High-availability HotSpot Example
Document revision: 0.3 (Wed Apr 21 09:12:11 GMT 2004)
Applies to: V2.8
Configuration
Summary
This example demonstrates the deployment of a high-availability HotSpot point of service.
Related Documents
Description
The following application example discusses a redundant HotSpot gateway configuration. HotSpot clients obtain IP addresses via DHCP regardless of the clients' current network settings. This is achieved with the help of the Universal Client feature. All authentication and accounting is performed via a RADIUS server.
Consider the network diagram below:
Notes
The topic of basic router configuration is not discussed in this example. Therefore the routers must already have some initial settings configured, namely: the interfaces should be enabled, each interface should have an appropriate IP address, and the routing table should be set correctly (at least a default route is required). NAT should also be configured already.
VRRP configuration
- Configuring Master VRRP router
Create a VRRP instance on the router:
[admin@master] ip vrrp> add interface=local priority=255
[admin@master] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup
  0 M name="vr1" interface=local vrid=1 priority=255 interval=1
      preemption-mode=yes authentication=none password="" on-backup=""
      on-master=""
The virtual IP address should be added to this VRRP instance:
[admin@master] ip vrrp address> add address=10.0.0.1/24 virtual-router=vr1
[admin@master] ip vrrp address> print
Flags: X - disabled, A - active
  #   ADDRESS            NETWORK         BROADCAST       VIRTUAL-ROUTER
  0 A 10.0.0.1/24        10.0.0.0        10.0.0.255      vr1
- Configuring Backup VRRP router
Create a VRRP instance with lower priority, so this router will back up the preferred one:
[admin@backup] ip vrrp> add interface=local
[admin@backup] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup
  0 B name="vr1" interface=local vrid=1 priority=100 interval=1
      preemption-mode=yes authentication=none password="" on-backup=""
      on-master=""
Add the same virtual address that was added on the master node (it is shown without the A flag here because the backup router does not own it while the master is active):
[admin@backup] ip vrrp address> add address=10.0.0.1/24 virtual-router=vr1
[admin@backup] ip vrrp address> print
Flags: X - disabled, A - active
  #   ADDRESS            NETWORK         BROADCAST       VIRTUAL-ROUTER
  0   10.0.0.1/24        10.0.0.0        10.0.0.255      vr1
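As an added example (not code from the MikroTik page or from RouterOS), the following Python encodes and decodes the VRRPv2 advertisements that vr1 exchanges over IP protocol 112 with the settings used above (vrid=1, priority 255 on the master and 100 on the backup, interval=1, authentication=none), and applies the master/backup decision that later drives the on-master and on-backup hooks. The function names, the simplified election rule (no IP-address tie-break) and the sample values are this example's own assumptions.

```python
import struct
from ipaddress import IPv4Address

VRRP_PROTO = 112   # IP protocol number the firewall input rule on the page accepts
AUTH_NONE = 0      # authentication=none, as configured on vr1 above


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole VRRPv2 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, interval: int, vips: list) -> bytes:
    """Encode a VRRPv2 advertisement: version 2, type 1, auth type 0, 8 zero auth bytes."""
    head = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), AUTH_NONE, interval, 0)
    body = head + b"".join(IPv4Address(v).packed for v in vips) + bytes(8)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def parse_advert(pkt: bytes) -> dict:
    """Decode an advertisement; a monitor should reject bad checksums before trusting it.
    With auth type 0 the message carries no authenticator, so the source IP of the
    frame is the only other thing a capture-based check can compare against."""
    if len(pkt) < 16 or inet_checksum(pkt) != 0:
        raise ValueError("bad length or checksum")
    ver_type, vrid, prio, count, auth, interval, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type != 0x21:
        raise ValueError("not a VRRPv2 advertisement")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth,
            "interval": interval, "vips": vips}


def decide_role(local_priority: int, heard: list, preempt: bool = True,
                is_master: bool = False) -> str:
    """Master/backup decision for one VRID from the priorities heard on the segment
    (RFC 3768 state machine, simplified). Priority 0 means 'master shutting down';
    255 is the address owner and always preempts. A role change is what fires the
    on-master / on-backup scripts on the backup router."""
    live = [p for p in heard if p > 0]
    if not live:                       # master-down timer expired: take over
        return "master"
    if is_master:                      # a higher-priority router preempts us
        return "backup" if max(live) > local_priority else "master"
    if local_priority > max(live) and (preempt or local_priority == 255):
        return "master"
    return "backup"
```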
HotSpot configuration
HotSpot configuration should be the same on both routers:
[admin@master] ip hotspot> setup
Select interface to run HotSpot on

hotspot interface: local
Use SSL authentication?

use ssl: no
Add hotspot authentication for existing interface setup?

interface already configured: yes
Create local hotspot user

name of local hotspot user: admin
password for the user: test
Use transparent web proxy for hotspot clients?

use transparent web proxy: no
[admin@master] ip hotspot>
Notes
After the HotSpot configuration, you should add a firewall input rule accepting the VRRP protocol (IP protocol 112) on both routers, so that VRRP works correctly:
[admin@master] ip firewall rule input> add action=accept \
\... protocol=112 place-before=1
IP pool configuration
Add the same in both routers:
[admin@master] ip pool> add name=hs-pool ranges=10.0.0.10-10.0.0.30
[admin@master] ip pool> print
  # NAME          RANGES
  0 hs-pool       10.0.0.10-10.0.0.30
DHCP server configuration
Add in both routers:
[admin@master] ip dhcp-server> add name=hs-dhcp-server interface=local \
\... address-pool=hs-pool lease-time=30s add-arp=yes
[admin@master] ip dhcp-server> print
Flags: X - disabled, I - invalid
  # NAME            INTERFACE  RELAY  ADDRESS-POOL  LEASE-TIME  ADD-ARP
  0 hs-dhcp-server  local             hs-pool       30s         yes
[admin@master] ip dhcp-server network> add address=10.0.0.0/24 gateway=10.0.0.1 \
\... dns-server=159.148.60.2 domain=mt.lv
[admin@master] ip dhcp-server network> print
  # ADDRESS      GATEWAY    DNS-SERVER     WINS-SERVER  DOMAIN
  0 10.0.0.0/24  10.0.0.1   159.148.60.2                mt.lv
Notes
The recommended DHCP lease time is in the range from 30s to 1m.
Universal Client configuration
Add in both routers:
[admin@master] ip hotspot universal> add interface=local address-pool=hs-pool \
\... addresses-per-mac=1 arp=all-arp use-dhcp=yes
[admin@master] ip hotspot universal> print
Flags: X - disabled, I - invalid
  # INTERFACE  ADDRESS-POOL  ADDRESSES-PER-MAC  ARP      USE-DHCP  IDLE-TIMEOUT
  0 local      hs-pool       1                  all-arp  yes       5m
Notes
You should add the other router's IP address and MAC address to the HotSpot universal client access list on both routers (the master lists the backup, and the backup lists the master):
[admin@master] ip hotspot universal access> add mac-address=00:0C:42:03:0F:6A \
\... address=10.0.0.3 to-address=10.0.0.3
[admin@master] ip hotspot universal access> print
Flags: X - disabled
  # MAC-ADDRESS        ADDRESS     TO-ADDRESS  INTERFACE
  0 ;;; backup
    00:0C:42:03:0F:6A  10.0.0.3    10.0.0.3
[admin@backup] ip hotspot universal access> add mac-address=00:0C:42:03:0F:68 \
\... address=10.0.0.2 to-address=10.0.0.2
[admin@backup] ip hotspot universal access> print
Flags: X - disabled
  # MAC-ADDRESS        ADDRESS     TO-ADDRESS  INTERFACE
  0 ;;; master
    00:0C:42:03:0F:68  10.0.0.2    10.0.0.2
RADIUS configuration
Add the same in both routers:
[admin@master] radius> add service=hotspot address=10.5.8.8 secret=ex
[admin@master] radius> /ip hotspot aaa set use-radius=yes
[admin@master] radius> print
Flags: X - disabled
  # SERVICE   CALLED-ID  DOMAIN  ADDRESS    SECRET
  0 hotspot                      10.5.8.8   testz
[admin@master] radius> /ip hotspot aaa
[admin@master] ip hotspot aaa> print
        use-radius: yes
        accounting: yes
    interim-update: 0s
Scripts for DHCP server disabling/enabling
It is important to disable the DHCP server, the HotSpot universal client and the firewall rules on the backup router while the master is working.
- Script down disables all of these:
[admin@backup] system script> add name="down" source={/ip \
\... dhcp-server disable [/ip dhcp-server find interface=local]; \
\... /ip hotspot universal disable [/ip hotspot universal find \
\... interface=local]; /ip firewall rule input disable [/ip \
\... firewall rule input find in-interface=local]; /ip firewall \
\... rule output disable [/ip firewall rule output find \
\... out-interface=local]}
- Script up enables them back:
[admin@backup] system script> add name="up" source={/ip \
\... dhcp-server enable [/ip dhcp-server find interface=local]; \
\... /ip hotspot universal enable [/ip hotspot universal find \
\... interface=local]; /ip firewall rule input enable [/ip \
\... firewall rule input find in-interface=local]; /ip firewall \
\... rule output enable [/ip firewall rule output find \
\... out-interface=local]}
- Both scripts as stored on the router:
[admin@backup] system script> print
  0 name="down" source="/ip dhcp-server disable [/ip dhcp-server find
    interface=local]; /ip hotspot universal disable [/ip hotspot universal
    find interface=local]; /ip fire rule input disable [/ip fire rule input
    find in-interface=local]; /ip fire rule output disable [/ip fire rule
    output find out-interface=local]" owner="admin"
    policy=ftp,reboot,read,write,policy,test last-started=mar/18/2004 19:14:26
    run-count=13

  1 name="up" source="/ip dhcp-server enable [/ip dhcp-server find
    interface=local]; /ip hotspot universal enable [/ip hotspot universal
    find interface=local]; /ip fire rule input enable [/ip fire rule input
    find in-interface=local]; /ip fire rule output enable [/ip fire rule
    output find out-interface=local]"
- Both scripts should be attached to the VRRP instance, so that down runs when this router becomes backup and up runs when it becomes master:
[admin@backup] ip vrrp> set 0 on-backup=down on-master=up
[admin@backup] ip vrrp> print
Flags: X - disabled, I - invalid, M - master, B - backup
  0 B name="vr1" interface=local vrid=1 priority=100 interval=1
      preemption-mode=yes authentication=none password="" on-backup=down
      on-master=up
While the master router is working, SSH access to the backup router is available only through its global interface. When the master changes status to backup, the network can be unavailable for up to 10 minutes on Windows systems, because Windows refreshes its ARP table only after 10 minutes.