История страницы

...

в качестве default-router используется IP-адрес VRRP;
в качестве dns-server используется IP-адрес VRRP;
установить в качестве необходимого режима работы резервирования active-standby;
клиентская подсеть: 192.0.2.0/24.

Исходная конфигурация кластера:

Блок кода

title	ESR-1

cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit
  
hostname ESR-1 unit 1
hostname ESR-2 unit 2
  
security zone SYNC
exit
security zone LAN
exit
  
bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
  
interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
  
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
exit

Решение:

Выполним Выполните настройку DHCP-сервера. В качестве default-router и dns-server используется IP-адрес VRRP:

Блок кода

title	ESR-1

ESR-1(config)# ip dhcp-server 
ESR-1(config)# ip dhcp-server pool TRUSTED
ESR-1(config-dhcp-server)# network 192.180.32.0/24
ESR-1(config-dhcp-server)# address-range 192.180.32.5010-192.180.32.100
ESR-1(config-dhcp-server)# default-router 192.180.32.1
ESR-1(config-dhcp-server)# dns-server 192.180.32.1
ESR-1(config-dhcp-server)# exit

Scroll Pagebreak

Разрешите Разрешим получение DHCP-адресов:

Блок кода

title	ESR-1

ESR-1(config)# object-group service DHCP_SERVER
ESR-1(config-object-group-service)# port-range 67
ESR-1(config-object-group-service)# exit
ESR-1(config)# object-group service DHCP_CLIENT
ESR-1(config-object-group-service)# port-range 68
ESR-1(config-object-group-service)# exit
ESR-1(config)# security zone-pair TRUSTEDLAN self 
ESR-1(config-security-zone-pair)# rule 31
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol udp
ESR-1(config-security-zone-pair-rule)# match source-port object-group DHCP_CLIENT 
ESR-1(config-security-zone-pair-rule)# match destination-port object-group DHCP_SERVER 
ESR-1(config-security-zone-pair-rule)# enable 
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# exit

Так как объект IP failover уже настроен на предыдущем шаге, перейдите к настройке резервирования DHCP-сервераСконфигурируем object-group для настройки failover-сервисов:

Блок кода

title	ESR-1

ESR-1(config)# ip dhcpobject-servergroup failovernetwork

Установите режим работы резервирования:

Блок кода

title	ESR-1

SYNC_SRC
ESR-1(config-dhcpobject-servergroup-failovernetwork)# modeip activeaddress-standby

Примечание
Для работы в кластере необходимо использовать режим active-standby.

Включите DHCP-failover:

Блок кода

title	ESR-1

range 198.51.100.254 unit 1
ESR-1(config-dhcpobject-servergroup-failovernetwork)# enable
ip address-range 198.51.100.253 unit 2
ESR-1(config-dhcpobject-servergroup-failovernetwork)# exit

Scroll Pagebreak

Создайте профиль для портов dhcp-server failover и установите разрешающие правила для работы сервиса:

Блок кода

title	ESR-1


ESR-1(config)# object-group servicenetwork SYNC_MGRDST
ESR-1(config-object-group-servicenetwork)# ip portaddress-range 873 198.51.100.253 unit 1
ESR-1(config-object-group-servicenetwork)# ip exit
ESR-1(config)# security zone-pair SYNC selfaddress-range 198.51.100.254 unit 2
ESR-1(config-securityobject-zonegroup-pairnetwork)# rule 4
ESR-1(exit

Перейдем к выбору IP-адреса сетевого интерфейса, с которого будут отправляться сообщения при работе failover-сервисов, указав созданную object-group:

Блок кода

title	ESR-1

config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule# match protocol tcp)# ip failover
ESR-1(config-security-zone-pair-rulefailover)# match sourcelocal-portaddress object-group SYNC_SRC

Настроим IP-адреса соседа при работе failover-сервисов, указав созданную object-group:

Блок кода

title	ESR-1

MGR
ESR-1(config-security-zone-pair-rulefailover)# remote-address object-group SYNC_DST

Укажем VRRP-группу, на основе которой определяется состояние (основной/резервный) маршрутизатора при работе failover-сервисов:

Блок кода

title	ESR-1

enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pairfailover)# rulevrrp-group 51
ESR-1(config-security-zone-pair-rulefailover)# action permit
exit

Перейдем к настройке резервирования DHCP-сервера:

Блок кода

title	ESR-1

ESR-1(config-security-zone-pair-rule)# ip matchdhcp-server protocolfailover tcp

Установим режим работы резервирования:

Блок кода

title	ESR-1

ESR-1(config-securitydhcp-zoneserver-pair-rulefailover)# matchmode destinationactive-standby

Примечание
Для работы в кластере необходимо использовать режим active-standby.

Включим DHCP-failover:

Блок кода

title	ESR-1

port object-group SYNC_MGR
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-securitydhcp-zoneserver-pair-rulefailover)# exit enable
ESR-1(config-securitydhcp-zoneserver-pairfailover)# exit

Посмотреть состояние резервирования DHCP-сервера можно с помощью команды:

Блок кода

title	ESR-1, 2

ESR-1# show ip dhcp server failover 
VRF:                             --
    State: Successful

Посмотреть состояние резервирования сессий DHCP можно с помощью команды:

Блок кода

title	ESR-1, 2

ESR-1# show high-availability state 
DHCP option 82 table:Mode:                        Active-Standby
    Role:                        Master
    State:                       Synchronized
    Last synchronization:        2025-01-09 12:00:57

Посмотреть состояние резервирования сессий DHCP можно с помощью команды:

Блок кода

title	ESR-1

ESR-1# show high-availability state 
DHCP server:
VRF:                               --
    Mode:                          Active-Standby
    State:                         Successful synchronization
    Last synchronization:          2025-01-09 12:01:21
crypto-sync:
    State:                         Disabled
Firewall sessions and NAT translations:
    State:                         Disabled

Выданные адреса DHCP можно просмотреть с помощью команды:

Блок кода

title	ESR-1

ESR-1# show ip dhcp binding 
IP address         MAC / Client ID                                                 Binding type   Lease expires at       
----------------   -------------------------------------------------------------   ------------   --------------------   
192.0.2.10         02:00:00:69:91:12                                               active         2025-01-09 23:58:36    
192.0.2.11         02:00:00:2a:a6:85                                               active         2025-01-09 23:58:39

Итоговая конфигурация кластера:

Блок кода

cluster
  cluster-interface bridge 1
  unit 1
    mac-address 68:13:e2:7f:22:c0
  exit
  unit 2
    mac-address 68:13:e2:7f:10:30
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

object-group service DHCP_SERVER
  port-range 67
exit
object-group service DHCP_CLIENT
  port-range 68
exit

object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit

security zone SYNC
exit
security zone LAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit

interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface   Disabledgigabitethernet 2/0/2
  security-zone LAN
 Last stateip change: address 192.0.2.253/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group --1
DHCP server:
VRF: vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address   --object-group SYNC_DST
  vrrp-group  State:     1
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule Successful2
 synchronization
Firewall sessions and NATaction translations:permit
    Trackingmatch VRRPprotocol Groupvrrp
    enable
    exit
  rule  13
    Tracking VRRP Group state:action permit
    match protocol Masterah
    State:enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol udp
    match  Successful synchronizationsource-port object-group DHCP_CLIENT
    Fault Reason:  match destination-port object-group DHCP_SERVER
    enable
  exit
exit

ip dhcp-server
ip dhcp-server pool TRUSTED
  network 192.0.2.0/24
  address-range --192.0.2.10-192.0.2.100
  default-router  Last synchronization:          16:33:14 10.01.2024

...

192.0.2.1
  dns-server 192.0.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

Настройка SNMP

Протокол SNMP позволяет системному администратору проводить мониторинг, контролировать производительность сети и изменять конфигурацию подключенных устройств.

...

Блок кода

title	ESR-1

cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit

interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
exit

Решение:

Сконфигурируем необходимые сетевые интерфейсы:

...

Примечание
В случае выхода из строя Active устройства, BGP будет полностью переустанавливаться со Standby устройством.

Итоговая конфигурация кластера:

Блок кода

cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

object-group service og_bgp
  port-range 179
exit

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

route-map bgp-out
  rule 1
    match ip address 198.51.100.0/24
    action deny
  exit
  rule 2
  exit
exit

router bgp 2500
  neighbor 203.0.113.2
    remote-as 3000
    update-source 203.0.113.1
    address-family ipv4 unicast
      route-map bgp-out out
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    redistribute connected
  exit
  enable
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit

interface gigabitethernet 1/0/1
  security-zone WAN
  ip address 203.0.113.254/24
  vrrp id 4
  vrrp ip 203.0.113.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/1
  security-zone WAN
  ip address 203.0.113.253/24
  vrrp id 4
  vrrp ip 203.0.113.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol ah
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port object-group og_bgp
    enable
  exit
exit

...

Блок кода

title	ESR-1

cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit

interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
exit

Решение:

Сконфигурируем необходимые сетевые интерфейсы:

...

Блок кода

ESR-2# show bgp ipv4 unicast neighbor 203.0.113.6 advertise-routes 
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
              * - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network              Next Hop             Metric  LocPrf      Weight Path        
*> u 192.0.2.0/24         203.0.113.5          --      --          --     2500 20 ?
*> u 203.0.113.4/30       203.0.113.5          --      --          --     2500 20 ?
ESR-2# show bgp ipv4 unicast neighbor 203.0.113.6 routes 
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
              * - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network              Next Hop             Metric  LocPrf      Weight Path        
*> u 0.0.0.0/0            203.0.113.6          --      100         0      3500 ?

Итоговая конфигурация кластера:

Блок кода

cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

object-group service og_bgp
  port-range 179
exit

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

route-map bgp-out
  rule 1
    match ip address 198.51.100.0/24
    action deny
  exit
  rule 2
    action set as-path prepend 20 track 1
  exit
exit

router bgp 2500 unit 1
  neighbor 203.0.113.2
    remote-as 3000
    update-source 203.0.113.1
    address-family ipv4 unicast
      route-map bgp-out out
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    redistribute connected
  exit
  enable
exit
router bgp 2500 unit 2
  neighbor 203.0.113.6
    remote-as 3500
    update-source 203.0.113.5
    address-family ipv4 unicast
      route-map bgp-out out
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    redistribute connected
  exit
  enable
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit

interface gigabitethernet 1/0/1
  security-zone WAN
  ip address 203.0.113.1/30
exit
interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/1
  security-zone WAN
  ip address 203.0.113.5/30
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port object-group og_bgp
    enable
  exit
exit

track 1
  track vrrp id 1 state not master
  enable
exit

...

Дерево страниц

Сравнение версий

Старая версия 30

Новая версия 31

Ключ

Исходная конфигурация кластера:

Решение:

Итоговая конфигурация кластера:

Решение:

Итоговая конфигурация кластера:

Решение:

Итоговая конфигурация кластера: