...
| Блок кода |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address cc:9d:a2:71:83:78
exit
unit 2
mac-address cc:9d:a2:71:82:38
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp
enable
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit |
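Review bot: The cluster synchronisation bridge (`bridge 1`, `vlan 1`) uses gigabitethernet 1/0/3 and 2/0/3 as switchport members, and the same physical ports later carry the ISP-facing sub-interfaces (`1/0/3.111`, `1/0/3.222`, `2/0/3.111`, `2/0/3.222`). Isolation of the SYNC zone therefore depends on the VLAN configuration of the adjacent switch, which the page does not show. Because `security zone-pair SYNC self` permits ICMP, VRRP and AH with no source match, any host that ends up in VLAN 1 can reach those protocols on the router. I would add a sentence before this block such as `VLAN 1 on the switch ports facing gi1/0/3 and gi2/0/3 must be limited to the two cluster units and must not be extended to ISP or user ports.`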
Создайте Создадим локальную зону безопасности и зону безопасности в сторону интернета:
| Блок кода |
|---|
|
ESR-1(config)# security zone TRUSTED
ESR-1(config-security-zone)# exit
ESR-1(config)# security zone ISP1_ISP2
ESR-1(config-security-zone)# exit |
Создайте Создадим список IP-адресов для проверки целостности соединения:
| Блок кода |
|---|
|
ESR-1(config)# wan load-balance target-list ISP1_ISP2
ESR-1(config-wan-target-list)# target 1
ESR-1(config-wan-target)# resp-time 1
ESR-1(config-wan-target)# ip address 8.8.8.8
ESR-1(config-wan-target)# enable
ESR-1(config-wan-target)# exit
ESR-1(config-wan-target-list)# exit |
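Review bot: The target list `ISP1_ISP2` holds a single probe address, `8.8.8.8`, and every uplink references that same list (`wan load-balance target-list ISP1_ISP2`). An outage or ICMP filtering affecting that one third-party host would presumably mark all uplinks as failed at once, instead of isolating a fault on one provider. With `success-count 1` on the interfaces, a single answered probe also appears to be enough to declare a link healthy. I would add a second, independent target, e.g. `target 2`, `ip address <SECOND_PROBE_IP>`, `enable`, and state in the text that probe addresses should be hosts the operator can rely on.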
Настройте Настроим интерфейсы в ISP 1, ISP 2 и зону TRUSTED:
| Блок кода |
|---|
|
ESR-1(config)# interface gigabitethernet 1/0/2
ESR-1(config-if-gi)# description "Network: TRUSTED"
ESR-1(config-if-gi)# security-zone TRUSTED
ESR-1(config-if-gi)# ip address 192.0.2.254/24
ESR-1(config-if-gi)# vrrp id 3
ESR-1(config-if-gi)# vrrp ip 192.0.2.1/24
ESR-1(config-if-gi)# vrrp group 1
ESR-1(config-if-gi)# vrrp
ESR-1(config-if-gi)# exit
ESR-1(config)# interface gigabitethernet 12/0/3.1112
ESR-1(config-subifif-gi)# description "Network: ISP1TRUSTED"
ESR-1(config-subifif-gi)# security-zone ISP1_ISP2TRUSTED
ESR-1(config-if-subifgi)# ip address 203192.0.1122.254253/24
ESR-1(config-if-subifgi)# vrrp id 1113
ESR-1(config-if-subifgi)# vrrp ip 203192.0.1122.21/24
ESR-1(config-if-subifgi)# vrrp group 1
ESR-1(config-if-subifgi)# vrrp
ESR-1(config-if-gi)# exit |
Настроим интерфейсы в зону ISP1:
| Блок кода |
|---|
|
subif)# wan load-balance nexthop 203.0.112.1
ESR-1(config-subif)# wan load-balance success-count 1
ESR-1(config-subif)# wan load-balance target-list ISP1_ISP2
ESR-1(config-subif)# wan load-balance enable
ESR-1(config-subif)# exit
ESR-1(config)# interface gigabitethernet 1/0/3.222111
ESR-1(config-subif)# description "Network: ISP2ISP1"
ESR-1(config-subif)# security-zone ISP1_ISP2
ESR-1(config-subif)# ip address 203.0.113112.254/24
ESR-1(config-subif)# vrrp id 222111
ESR-1(config-subif)# vrrp ip 203.0.113112.2/24
ESR-1(config-subif)# vrrp group 1
ESR-1(config-subif)# vrrp
ESR-1(config-subif)# wan load-balance nexthop 203.0.113112.1
ESR-1(config-subif)# wan load-balance success-count 1
ESR-1(config-subif)# wan load-balance target-list ISP1_ISP2
ESR-1(config-subif)# wan load-balance enable
ESR-1(config-subif)# exit
ESR-1(config)# interface gigabitethernet 2/0/3.111
ESR-1(config-subif)# description "Network: ISP1"
ESR-1(config-subif)# security-zone ISP1_ISP2
ESR-1(config-subif)# exit ip address 203.0.112.253/24
ESR-1(config-subif)# vrrp id 111
ESR-1(config-subif)# interfacevrrp gigabitethernet ip 203.0.112.2/0/224
ESR-1(config-if-gisubif)# descriptionvrrp "Network: TRUSTED"group 1
ESR-1(config-if-gisubif)# security-zone TRUSTEDvrrp
ESR-1(config-if-gisubif)# wan ipload-balance addressnexthop 192203.0.2112.253/241
ESR-1(config-if-gisubif)# vrrp id 3wan load-balance success-count 1
ESR-1(config-if-gisubif)# wan vrrp ip 192.0.2.1/24load-balance target-list ISP1_ISP2
ESR-1(config-if-gisubif)# vrrpwan groupload-balance 1enable
ESR-1(config-if-gisubif)# vrrp
exit |
Настроим интерфейсы в зону ISP1:
| Блок кода |
|---|
|
(config-if-gi)# exit
ESR-1(config)# interface gigabitethernet 21/0/3.111222
ESR-1(config-subif)# description "Network: ISP1ISP2"
ESR-1(config-subif)# security-zone ISP1_ISP2
ESR-1(config-subif)# ip address 203.0.112113.253254/24
ESR-1(config-subif)# vrrp id 111222
ESR-1(config-subif)# vrrp ip 203.0.112113.2/24
ESR-1(config-subif)# vrrp group 1
ESR-1(config-subif)# vrrp
ESR-1(config-subif)# wan load-balance nexthop 203.0.112113.1
ESR-1(config-subif)# wan load-balance success-count 1
ESR-1(config-subif)# wan load-balance target-list ISP1_ISP2
ESR-1(config-subif)# wan load-balance enable
ESR-1(config-subif)# exit
ESR-1(config)# interface gigabitethernet 2/0/3.222
ESR-1(config-subif)# description "Network: ISP2"
ESR-1(config-subif)# security-zone ISP1_ISP2
ESR-1(config-subif)# ip address 203.0.113.253/24
ESR-1(config-subif)# vrrp id 222
ESR-1(config-subif)# vrrp ip 203.0.113.2/24
ESR-1(config-subif)# vrrp group 1
ESR-1(config-subif)# vrrp
ESR-1(config-subif)# wan load-balance nexthop 203.0.113.1
ESR-1(config-subif)# wan load-balance success-count 1
ESR-1(config-subif)# wan load-balance target-list ISP1_ISP2
ESR-1(config-subif)# wan load-balance enable
ESR-1(config-subif)# exit |
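Review bot: VRRP is enabled on the provider-facing sub-interfaces in zone `ISP1_ISP2` (`vrrp id 111`, `vrrp id 222`) with no authentication setting visible in this section. A later step announces permitting VRRP and ICMP for that zone, but its rules are not shown here. On a segment shared with a provider, unauthenticated VRRP advertisements accepted from any source let another device on the segment affect which unit holds the virtual address. I would add a sentence to that step such as `On ISP-facing interfaces, restrict the VRRP permit rule to the addresses of the two cluster units and enable VRRP authentication.` Several lines in this block and the two before it show the old and new revisions fused together (for example `interface gigabitethernet 21/0/3.111222`), so the values should be checked against the published page before use.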
Укажите Укажем статический маршрут и создайте создадим правило для балансировки трафика:
| Блок кода |
|---|
|
ESR-1(config)# ip route 0.0.0.0/0 wan load-balance rule 1 10
ESR-1(config)# wan load-balance rule 1
ESR-1(config-wan-rule)# outbound interface gigabitethernet 1/0/3.111 70
ESR-1(config-wan-rule)# outbound interface gigabitethernet 1/0/3.222 30
ESR-1(config-wan-rule)# outbound interface gigabitethernet 2/0/3.222 30
ESR-1(config-wan-rule)# outbound interface gigabitethernet 2/0/3.111 70
ESR-1(config-wan-rule)# enable
ESR-1(config-wan-rule)# exit |
Разрешите Разрешим работу протокола VRRP и протокола ICMP в зоне ISP1_ISP2 и TRUSTED:
...
| Блок кода |
|---|
|
ESR-1# show wan interfaces status
Interface Nexthop Status Uptime/Downtime
-------------------- ----------------------- -------- ------------------------------------------
gi1/0/3.111 203.0.112.1 Active 17 minute and 58 seconds
gi1/0/3.222 203.0.113.1 Active 17 minute and 58 seconds |
Настройка IPsec VPN
...