Сравнение версий

Комментарий: Оксененко С. Поправил пример для firewall failover в VRF

...

Исходная конфигурация кластера:
Блок кода
titleESR-1
cluster
  cluster-interface bridge 7
  unit 1
    mac-address a2:00:00:10:c0:00
  exit
  unit 2
    mac-address a2:00:00:10:d0:00
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

ip vrf FRSTPAIR_ACTIVEONE
exit
ip vrf SECPAIR_ACTIVETWO
exit

security zone SYNC
exit
security zone LAN_F_ACTIVEONE
  ip vrf forwarding FRSTPAIR_ACTIVEONE
exit
security zone LAN_S_ACTIVETWO
  ip vrf forwarding SECPAIR_ACTIVETWO
exit
security zone WAN_F_ACTIVEONE
  ip vrf forwarding FRSTPAIR_ACTIVEONE
exit
security zone WAN_S_ACTIVETWO
  ip vrf forwarding SECPAIR_ACTIVETWO
exit

bridge 71
  vlan 1
  security-zone SYNC
  ip firewall disable
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
  vrrp authentication algorithm md5
  vrrp
  enable
exit

interface gigabitethernet 1/0/1.10
  mode switchport
exit
interface gigabitethernet 1/0/2.2
  ip vrf forwarding FRSTPAIR_ACTIVEONE
  security-zone WANLAN_F_ACTIVEONE
  ip address 128203.660.0113.518/30
  vrrp id 24
  vrrp ip 128192.660.02.1/3024
  vrrp grouppriority 2120
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFFgroup 2
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/12.203
  ip vrf forwarding SECPAIR_ACTIVETWO
  security-zone WANLAN_S_ACTIVETWO
  ip address 128203.660.0113.922/30
  vrrp id 35
  vrrp ip 128.66.0.131/3024
  vrrp grouppriority 3110
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFFgroup 3
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3.2.10
  ip vrf forwarding FRSTPAIR_ACTIVEONE
  security-zone LANWAN_F_ACTIVEONE
  ip address 128203.660.0113.1810/30
  vrrp id 42
  vrrp ip 192203.0.113.2.1/2430
  vrrp priority 120
  vrrp group 2
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/23.203
  ip vrf forwarding SECPAIR_ACTIVETWO
  security-zone LANWAN_S_ACTIVETWO
  ip address 128203.660.0113.2214/30
  vrrp id 53
  vrrp ip 203.0.113.16/2430
  vrrp priority 110
  vrrp group 3
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 12/0/31
  mode switchport
exit
interface gigabitethernet 2/0/12.102
  ip vrf forwarding FRSTPAIR_ACTIVEONE
  security-zone WANLAN_F_ACTIVEONE
  ip address 128203.660.0113.517/30
  vrrp id 24
  vrrp ip 128192.660.02.1/3024
  vrrp grouppriority 2110
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
  vrrp authentication algorithm md5group 2
  vrrp
exit
interface gigabitethernet 2/0/12.203
  ip vrf forwarding SECPAIR_ACTIVETWO
  security-zone WANLAN_S_ACTIVETWO
  ip address 128203.660.0113.921/30
  vrrp id 35
  vrrp ip 128.66.0.131/3024
  vrrp grouppriority 3120
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFFgroup 3
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3.2.10
  ip vrf forwarding FRSTPAIR_ACTIVEONE
  security-zone LANWAN_F_ACTIVEONE
  ip address 128203.660.0113.179/30
  vrrp id 42
  vrrp ip 192203.0.113.2.1/24
  vrrp priority 110/30
  vrrp group 2
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/23.203
  ip vrf forwarding SECPAIR_ACTIVETWO
  security-zone LANWAN_S_ACTIVETWO
  ip address 128203.660.0113.2113/30
  vrrp id 53
  vrrp ip 203.0.113.1/24
  vrrp priority 1206/30
  vrrp group 3
  vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3
  mode switchport
exit

security zone
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol vrrpicmp
    enable
  exit
  rule 2
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN_F_ACTIVE self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 23
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN_S_ACTIVEONE self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN_TWO self
  rule 21
    action permit
    match protocol ahvrrp
    enable
  exit
exit
security zone-pair WAN_F_ACTIVEONE self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair WAN_S_ACTIVETWO self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN_F_ACTIVEONE WAN_F_ACTIVEONE
  rule 1
    action permit
    enable
  exit
exit
security zone-pair LAN_S_ACTIVETWO WAN_S_ACTIVETWO
  rule 1
    action permit
    enable
  exit
exit
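Review bot: Every VRRP instance in the example — the SYNC bridge 71 (L58), both WAN subinterfaces and both LAN subinterfaces — carries the same `vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF`, so one shared MD5 key authenticates VRRP across two VRFs and three security zones. VRRP authentication only stops an adjacent host from injecting advertisements, and with a single key any host in either VRF's LAN or WAN segment that learns it can advertise a higher priority and take over Master in the other VRF too, which in this design also moves ownership of the firewall session cache; use a distinct key per VRRP group, or at least per VRF. The `encrypted` form must be recoverable by the device to compute the MD5 authentication, so it is reversible storage rather than a hash and the running configuration should be handled as a secret. Separately, `bridge 71` has `ip firewall disable` while `security zone-pair SYNC self` rules for vrrp/ah are still defined for zone SYNC, so those rules never apply to the bridge — the text should say why the firewall is bypassed on the sync bridge, or the rules should be dropped to avoid implying they are enforced.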

...

Блок кода
titleESR-1
ESR-1(config)# object-group network DST_FRSTPAIR_ACTIVEONE
ESR-1(config-object-group-network)# ip address-range 128203.660.0113.17 unit 1
ESR-1(config-object-group-network)# ip address-range 128203.660.0113.18 unit 2
ESR-1(config-object-group-network)# exit
ESR-1(config)# object-group network DST_SECPAIR_ACTIVETWO
ESR-1(config-object-group-network)# ip address-range 128203.660.0113.21 unit 1
ESR-1(config-object-group-network)# ip address-range 128203.660.0113.22 unit 2
ESR-1(config-object-group-network)# exit
ESR-1(config)# object-group network SRC_FRSTPAIR_ACTIVEONE
ESR-1(config-object-group-network)# ip address-range 128203.660.0113.18 unit 1
ESR-1(config-object-group-network)# ip address-range 128.66203.0.113.17 unit 2
ESR-1(config-object-group-network)# exit
ESR-1(config)# object-group network SRC_SECPAIR_ACTIVETWO
ESR-1(config-object-group-network)# ip address-range 128203.660.0113.22 unit 1
ESR-1(config-object-group-network)# ip address-range 128203.660.0113.21 unit 2
ESR-1(config-object-group-network)# exit

Перейдем к настройке ip failover для каждого VRF: зададим local-address/remote-address и укажем привязку к соответствующей VRRP-group, по состоянию которой будет определяться, какой из маршрутизаторов синхронизирует сессии:

Блок кода
titleESR-1
ESR-1(config)# ip failover vrf FRSTPAIR_ACTIVEONE
ESR-1(config-failover)# local-address object-group SRC_FRSTPAIR_ACTIVEONE
ESR-1(config-failover)# remote-address object-group DST_FRSTPAIR_ACTIVEONE
ESR-1(config-failover)# vrrp-group 2
ESR-1(config-failover)# exit
ESR-1(config)# ip failover vrf SECPAIR_ACTIVETWO
ESR-1(config-failover)# local-address object-group SRC_SECPAIR_ACTIVETWO
ESR-1(config-failover)# remote-address object-group DST_SECPAIR_ACTIVETWO
ESR-1(config-failover)# vrrp-group 3
ESR-1(config-failover)# exit

...

Блок кода
titleESR-1
ESR-1(config)# ip firewall failover vrf FRSTPAIR_ACTIVEONE
ESR-1(config-firewall-failover)# sync-type unicast
ESR-1(config-firewall-failover)# port 9999
ESR-1(config-firewall-failover)# enable
ESR-1(config-firewall-failover)# exit
ESR-1(config)# ip firewall failover vrf SECPAIR_ACTIVETWO
ESR-1(config-firewall-failover)# sync-type unicast
ESR-1(config-firewall-failover)# port 9999
ESR-1(config-firewall-failover)# enable
ESR-1(config-firewall-failover)# exit

...

Блок кода
titleESR-1
ESR-1(config)# object-group service FAILOVER
ESR-1(config-object-group-service)# port-range 9999
ESR-1(config-object-group-service)# exit
ESR-1(config)# security zone-pair LAN_F_ACTIVEONE self
ESR-1(config-security-zone-pair)# rule 3
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol udp
ESR-1(config-security-zone-pair-rule)# match destination-port object-group FAILOVER
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# exit
ESR-1(config)# security zone-pair LAN_S_ACTIVETWO self
ESR-1(config-security-zone-pair)# rule 3
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol udp
ESR-1(config-security-zone-pair-rule)# match destination-port object-group FAILOVER
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# exit
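Review bot: Rule 3 on both zone-pairs permits UDP to destination port 9999 from any source in the LAN zone to the router itself, even though the peer's addresses are already enumerated in the remote-address object groups on L248-L255. Restrict the rule to the peer so an arbitrary LAN host cannot reach the session-sync listener, e.g. add `match source-address object-group DST_FRSTPAIR_ACTIVEONE` to rule 3 under `LAN_F_ACTIVEONE self` and `match source-address object-group DST_SECPAIR_ACTIVETWO` under `LAN_S_ACTIVETWO self` (the exact `match source-address` form should be checked against the ESR release in use). The page does not say whether the unicast sync stream is authenticated, so until that is confirmed this zone rule is the only thing keeping non-peer hosts from feeding entries into the firewall session table. It is also worth noting in the text that, with local/remote addresses taken from the LAN subinterfaces, the sync traffic is carried on the client-facing segments rather than the dedicated SYNC bridge 71, and that a dedicated sync link is preferable where available.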

...

Блок кода
titleESR-1
ESR-1# show vrrp vrf FRSTPAIR_ACTIVEONE 

   Unit 1* 'ESR-1'
   ---------------
Virtual router   Virtual IP                          Priority   Preemption   State    Inherit   Sync group ID   
--------------   ---------------------------------   --------   ----------   ------   -------   -------------   
2                128203.660.0113.12/30                       100        Enabled      Master   --        2               
4                192.0.2.1/24                        120        Enabled      Master   --        2               


   Unit 2 'ESR-2'
   --------------
Virtual router   Virtual IP                          Priority   Preemption   State    Inherit   Sync group ID   
--------------   ---------------------------------   --------   ----------   ------   -------   -------------   
2                128203.660.0113.12/30                       100        Enabled      Backup   --        2               
4                192.0.2.1/24                        110        Enabled      Backup   --        2               

ESR-1# show vrrp vrf SECPAIR_ACTIVE TWO

   Unit 1* 'ESR-1'
   ---------------
Virtual router   Virtual IP                          Priority   Preemption   State    Inherit   Sync group ID   
--------------   ---------------------------------   --------   ----------   ------   -------   -------------   
3                128203.660.0113.136/30                      100        Enabled      Backup   --        3               
5                203128.66.0.113.1/24                       110        Enabled      Backup   --        3               


   Unit 2 'ESR-2'
   --------------
Virtual router   Virtual IP                          Priority   Preemption   State    Inherit   Sync group ID   
--------------   ---------------------------------   --------   ----------   ------   -------   -------------   
3                128203.660.0113.136/30                      100        Enabled      Master   --        3               
5                203128.66.0.113.1/24                       120        Enabled      Master   --        3               

Посмотреть информацию о сервисе firewall failover в каждом VRF можно с помощью следующей команды:

Блок кода
titleESR-1
ESR-1# show ip firewall failover vrf FRSTPAIR_ACTIVEONE 
Communication interface:                    gigabitethernet 1/0/2.102
Status:                                     Running
Bytes sent:                                 146607420
Bytes received:                             139127200
Packets sent:                               922465
Packets received:                           909460
Send errors:                                0
Receive errors:                             0
Resend queue: 
    Active entries:                         01
    Errors: 
        No space left:                      0
Hold queue: 
    Active entries:                         0
    Errors: 
        No space left:                      0
ESR-1# show ip firewall failover vrf SECPAIR_ACTIVETWO 
Communication interface:                    gigabitethernet 1/0/2.203
Status:                                     Running
Bytes sent:                                 142727320
Bytes received:                             143567380
Packets sent:                               926468
Packets received:                           912464
Send errors:                                0
Receive errors:                             0
Resend queue: 
    Active entries:                         1
    Errors: 
        No space left:                      0
Hold queue: 
    Active entries:                         0
    Errors: 
        No space left:                      0

...

Блок кода
titleESR-1
ESR-1# show high-availability state 
DHCP server:
    State:                         Disabled
    Last state change:             --
crypto-sync:
    State:                         Disabled
Firewall sessions and NAT translations:
VRF:                               FRSTPAIR_ACTIVEONE
    State:                         Successful synchronization
    Fault Reason:                  --
    Last synchronization:          2025-02-18 08:51:34
VRF:                               PAIR_TWO
    State:                         Successful synchronization
    Fault Reason:                  --
    Last synchronization:          2025-02-18 08:51:34

Сгенерируем по одной клиентской сессии из каждого LAN пула.

Посмотреть текущие сессии на устройстве можно с помощью команды show ip firewall sessions. Убедимся, что в выводе есть сессия только для того VRF, в котором устройство находится в состоянии Master:

Блок кода
titleESR-1
ESR-1# show ip firewall sessions vrf PAIR_ONE protocol tcp 
 Codes: E - expected, U - unreplied,
        A - assured, C - confirmed

Prot    Aging        Inside source           Inside destination      Outside source          Outside destination     Pkts         Bytes        Status   
-----   ----------   ---------------------   ---------------------   ---------------------   ---------------------   ----------   ----------   ------   
tcp     110          192.0.2.10:47406        203.0.113.1:22          192.0.2.10:47406        203.0.113.1:22          --           --           AC       
ESR-1# show ip firewall sessions vrf PAIR_TWO protocol tcp 
Блок кода
titleESR-2
ESR-2# show ip firewall sessions vrf PAIR_ONE protocol tcp
ESR-2# show ip firewall sessions vrf PAIR_TWO protocol tcp 
 Codes: E - expected, U - unreplied,
        A - assured, C - confirmed

Prot    Aging        Inside source           Inside destination      Outside source          Outside destination     Pkts         Bytes        Status   
-----   ----------   ---------------------   ---------------------   ---------------------   ---------------------   ----------   ----------   ------   
tcp     113          128.66.0.10:59108       203.0.113.5:22          128.66.0.10:59108       203.0.113.5:22          --           --           AC       

Посмотреть активные синхронизируемые сессии, используемые для работы firewall failover, можно с помощью команды show ip firewall sessions failover external/internal. Убедимся, что для одного VRF сессия находится во внутреннем (internal) кэше, а для второго VRF — во внешнем (external) кэше:

Блок кода
titleESR-1
ESR-1# show ip firewall sessions failover external vrf PAIR_ONE 
ESR-1# show ip firewall sessions failover internal vrf PAIR_ONE 
 Codes: E - expected, U - unreplied,
        A - assured, C - confirmed

Prot    Aging        Inside source           Inside destination      Outside source          Outside destination     Pkts         Bytes        Status   
-----   ----------        2025-02-06 09:08:30
VRF:                 ---------------------   ---------------------   ---------------------   ---------------------   ----------   ----------   ------   
tcp     0         SEC_ACTIVE
    State:192.0.2.10:47406        203.0.113.1:22          203.0.113.1:22       Successful synchronization
  192.0.2.10:47406  Fault Reason:     --             --
     Last synchronization:     AC     2025-02-06 09:08:30

Сгенерируем по одной клиентской сессии из каждого LAN пула.

Посмотреть текущие сессии на устройстве можно с помощью команды show ip firewall sessions. Убедимся, что в выводе есть сессия только для того VRF, в котором устройство находится в состоянии Master:

Блок кода
titleESR-1
ESR-  
ESR-1# show ip firewall sessions failover external vrf FRST_ACTIVE protocol tcpPAIR_TWO 
 Codes: E - expected, U - unreplied,
        A - assured, C - confirmed

Prot    Aging        Inside source           Inside destination      Outside source          Outside destination     Pkts         Bytes        Status   
-----   ----------   ---------------------   ---------------------   ---------------------   ---------------------   ----------   ----------   ------   
tcptcp     0  110          192128.66.0.2.10:4010659108        128203.660.0113.25:22           192203.0.2113.105:4010622          128.66.0.210:2259108           --           --           AC       
ESR-1# show ip firewall sessions failover internal vrf SECPAIR_ACTIVE protocol tcp 

...

TWO 
Блок кода
titleESR-12
ESR-1#2# show ip firewall sessions failover external vrf FRST_ACTIVE 
ESR-1# show ip firewall sessions failover internal vrf FRST_ACTIVEPAIR_ONE 
 Codes: E - expected, U - unreplied,
        A - assured, C - confirmed

Prot    Aging        Inside source           Inside destination      Outside source          Outside destination     Pkts         Bytes        Status   
-----   ----------   ---------------------   ---------------------   ---------------------   ---------------------   ----------   ----------   ------   
tcp     0            192.0.2.10:4010647406        128203.660.0113.21:22           128203.660.0113.21:22           192.0.2.10:4010647406        --           --           AC       
ESR-2# show ip firewall sessions failover internal vrf PAIR_ONE 
ESR-1#2# show ip firewall sessions failover external vrf PAIR_TWO 
ESR-2# show ip firewall sessions failover internal vrf SECPAIR_ACTIVETWO 
 Codes: E - expected, U - unreplied,
        A - assured, C - confirmed

Prot    Aging        Inside source           Inside destination      Outside source          Outside destination     Pkts         Bytes        Status   
-----   ----------   ---------------------   ---------------------   ---------------------   ---------------------   ----------   ----------   ------   
tcp     0            203128.66.0.113.10:3601259108       128203.660.0113.145:22          128203.660.0113.145:22          203128.66.0.113.10:3601259108       --           --           AC       
ESR-1# show ip firewall sessions failover internal vrf SEC_ACTIVE  

Настройка DHCP failover

DHCP-failover позволяет обеспечить высокую доступность службы DHCP.

...