...
cluster
cluster-interface bridge 1
unit 1
mac-address cc:9d:a2:71:83:78
exit
unit 2
mac-address cc:9d:a2:71:82:38
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
security zone SYNC
exit
security zone LAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp
enable
exit
interface gigabitethernet 1/0/2
security-zone LAN
ip address 192.0.2.254/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone LAN
ip address 192.0.2.253/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
Решение:
Выполним настройку DHCP-сервера. В качестве default-router и dns-server используется виртуальный IP-адрес VRRP, который остаётся доступен клиентам независимо от того, какой узел кластера в данный момент активен:
...
ESR-1(config)# object-group network SYNC_SRC
ESR-1(config-object-group-network)# ip address-range 198.51.100.254 unit 1
ESR-1(config-object-group-network)# ip address-range 198.51.100.253 unit 2
ESR-1(config-object-group-network)# exit
ESR-1(config)# object-group network SYNC_DST
ESR-1(config-object-group-network)# ip address-range 198.51.100.253 unit 1
ESR-1(config-object-group-network)# ip address-range 198.51.100.254 unit 2
ESR-1(config-object-group-network)# exit
Перейдем к выбору IP-адреса сетевого интерфейса, с которого будут отправляться сообщения при работе failover-сервисов, указав созданную object-group:
ESR-1(config)# ip failover
ESR-1(config-failover)# local-address object-group SYNC_SRC
Настроим IP-адреса соседа при работе failover-сервисов, указав созданную object-group:
ESR-1(config-failover)# remote-address object-group SYNC_DST
...
ESR-1# show ip dhcp binding
IP address MAC / Client ID Binding type Lease expires at
---------------- ------------------------------------------------------------- ------------ --------------------
192.0.2.10 02:00:00:69:91:12 active 2025-01-09 23:58:36
192.0.2.11 02:00:00:2a:a6:85 active 2025-01-09 23:58:39
Итоговая конфигурация кластера:
cluster
cluster-interface bridge 1
unit 1
mac-address 68:13:e2:7f:22:c0
exit
unit 2
mac-address 68:13:e2:7f:10:30
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service DHCP_SERVER
port-range 67
exit
object-group service DHCP_CLIENT
port-range 68
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.254 unit 2
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
exit
security zone SYNC
exit
security zone LAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp
enable
exit
interface gigabitethernet 1/0/2
security-zone LAN
ip address 192.0.2.254/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone LAN
ip address 192.0.2.253/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
ip dhcp-server
ip dhcp-server pool TRUSTED
network 192.0.2.0/24
address-range 192.0.2.10-192.0.2.100
default-router 192.0.2.1
dns-server 192.0.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
...
cluster
cluster-interface bridge 1
unit 1
mac-address cc:9d:a2:71:83:78
exit
unit 2
mac-address cc:9d:a2:71:82:38
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service og_bgp
port-range 179
exit
security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit
route-map bgp-out
rule 1
match ip address 198.51.100.0/24
action deny
exit
rule 2
action set as-path prepend 20 track 1
exit
exit
router bgp 2500 unit 1
neighbor 203.0.113.2
remote-as 3000
update-source 203.0.113.1
address-family ipv4 unicast
route-map bgp-out out
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
exit
enable
exit
router bgp 2500 unit 2
neighbor 203.0.113.6
remote-as 3500
update-source 203.0.113.5
address-family ipv4 unicast
route-map bgp-out out
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
exit
enable
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp
enable
exit
interface gigabitethernet 1/0/1
security-zone WAN
ip address 203.0.113.1/30
exit
interface gigabitethernet 1/0/2
security-zone LAN
ip address 192.0.2.254/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/1
security-zone WAN
ip address 203.0.113.5/30
exit
interface gigabitethernet 2/0/2
security-zone LAN
ip address 192.0.2.253/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
enable
exit
exit
security zone-pair WAN self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol tcp
match destination-port object-group og_bgp
enable
exit
exit
track 1
track vrrp id 1 state not master
enable
exit
Приложение. Полная конфигурация ESR
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service ISAKMP
port-range 500
port-range 4500
exit
object-group service FAILOVER
port-range 9999
exit
object-group service DHCP_SERVER
port-range 67
exit
object-group service DHCP_CLIENT
port-range 68
exit
object-group service SYNC_MGR
port-range 873
exit
object-group service SNMP
port-range 161
port-range 162
exit
object-group service SSH
port-range 22
exit
object-group service DNS_SERVER
port-range 53
exit
object-group service SERVER_DMZ
port-range 80
exit
object-group network SYNC_SRC
ip address-range 192.18.1.254 unit 1
ip address-range 192.18.1.253 unit 2
exit
object-group network SYNC_DST
ip address-range 192.18.1.253 unit 1
ip address-range 192.18.1.254 unit 2
exit
object-group network MGMT_SRC
ip address-range 192.18.7.254 unit 1
ip address-range 192.18.7.253 unit 2
exit
object-group network INTERNET_USERS
ip address-range 192.168.3.50-192.168.3.100
exit
object-group network EXTERNAL_VIPS
ip address-range 192.18.4.2
ip address-range 192.18.5.2
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
syslog host MGMT
remote-address 192.18.2.75
severity info
source-address object-group MGMT_SRC
exit
netflow collector 192.18.2.75
exit
netflow enable
domain lookup enable
domain name-server 192.18.2.75
security zone SYNC
exit
security zone ISP1_ISP2
exit
security zone TRUSTED
exit
security zone IPsec_VPN
exit
security zone MGMT
exit
security zone DMZ
exit
wan load-balance target-list ISP1_ISP2
target 1
resp-time 1
ip address 8.8.8.8
enable
exit
exit
wan load-balance target-list MGMT
target 1
resp-time 1
ip address 192.18.2.75
enable
exit
exit
bridge 1
vlan 1
security-zone SYNC
ip address 192.18.1.254/24 unit 1
ip address 192.18.1.253/24 unit 2
vrrp id 1
vrrp ip 192.18.1.1/24
vrrp group 1
vrrp
enable
exit
interface gigabitethernet 1/0/1
description "Network: SYNC"
mode switchport
exit
interface gigabitethernet 1/0/2
description "Network: TRUSTED"
security-zone TRUSTED
ip netflow export
ip address 192.18.3.254/24
vrrp id 3
vrrp ip 192.18.3.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 1/0/2.7
description "Network: MGMT"
security-zone MGMT
ip address 192.18.7.254/24
vrrp id 7
vrrp ip 192.18.7.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 1/0/2.10
description "Network: DMZ"
security-zone DMZ
ip address 192.18.10.254/24
vrrp id 10
vrrp ip 192.18.10.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 1/0/3.111
description "Network: ISP1"
security-zone ISP1_ISP2
ip address 192.18.4.254/24
vrrp id 111
vrrp ip 192.18.4.2/24
vrrp group 1
vrrp
wan load-balance nexthop 192.18.4.1
wan load-balance success-count 1
wan load-balance target-list ISP1_ISP2
wan load-balance enable
exit
interface gigabitethernet 1/0/3.222
description "Network: ISP2"
security-zone ISP1_ISP2
ip address 192.18.5.254/24
vrrp id 222
vrrp ip 192.18.5.2/24
vrrp group 1
vrrp
wan load-balance nexthop 192.18.5.1
wan load-balance success-count 1
wan load-balance target-list ISP1_ISP2
wan load-balance enable
exit
interface gigabitethernet 2/0/1
description "Network: SYNC"
mode switchport
exit
interface gigabitethernet 2/0/2
description "Network: TRUSTED"
security-zone TRUSTED
ip netflow export
ip address 192.18.3.253/24
vrrp id 3
vrrp ip 192.18.3.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 2/0/2.7
description "Network: MGMT"
security-zone MGMT
ip address 192.18.7.253/24
vrrp id 7
vrrp ip 192.18.7.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 2/0/2.10
description "Network: DMZ"
security-zone DMZ
ip address 192.18.10.253/24
vrrp id 10
vrrp ip 192.18.10.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 2/0/3.111
description "Network: ISP1"
security-zone ISP1_ISP2
ip address 192.18.4.253/24
vrrp id 111
vrrp ip 192.18.4.2/24
vrrp group 1
vrrp
wan load-balance nexthop 192.18.4.1
wan load-balance success-count 1
wan load-balance target-list ISP1_ISP2
wan load-balance enable
exit
interface gigabitethernet 2/0/3.222
description "Network: ISP2"
security-zone ISP1_ISP2
ip address 192.18.5.253/24
vrrp id 222
vrrp ip 192.18.5.2/24
vrrp group 1
vrrp
wan load-balance nexthop 192.18.5.1
wan load-balance success-count 1
wan load-balance target-list ISP1_ISP2
wan load-balance enable
exit
tunnel vti 1
security-zone IPsec_VPN
local address 192.18.4.2
remote address 192.18.4.1
ip address 192.18.11.1/24
wan load-balance nexthop 192.18.11.2
wan load-balance success-count 1
wan load-balance target-list MGMT
wan load-balance enable
enable
exit
tunnel vti 2
security-zone IPsec_VPN
local address 192.18.5.2
remote address 192.18.5.1
ip address 192.18.12.1/24
wan load-balance nexthop 192.18.12.2
wan load-balance success-count 1
wan load-balance target-list MGMT
wan load-balance enable
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community MGMT client-list MGMT_SRC rw
snmp-server host 192.18.2.75
source-address object-group MGMT_SRC
exit
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
rule 4
action permit
match protocol tcp
match source-port object-group SYNC_MGR
enable
exit
rule 5
action permit
match protocol tcp
match destination-port object-group SYNC_MGR
enable
exit
exit
security zone-pair ISP1_ISP2 self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol esp
enable
exit
rule 4
action permit
match protocol udp
match source-port object-group ISAKMP
match destination-port object-group ISAKMP
enable
exit
exit
security zone-pair TRUSTED self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
rule 4
action permit
match protocol udp
match destination-port object-group DNS_SERVER
enable
exit
exit
security zone-pair IPsec_VPN self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair MGMT self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol tcp
match destination-port object-group SSH
enable
exit
rule 4
action permit
match protocol udp
match destination-port object-group SNMP
enable
exit
exit
security zone-pair MGMT IPsec_VPN
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol udp
match destination-port object-group SNMP
enable
exit
exit
security zone-pair IPsec_VPN MGMT
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol tcp
match destination-port object-group SSH
enable
exit
rule 3
action permit
match protocol udp
match destination-port object-group SNMP
enable
exit
exit
security zone-pair TRUSTED ISP1_ISP2
rule 1
action permit
match source-address object-group INTERNET_USERS
enable
exit
exit
security zone-pair ISP1_ISP2 DMZ
rule 1
action permit
match destination-nat
enable
exit
exit
security ike proposal IKE_PROP
authentication algorithm md5
encryption algorithm aes128
dh-group 2
exit
security ike policy IKE_POL
pre-shared-key hexadecimal encrypted CDE6504B9629
proposal IKE_PROP
exit
security ike gateway IKE_GW_1
version v2-only
ike-policy IKE_POL
mode route-based
mobike disable
bind-interface vti 1
exit
security ike gateway IKE_GW_2
version v2-only
ike-policy IKE_POL
mode route-based
mobike disable
bind-interface vti 2
exit
security ipsec proposal IPSEC_PROP
authentication algorithm md5
encryption algorithm aes128
exit
security ipsec policy IPSEC_POL
proposal IPSEC_PROP
exit
security ipsec vpn IPSEC_1
ike establish-tunnel route
ike gateway IKE_GW_1
ike ipsec-policy IPSEC_POL
enable
exit
security ipsec vpn IPSEC_2
ike establish-tunnel route
ike gateway IKE_GW_2
ike ipsec-policy IPSEC_POL
enable
exit
ip firewall failover
sync-type unicast
port 9999
enable
exit
nat destination
pool SERVER_DMZ
ip address 192.18.10.75
exit
ruleset DNAT_SERVER_DMZ
from zone ISP1_ISP2
rule 1
match protocol tcp
match destination-address object-group EXTERNAL_VIPS
match destination-port object-group SERVER_DMZ
action destination-nat pool SERVER_DMZ
enable
exit
rule 2
match protocol udp
match destination-address object-group EXTERNAL_VIPS
match destination-port object-group SERVER_DMZ
action destination-nat pool SERVER_DMZ
enable
exit
exit
exit
nat source
ruleset SNAT_ISP1_ISP2
to zone ISP1_ISP2
rule 1
match source-address object-group INTERNET_USERS
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool TRUSTED
network 192.18.3.0/24
address-range 192.18.3.50-192.18.3.100
default-router 192.18.3.1
dns-server 192.18.3.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
ip route 0.0.0.0/0 wan load-balance rule 1 10
ip route 192.168.2.0/24 wan load-balance rule 2 10
wan load-balance rule 1
outbound interface gigabitethernet 1/0/3.111 70
outbound interface gigabitethernet 1/0/3.222 30
outbound interface gigabitethernet 2/0/3.222 30
outbound interface gigabitethernet 2/0/3.111 70
enable
exit
wan load-balance rule 2
outbound tunnel vti 1 70
outbound tunnel vti 2 30
enable
exit
archive
path tftp://192.18.2.75:/esr-example/esr-example.cfg
time-period 1440
auto
type both
by-commit
count-backup 30
exit