  enable
exit
bridge 3
  vlan 3
  unknown-unicast-forwarding disable
  security-zone trusted
  ip address 10.255.252.3/23
  ip helper-address 100.123.0.2
  vrrp id 3
  vrrp ip 10.255.252.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 4
  vlan 2300
  security-zone trusted
  ip address 100.123.0.175/24
  vrrp id 23
  vrrp ip 100.123.0.174/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  enable
exit
bridge 5
  vlan 2301
  security-zone untrusted
  ip address 172.16.0.3/28
  vrrp id 5
  vrrp ip 172.16.0.4/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400  
  enable
exit
bridge 10
  vlan 10
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.148.3/22
  vrrp id 10
  vrrp ip 198.18.148.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data10
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 11
  vlan 11
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.152.3/22
  ip helper-address 100.123.0.2
  vrrp id 11
  vrrp ip 198.18.152.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data11
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit

As you can see from the configuration above, the settings differ only in terms of IP addresses and VRRP priority value.

Let us configure routing: specify the default route and the route to the subnet of the primary addresses of the AP:

 ESR VRRP MASTER/BACKUP
ip route 0.0.0.0/0 172.16.0.1
ip route 192.168.240.0/23 192.168.200.21

Configure the interaction with the RADIUS server:

 ESR VRRP MASTER
radius-server host 100.123.0.2
  key ascii-text testing123
  timeout 2
  source-address 100.123.0.173
  auth-port 31812
  acct-port 31813
  retransmit 3
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text testing123
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit
 ESR VRRP BACKUP
radius-server host 100.123.0.2
  key ascii-text testing123
  timeout 2
  source-address 100.123.0.175
  auth-port 31812
  acct-port 31813
  retransmit 3
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text testing123
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

Configure the wireless-controller:

 ESR VRRP MASTER
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.17
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.18
  default-profile
  enable
exit

wireless-controller
  peer-address 100.123.0.175
  nas-ip-address 100.123.0.173
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
 ESR VRRP BACKUP
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.17
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.18
  default-profile
  enable
exit

wireless-controller
  peer-address 100.123.0.173
  nas-ip-address 100.123.0.175
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit

Note the "vrrp-group 1" parameter in the wireless-controller settings: with it, the router in the VRRP master state transmits information about the tunnels raised for the APs to the neighbour specified in "peer-address", and the router in the VRRP backup state builds the AP tunnels from the received information.

Configure the firewall:

 ESR VRRP MASTER/BACKUP
security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol icmp
    enable
  exit
  rule 3
    action permit
    match protocol vrrp
    enable
  exit
exit

security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit

security zone-pair trusted trusted 
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit

security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit

security zone-pair trusted gre
  rule 1
    action permit
    enable
  exit
exit

security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit

security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit

security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit

security zone-pair untrusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

Note that VRRP traffic is allowed for all security zones in the self direction.
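Added example, not part of the original page: a Python audit of the zone-pair policy that reads "security zone-pair" blocks and reports (a) any zone hosting a VRRP bridge that lacks an enabled permit rule for protocol vrrp towards self, which would leave that zone's VRRP instance unable to hear its peer, and (b) zone-pairs whose permit rule has no match condition, so the operator can confirm those broad permits are intended. The sample policy is a constructed, trimmed version of the one above; the zone set is taken from the security-zone lines of the bridges on this page.

```python
# Zones hosting a VRRP bridge on this page: bridge 1 (gre), 3 and 4 (trusted), 5 (untrusted), 10 and 11 (user).
ZONES_WITH_VRRP = {"gre", "trusted", "untrusted", "user"}


def parse_zone_pairs(config):
    """Parse 'security zone-pair SRC DST' blocks into {(src, dst): [rule dicts]}."""
    pairs, pair, rule = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("security zone-pair "):
            pair = tuple(line.split()[2:4])
            pairs[pair] = []
        elif pair and line.startswith("rule "):
            rule = {"id": int(line.split()[1]), "action": None, "match": [], "enabled": False}
            pairs[pair].append(rule)
        elif rule and line.startswith("action "):
            rule["action"] = line.split()[1]
        elif rule and line.startswith("match "):
            rule["match"].append(line[len("match "):])
        elif rule and line == "enable":
            rule["enabled"] = True
        elif line == "exit":
            # the first 'exit' closes the open rule, the next one closes the zone-pair
            rule, pair = (None, pair) if rule else (None, None)
    return pairs


def missing_vrrp_to_self(pairs, zones):
    """Zones with no enabled permit rule for 'protocol vrrp' towards self (sorted)."""
    return sorted(z for z in zones
                  if not any(r["enabled"] and r["action"] == "permit" and "protocol vrrp" in r["match"]
                             for r in pairs.get((z, "self"), [])))


def unrestricted_permits(pairs):
    """Zone-pairs containing an enabled permit rule without any match condition (sorted)."""
    return sorted(p for p, rules in pairs.items()
                  if any(r["enabled"] and r["action"] == "permit" and not r["match"] for r in rules))


# Constructed sample: a trimmed version of the zone-pair policy on this page.
SAMPLE_POLICY = """\
security zone-pair gre self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
"""

if __name__ == "__main__":
    pairs = parse_zone_pairs(SAMPLE_POLICY)
    print("zones without a VRRP-to-self permit:", missing_vrrp_to_self(pairs, ZONES_WITH_VRRP))
    print("zone-pairs with an unconditional permit:", unrestricted_permits(pairs))
```

A rule that is present but not enabled counts as missing, since the ESR firewall ignores it; the second check is informational only, because the page deliberately permits all traffic from trusted to user and gre and from user to untrusted.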

The complete ESR configuration is as follows:

 ESR VRRP MASTER
#!/usr/bin/clish
#18
#1.11.4
hostname esr-master

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit

object-group network MGMT
  ip prefix 192.168.200.16/28
  ip prefix 10.255.252.0/23
exit
object-group network SoftWLC
  ip address-range 100.123.0.2
exit

radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 2
  source-address 100.123.0.173
  auth-port 31812
  acct-port 31813
  retransmit 3
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 3,10-11,2300-2301,2308
exit

no spanning-tree

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit


bridge 1
  vlan 2308
  security-zone gre
  ip address 192.168.200.19/28
  vrrp id 1
  vrrp ip 192.168.200.17/32
  vrrp ip 192.168.200.18/32 secondary
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  enable
exit
bridge 3
  vlan 3
  unknown-unicast-forwarding disable
  security-zone trusted
  ip address 10.255.252.2/23
  ip helper-address 100.123.0.2
  vrrp id 3
  vrrp ip 10.255.252.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 4
  vlan 2300
  security-zone trusted
  ip address 100.123.0.173/24
  vrrp id 23
  vrrp ip 100.123.0.174/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  enable
exit
bridge 5
  vlan 2301
  security-zone untrusted
  ip address 172.16.0.2/28
  vrrp id 5
  vrrp ip 172.16.0.4/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  enable
exit
bridge 10
  vlan 10
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.148.2/22
  vrrp id 10
  vrrp ip 198.18.148.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data10
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 11
  vlan 11
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.152.2/22
  ip helper-address 100.123.0.2
  vrrp id 11
  vrrp ip 198.18.152.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data11
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit

interface port-channel 1
  mode switchport
  switchport forbidden default-vlan
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,10-11,2300-2301,2308 tagged
exit
interface gigabitethernet 1/0/1
  mode switchport
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
  mode switchport
  channel-group 1 mode auto
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.17
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.18
  default-profile
  enable
exit

security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol icmp
    enable
  exit
  rule 3
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit


ip dhcp-relay

ip route 0.0.0.0/0 172.16.0.1
ip route 192.168.240.0/23 192.168.200.21

wireless-controller
  peer-address 100.123.0.175
  nas-ip-address 100.123.0.173
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server
 ESR VRRP BACKUP
#!/usr/bin/clish
#18
#1.11.4
hostname esr-backup

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit

object-group network MGMT
  ip prefix 192.168.200.16/28
  ip prefix 10.255.252.0/23
exit
object-group network SoftWLC
  ip address-range 100.123.0.2
exit

radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 2
  source-address 100.123.0.175
  auth-port 31812
  acct-port 31813
  retransmit 3
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 3,10-11,2300-2301,2308
exit

no spanning-tree

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit


bridge 1
  vlan 2308
  security-zone gre
  ip address 192.168.200.20/28
  vrrp id 1
  vrrp ip 192.168.200.17/32
  vrrp ip 192.168.200.18/32 secondary
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  enable
exit
bridge 3
  vlan 3
  unknown-unicast-forwarding disable
  security-zone trusted
  ip address 10.255.252.3/23
  ip helper-address 100.123.0.2
  vrrp id 3
  vrrp ip 10.255.252.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 4
  vlan 2300
  security-zone trusted
  ip address 100.123.0.175/24
  vrrp id 23
  vrrp ip 100.123.0.174/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  enable
exit
bridge 5
  vlan 2301
  security-zone untrusted
  ip address 172.16.0.3/28
  vrrp id 5
  vrrp ip 172.16.0.4/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  enable
exit
bridge 10
  vlan 10
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.148.3/22
  vrrp id 10
  vrrp ip 198.18.148.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data10
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 11
  vlan 11
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.152.3/22
  ip helper-address 100.123.0.2
  vrrp id 11
  vrrp ip 198.18.152.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data11
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit

interface port-channel 1
  mode switchport
  switchport forbidden default-vlan
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,10-11,2300-2301,2308 tagged
exit
interface gigabitethernet 1/0/1
  mode switchport
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
  mode switchport
  channel-group 1 mode auto
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.17
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.18
  default-profile
  enable
exit

security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol icmp
    enable
  exit
  rule 3
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit


ip dhcp-relay

ip route 192.168.240.0/23 192.168.200.21
ip route 0.0.0.0/0 172.16.0.1

wireless-controller
  peer-address 100.123.0.173
  nas-ip-address 100.123.0.175
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server

Adding an ESR to the EMS tree

Both ESRs, with real interface addresses 100.123.0.173 and 100.123.0.175 respectively, should be added to the EMS tree. The VRRP address 100.123.0.174 is used as the gateway for routes to the AP management and WiFi user subnets; it does not appear anywhere in the EMS.

Add ESR-VRRP-MASTER: open EMS, select the node under which the ESR is to be added and click the "+" button at the top left of the node tree:

Fig. 4.

In the window that opens, in the field:

  • "Object name" - specify an arbitrary ESR name, here "ESR-VRRP-MASTER".
  • "Type" - select the equipment type corresponding to the ESR model used, "ESR1000".
  • "IP address" - specify the ESR management address "100.123.0.173".

Click the "Add" button.

After that, select the added ESR (if it does not appear in the tree, click the button above it) and open the "Access" tab on the right:

Fig. 5.

In the opened window edit the fields:

  • "File protocol" - choose "FTP".
  • "Read community" - specify the name of SNMP RO community, configured earlier "public11".
  • "Write community" - specify the name of SNMP RW community, configured earlier "private1".
  • "Add the VRRP" - check the box. This setting must be enabled when using redundancy with VRRP for the tunnel destruction functionality to work correctly on ESR.

When adding ESR-100/200, the value of the "ESR mode" field will be "StationCE".

In this case it is necessary to change the field value to "Station", otherwise such ESR will not be used to build data tunnels for AP.

Change the RADIUS password (key) used for interaction with the ESR. To do this, open "RADIUS" → "Access Point Management" in the EMS menu. Select the previously added ESR (with a large number of devices you can filter by ESR IP address) and click the "Edit" button:

Fig. 6.

In the opened window in the "Key" field set the previously configured for ESR key "testing123" and click "Accept".

Similarly, add ESR-VRRP-BACKUP using its real address 100.123.0.175.

Possible network failure cases

Below we consider how user traffic flows during normal operation and during network failures.

Network operational state

Figure 7 shows the operational state of the network.

Fig. 7.

The AP encapsulates the traffic of WiFi users connected to the SSID in GRE; it is routed to the ESR VRRP MASTER (which is in the VRRP MASTER state), where it is decapsulated and then routed to the Internet. The ESR VRRP BACKUP does not participate in traffic processing.

Failure of one of the stack switches

Figure 8 shows the failure state of one of the stack switches to which ESR VRRP MASTER and BACKUP are connected:

Fig. 8.

In this situation, one of the physical interfaces (gi1/0/1 or gi1/0/2) belonging to the port-channel on both ESRs is disconnected. But since the remaining port-channel interfaces, connected to the other stack switch, stay in operation, the scheme remains fully functional and there is no change in traffic flow compared to the state before the failure.

Failure of an ESR in the VRRP master state

Figure 9 shows the failure of an ESR in the VRRP MASTER state:

Fig. 9.

In this situation, the ESR VRRP BACKUP, upon detecting the absence of VRRP announcements, switches to the VRRP MASTER state and begins processing traffic in the same manner as the ESR VRRP MASTER did previously.

Recovery from a failure of an ESR that has a higher VRRP priority

Figure 10 depicts a situation where the ESR VRRP MASTER has returned to operation after a failure:

Fig. 10.

After the ESR VRRP MASTER is brought back online and has booted, it detects VRRP announcements from the ESR VRRP BACKUP, which is in the VRRP master state. Because of the "vrrp preempt disable" setting on the VRRP interfaces, it stays in the VRRP backup state and does not attempt a master takeover. Traffic continues to flow through the ESR VRRP BACKUP, as it did during the failure.

Appendices

Different versions of the spanning-tree protocol family may be used on the switches to which the ESR connects. In this case it is possible that, after the ESR boots, the switch ports it is plugged into do not immediately enter the "forwarding" state and pass traffic. While the ports are blocked the ESR hears no VRRP announcements and has time to switch to the VRRP MASTER state, so once traffic starts passing, the ESR with the higher VRRP priority takes over mastery. There are two ways to avoid this:

  1. Use a switch-side configuration to allow the ports to which the ESR is connected to transition immediately to the "forwarding" state, or disable the spanning-tree protocol.
  2. On all ESR interfaces using VRRP protocol, increase the interval of sending messages with the command "vrrp timers advertise" up to the time required for the switch ports to go to the "forwarding" state. But as a result of this configuration, the failure of ESR VRRP MASTER will be detected only after the specified time interval, which will increase the time of traffic switching to the backup ESR.
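To make the trade-off in item 2 concrete, here is an added example (not from the page; it assumes the ESR follows the VRRPv2 timer rules of RFC 3768 and that an 802.1D switch port stays blocked for 30 s, the two 15-second Forward Delay stages) that computes, for a given "vrrp timers advertise" value, how long a freshly booted ESR waits before declaring itself master and how long the backup needs to detect a failed master. The function names and the 30 s default are my own.

```python
# Added example; assumes the ESR follows the VRRPv2 timer rules of RFC 3768.
# Advertisement_Interval is in whole seconds, as "vrrp timers advertise" on this page.

DEFAULT_FORWARDING_DELAY = 30  # s: two 802.1D Forward Delay stages of 15 s (listening + learning)


def skew_time(priority):
    """Skew_Time in seconds: a higher priority waits slightly less before taking over."""
    return (256 - priority) / 256


def master_down_interval(advertise, priority):
    """Seconds a router in Backup state waits without hearing a Master before becoming Master."""
    return 3 * advertise + skew_time(priority)


def boot_is_safe(advertise, priority, forwarding_delay=DEFAULT_FORWARDING_DELAY):
    """True if a freshly booted ESR will hear the running master before its own
    Master_Down_Timer expires, assuming its switch ports stay blocked for
    forwarding_delay seconds and, in the worst case, the next advertisement
    arrives a full interval after the ports start forwarding."""
    return master_down_interval(advertise, priority) > forwarding_delay + advertise


def trade_off(advertise, master_priority=200, backup_priority=100,
              forwarding_delay=DEFAULT_FORWARDING_DELAY):
    """Both costs of one 'vrrp timers advertise' value for the priorities used on this page."""
    return {
        "advertise_s": advertise,
        "boot_safe": boot_is_safe(advertise, master_priority, forwarding_delay),
        "failover_detection_s": master_down_interval(advertise, backup_priority),
    }


if __name__ == "__main__":
    for adv in (1, 5, 15, 30):
        print(trade_off(adv))
```

With the page's recommendation (an advertise interval equal to the port forwarding time, here 30 s) the booting ESR waits about 90 s for announcements, comfortably past the blocked period, but a MASTER failure is then also noticed only after roughly 90 s instead of under 4 s at the default 1 s interval.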

Example of port-channel configuration on the MES switch side:

 MES port-channel
interface gigabitethernet 1/0/1
 channel-group 1 mode auto        
exit
!
interface gigabitethernet 2/0/1
 channel-group 1 mode auto
exit
interface port-channel 1
 switchport mode general
 switchport general allowed vlan add 3,10-11,2300-2301,2308 tagged
 spanning-tree disable
 spanning-tree bpdu filtering
 switchport forbidden default-vlan
 switchport general acceptable-frame-type tagged-only
 speed 1000
exit