...
ESR VRRP MASTER/BACKUP
ip route 0.0.0.0/0 172.16.0.31
ip route 192.168.240.0/23 192.168.200.21
...
radius-server host 100.123.0.2
key ascii-text testing123
timeout 2
source-address 100.123.0.173
auth-port 31812
acct-port 31813
retransmit 3
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text testing123
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
radius-server host 100.123.0.2
key ascii-text testing123
timeout 2
source-address 100.123.0.175
auth-port 31812
acct-port 31813
retransmit 3
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text testing123
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
Настраиваем функционал wireless-controller:
...
Обратим внимание, что для всех зон безопасности в направлении self разрешается прохождение VRRP-трафика. В приведённых выше фрагментах ключ RADIUS/DAS (`testing123`) показан в открытом виде, тогда как в полной конфигурации ниже он уже отображается в зашифрованном виде (`key ascii-text encrypted ...`); кроме того, в примере включён `ip telnet server` — в рабочей сети его стоит отключить, оставив для управления только `ip ssh server`.
Полная конфигурация ESR будет выглядеть так:
#!/usr/bin/clish
#18
#1.11.4
hostname esr-master
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group network MGMT
ip prefix 192.168.200.16/28
ip prefix 10.255.252.0/23
exit
object-group network SoftWLC
ip address-range 100.123.0.2
exit
radius-server host 100.123.0.2
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 2
source-address 100.123.0.173
auth-port 31812
acct-port 31813
retransmit 3
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
vlan 3,10-11,2300-2301,2308
exit
no spanning-tree
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit
bridge 1
vlan 2308
security-zone gre
ip address 192.168.200.19/28
vrrp id 1
vrrp ip 192.168.200.17/32
vrrp ip 192.168.200.18/32 secondary
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp
enable
exit
bridge 3
vlan 3
unknown-unicast-forwarding disable
security-zone trusted
ip address 10.255.252.2/23
ip helper-address 100.123.0.2
vrrp id 3
vrrp ip 10.255.252.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 4
vlan 2300
security-zone trusted
ip address 100.123.0.173/24
vrrp id 23
vrrp ip 100.123.0.175/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
enable
exit
bridge 5
vlan 2301
security-zone untrusted
ip address 172.16.0.2/28
vrrp id 5
vrrp ip 172.16.0.4/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
enable
exit
bridge 10
vlan 10
unknown-unicast-forwarding disable
security-zone user
ip firewall disable
ip address 198.18.148.2/22
vrrp id 10
vrrp ip 198.18.148.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
location data10
protected-ports radius
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 11
vlan 11
unknown-unicast-forwarding disable
security-zone user
ip firewall disable
ip address 198.18.152.2/22
ip helper-address 100.123.0.2
vrrp id 11
vrrp ip 198.18.152.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
location data11
protected-ports radius
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
interface port-channel 1
mode switchport
switchport forbidden default-vlan
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,10-11,2300-2301,2308 tagged
exit
interface gigabitethernet 1/0/1
mode switchport
channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
mode switchport
channel-group 1 mode auto
exit
tunnel softgre 1
description "mgmt"
mode management
local address 192.168.200.17
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
description "data"
mode data
local address 192.168.200.18
default-profile
enable
exit
security zone-pair gre self
rule 1
action permit
match protocol gre
enable
exit
rule 2
action permit
match protocol icmp
enable
exit
rule 3
action permit
match protocol vrrp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match source-address MGMT
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
match source-address MGMT
enable
exit
exit
security zone-pair trusted user
rule 1
action permit
enable
exit
exit
security zone-pair trusted gre
rule 1
action permit
enable
exit
exit
security zone-pair user self
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
exit
security zone-pair user trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
exit
security zone-pair user untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol vrrp
enable
exit
exit
ip dhcp-relay
ip route 0.0.0.0/0 172.16.0.1
ip route 192.168.240.0/23 192.168.200.21
wireless-controller
peer-address 100.123.0.175
nas-ip-address 100.123.0.173
vrrp-group 1
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server
#!/usr/bin/clish
#18
#1.11.4
hostname esr-backup
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group network MGMT
ip prefix 192.168.200.16/28
ip prefix 10.255.252.0/23
exit
object-group network SoftWLC
ip address-range 100.123.0.2
exit
radius-server host 100.123.0.2
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 2
source-address 100.123.0.175
auth-port 31812
acct-port 31813
retransmit 3
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
vlan 3,10-11,2300-2301,2308
exit
no spanning-tree
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit
bridge 1
vlan 2308
security-zone gre
ip address 192.168.200.20/28
vrrp id 1
vrrp ip 192.168.200.17/32
vrrp ip 192.168.200.18/32 secondary
vrrp priority 100
vrrp group 1
vrrp preempt disable
vrrp
enable
exit
bridge 3
vlan 3
unknown-unicast-forwarding disable
security-zone trusted
ip address 10.255.252.3/23
ip helper-address 100.123.0.2
vrrp id 3
vrrp ip 10.255.252.1/32
vrrp priority 100
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 4
vlan 2300
security-zone trusted
ip address 100.123.0.175/24
vrrp id 23
vrrp ip 100.123.0.174/32
vrrp priority 100
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
enable
exit
bridge 5
vlan 2301
security-zone untrusted
ip address 172.16.0.3/28
vrrp id 5
vrrp ip 172.16.0.4/32
vrrp priority 100
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
enable
exit
bridge 10
vlan 10
unknown-unicast-forwarding disable
security-zone user
ip firewall disable
ip address 198.18.148.3/22
vrrp id 10
vrrp ip 198.18.148.1/32
vrrp priority 100
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
location data10
protected-ports radius
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 11
vlan 11
unknown-unicast-forwarding disable
security-zone user
ip firewall disable
ip address 198.18.152.3/22
ip helper-address 100.123.0.2
vrrp id 11
vrrp ip 198.18.152.1/32
vrrp priority 100
vrrp group 1
vrrp preempt disable
vrrp
ip tcp adjust-mss 1400
location data11
protected-ports radius
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
interface port-channel 1
mode switchport
switchport forbidden default-vlan
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,10-11,2300-2301,2308 tagged
exit
interface gigabitethernet 1/0/1
mode switchport
channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
mode switchport
channel-group 1 mode auto
exit
tunnel softgre 1
description "mgmt"
mode management
local address 192.168.200.17
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
description "data"
mode data
local address 192.168.200.18
default-profile
enable
exit
security zone-pair gre self
rule 1
action permit
match protocol gre
enable
exit
rule 2
action permit
match protocol icmp
enable
exit
rule 3
action permit
match protocol vrrp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match source-address MGMT
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
match source-address MGMT
enable
exit
exit
security zone-pair trusted user
rule 1
action permit
enable
exit
exit
security zone-pair trusted gre
rule 1
action permit
enable
exit
exit
security zone-pair user self
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
exit
security zone-pair user trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
exit
security zone-pair user untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol vrrp
enable
exit
exit
ip dhcp-relay
ip route 192.168.240.0/23 192.168.200.21
ip route 0.0.0.0/0 172.16.0.1
wireless-controller
peer-address 100.123.0.173
nas-ip-address 100.123.0.175
vrrp-group 1
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server