...
| Code block |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
ip vrf PAIR_ONE
exit
ip vrf PAIR_TWO
exit
security zone SYNC
exit
security zone LAN_ONE
ip vrf forwarding PAIR_ONE
exit
security zone LAN_TWO
ip vrf forwarding PAIR_TWO
exit
security zone WAN_ONE
ip vrf forwarding PAIR_ONE
exit
security zone WAN_TWO
ip vrf forwarding PAIR_TWO
exit
bridge 1
vlan 1
security-zone SYNC
ip firewall disable
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
vrrp authentication algorithm md5
vrrp
enable
exit
interface gigabitethernet 1/0/1
mode switchport
exit
interface gigabitethernet 1/0/2.2
ip vrf forwarding PAIR_ONE
security-zone LAN_ONE
ip address 203.0.113.18/30
vrrp id 4
vrrp ip 192.0.2.1/24
vrrp priority 120
vrrp group 2
vrrp
exit
interface gigabitethernet 1/0/2.3
ip vrf forwarding PAIR_TWO
security-zone LAN_TWO
ip address 203.0.113.22/30
vrrp id 5
vrrp ip 128.66.0.1/24
vrrp priority 110
vrrp group 3
vrrp
exit
interface gigabitethernet 1/0/3.2
ip vrf forwarding PAIR_ONE
security-zone WAN_ONE
ip address 203.0.113.10/30
vrrp id 2
vrrp ip 203.0.113.2/30
vrrp group 2
vrrp
exit
interface gigabitethernet 1/0/3.3
ip vrf forwarding PAIR_TWO
security-zone WAN_TWO
ip address 203.0.113.14/30
vrrp id 3
vrrp ip 203.0.113.6/30
vrrp group 3
vrrp
exit
interface gigabitethernet 2/0/1
mode switchport
exit
interface gigabitethernet 2/0/2.2
ip vrf forwarding PAIR_ONE
security-zone LAN_ONE
ip address 203.0.113.17/30
vrrp id 4
vrrp ip 192.0.2.1/24
vrrp priority 110
vrrp group 2
vrrp
exit
interface gigabitethernet 2/0/2.3
ip vrf forwarding PAIR_TWO
security-zone LAN_TWO
ip address 203.0.113.21/30
vrrp id 5
vrrp ip 128.66.0.1/24
vrrp priority 120
vrrp group 3
vrrp
exit
interface gigabitethernet 2/0/3.2
ip vrf forwarding PAIR_ONE
security-zone WAN_ONE
ip address 203.0.113.9/30
vrrp id 2
vrrp ip 203.0.113.2/30
vrrp group 2
vrrp
exit
interface gigabitethernet 2/0/3.3
ip vrf forwarding PAIR_TWO
security-zone WAN_TWO
ip address 203.0.113.13/30
vrrp id 3
vrrp ip 203.0.113.6/30
vrrp group 3
vrrp
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security zone-pair LAN_ONE self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair LAN_TWO self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair WAN_ONE self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair WAN_TWO self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair LAN_ONE WAN_ONE
rule 1
action permit
enable
exit
exit
security zone-pair LAN_TWO WAN_TWO
rule 1
action permit
enable
exit
exit |
...
- the VRRP IP address is used as the default-router;
- the VRRP IP address is used as the dns-server;
- the required redundancy mode is active-standby;
- client subnet: 192.0.2.0/24.
...
| Code block |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service DHCP_SERVER
port-range 67
exit
object-group service DHCP_CLIENT
port-range 68
exit
security zone SYNC
exit
security zone LAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/3
security-zone LAN
ip address 128.66.0.2/30
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/3
security-zone LAN
ip address 128.66.0.1/30
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
ip dhcp-server
ip dhcp-server pool TRUSTED
network 192.0.2.0/24
address-range 192.0.2.10-192.0.2.100
default-router 192.0.2.1
dns-server 192.0.2.1
exit |
Solution:
Configure the object-groups for the failover services:
...
- the VRRP IP address is used as the default-router;
- the VRRP IP address is used as the dns-server;
- the required redundancy mode is active-standby;
- set the priorities of the DHCP failover instances so that one cluster unit is Master in one VRF and Backup in the other;
- client subnet in the first VRF, FRST_ACTIVE: 192.0.2.0/24;
- client subnet in the second VRF, SEC_ACTIVE: 203.0.113.0/24.

Diagram: DHCP failover implementation in several VRFs
...
| Code block |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service DHCP_SERVER
port-range 67
exit
object-group service DHCP_CLIENT
port-range 68
exit
ip vrf FRST_ACTIVE
exit
ip vrf SEC_ACTIVE
exit
security zone SYNC
exit
security zone FRST_ACTIVE
ip vrf forwarding FRST_ACTIVE
exit
security zone SEC_ACTIVE
ip vrf forwarding SEC_ACTIVE
exit
bridge 1
vlan 1
security-zone SYNC
ip firewall disable
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
vrrp authentication algorithm md5
vrrp
enable
exit
interface gigabitethernet 1/0/1
mode switchport
exit
interface gigabitethernet 1/0/2.10
ip vrf forwarding FRST_ACTIVE
security-zone FRST_ACTIVE
ip address 192.0.2.254/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp priority 120
vrrp group 2
vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 1/0/2.20
ip vrf forwarding SEC_ACTIVE
security-zone SEC_ACTIVE
ip address 203.0.113.254/24
vrrp id 3
vrrp ip 203.0.113.1/24
vrrp priority 110
vrrp group 3
vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 2/0/2.10
ip vrf forwarding FRST_ACTIVE
security-zone FRST_ACTIVE
ip address 192.0.2.253/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp priority 110
vrrp group 2
vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 2/0/2.20
ip vrf forwarding SEC_ACTIVE
security-zone SEC_ACTIVE
ip address 203.0.113.253/24
vrrp id 3
vrrp ip 203.0.113.1/24
vrrp priority 120
vrrp group 3
vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
vrrp authentication algorithm md5
vrrp
exit
interface gigabitethernet 2/0/3
mode switchport
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security zone-pair FRST_ACTIVE self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
security zone-pair SEC_ACTIVE self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit |
Solution:
Configure the DHCP servers. The VRRP IP address is used as the default-router and dns-server. Note that each address-range ends at .253, which is also the second unit's own interface address in that VRF (192.0.2.253 and 203.0.113.253); unless the server excludes its own interface addresses, end the range at .252 so that address is never leased:
| Code block |
|---|
|
ESR-1(config)# ip dhcp-server vrf FRST_ACTIVE
ESR-1(config)# ip dhcp-server pool FRST_ACTIVE vrf FRST_ACTIVE
ESR-1(config-dhcp-server)# network 192.0.2.0/24
ESR-1(config-dhcp-server)# address-range 192.0.2.10-192.0.2.253
ESR-1(config-dhcp-server)# default-router 192.0.2.1
ESR-1(config-dhcp-server)# dns-server 192.0.2.1
ESR-1(config-dhcp-server)# exit
ESR-1(config)# ip dhcp-server vrf SEC_ACTIVE
ESR-1(config)# ip dhcp-server pool SEC_ACTIVE vrf SEC_ACTIVE
ESR-1(config-dhcp-server)# network 203.0.113.0/24
ESR-1(config-dhcp-server)# address-range 203.0.113.10-203.0.113.253
ESR-1(config-dhcp-server)# default-router 203.0.113.1
ESR-1(config-dhcp-server)# dns-server 203.0.113.1
ESR-1(config-dhcp-server)# exit |
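A consistency check for the pools above, written as an added Python example rather than anything from the ESR documentation: for each VRF it takes the network, address-range, default-router and both units' interface addresses (values copied from the configuration above) and reports a range that would hand out the VRRP address or a unit's own interface address. The data layout and the function names are this example's own. Run against the values above it reports that the unit 2 addresses 192.0.2.253 and 203.0.113.253 fall inside the address-ranges.

```python
"""Sanity-check DHCP pools against the addressing of a VRRP pair.

Added example, not ESR code. The pool and interface values are the ones
from the FRST_ACTIVE / SEC_ACTIVE configuration above; the check itself,
its data layout and the function names are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrfPool:
    vrf: str
    network: str            # "network" line of the pool
    range_start: str        # low end of "address-range"
    range_end: str          # high end of "address-range"
    default_router: str     # VRRP virtual IP handed to clients
    unit_addresses: dict = field(default_factory=dict)  # unit number -> real interface IP


def check_pool(pool: VrfPool) -> list[str]:
    """Return a list of problems; an empty list means the pool is consistent."""
    problems = []
    net = ipaddress.ip_network(pool.network, strict=True)
    lo = ipaddress.ip_address(pool.range_start)
    hi = ipaddress.ip_address(pool.range_end)
    gw = ipaddress.ip_address(pool.default_router)

    if lo > hi:
        problems.append(f"{pool.vrf}: address-range low end {lo} is above high end {hi}")
    for name, addr in (("range start", lo), ("range end", hi), ("default-router", gw)):
        if addr not in net:
            problems.append(f"{pool.vrf}: {name} {addr} is outside network {net}")

    # The VRRP address and both units' own interface addresses must never be leased out.
    reserved = {"default-router (VRRP IP)": gw}
    for unit, ip in pool.unit_addresses.items():
        reserved[f"unit {unit} interface"] = ipaddress.ip_address(ip)
    for name, addr in reserved.items():
        if lo <= addr <= hi:
            problems.append(f"{pool.vrf}: {name} {addr} lies inside address-range {lo}-{hi}")
    return problems


# Values taken from the configuration above.
POOLS = [
    VrfPool("FRST_ACTIVE", "192.0.2.0/24", "192.0.2.10", "192.0.2.253", "192.0.2.1",
            {1: "192.0.2.254", 2: "192.0.2.253"}),
    VrfPool("SEC_ACTIVE", "203.0.113.0/24", "203.0.113.10", "203.0.113.253", "203.0.113.1",
            {1: "203.0.113.254", 2: "203.0.113.253"}),
]


def check_all(pools=POOLS) -> dict[str, list[str]]:
    """Map each VRF name to the problems found in its pool."""
    return {p.vrf: check_pool(p) for p in pools}


if __name__ == "__main__":
    for vrf, found in check_all().items():
        print(vrf, "OK" if not found else "\n  " + "\n  ".join(found))
```

Narrowing the range to .252 (or starting the unit addresses outside the pool, as the single-VRF example does with its /30 interface addresses) makes the check return an empty list.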
Allow DHCP requests from the client subnets:
...
Solution:
Configure the object-groups for the DHCP failover services. On each unit the local address (SRC) is that unit's own interface address in the VRF and the remote address (DST) is the peer's, so the two groups mirror each other:
| Code block |
|---|
|
ESR-1(config)# object-group network DST_FRST_ACTIVE
ESR-1(config-object-group-network)# ip address-range 192.0.2.253 unit 1
ESR-1(config-object-group-network)# ip address-range 192.0.2.254 unit 2
ESR-1(config-object-group-network)# exit
ESR-1(config)# object-group network DST_SEC_ACTIVE
ESR-1(config-object-group-network)# ip address-range 203.0.113.253 unit 1
ESR-1(config-object-group-network)# ip address-range 203.0.113.254 unit 2
ESR-1(config-object-group-network)# exit
ESR-1(config)# object-group network SRC_FRST_ACTIVE
ESR-1(config-object-group-network)# ip address-range 192.0.2.254 unit 1
ESR-1(config-object-group-network)# ip address-range 192.0.2.253 unit 2
ESR-1(config-object-group-network)# exit
ESR-1(config)# object-group network SRC_SEC_ACTIVE
ESR-1(config-object-group-network)# ip address-range 203.0.113.254 unit 1
ESR-1(config-object-group-network)# ip address-range 203.0.113.253 unit 2
ESR-1(config-object-group-network)# exit |
...
| Code block |
|---|
|
ESR-1(config)# ip failover vrf FRST_ACTIVE
ESR-1(config-failover)# local-address object-group SRC_FRST_ACTIVE
ESR-1(config-failover)# remote-address object-group DST_FRST_ACTIVE
ESR-1(config-failover)# vrrp-group 2
ESR-1(config-failover)# exit
ESR-1(config)# ip failover vrf SEC_ACTIVE
ESR-1(config-failover)# local-address object-group SRC_SEC_ACTIVE
ESR-1(config-failover)# remote-address object-group DST_SEC_ACTIVE
ESR-1(config-failover)# vrrp-group 3
ESR-1(config-failover)# exit |
...
| Code block |
|---|
|
ESR-1(config)# ip dhcp-server failover vrf FRST_ACTIVE
ESR-1(config-dhcp-server-failover)# mode active-standby
ESR-1(config-dhcp-server-failover)# enable
ESR-1(config-dhcp-server-failover)# exit
ESR-1(config)# ip dhcp-server failover vrf SEC_ACTIVE
ESR-1(config-dhcp-server-failover)# mode active-standby
ESR-1(config-dhcp-server-failover)# enable
ESR-1(config-dhcp-server-failover)# exit |
...
| Code block |
|---|
|
ESR-1(config)# object-group service SYNC
ESR-1(config-object-group-service)# port-range 873
ESR-1(config-object-group-service)# exit
ESR-1(config)# security zone-pair FRST_ACTIVE self
ESR-1(config-security-zone-pair)# rule 3
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol tcp
ESR-1(config-security-zone-pair-rule)# match destination-port object-group SYNC
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# exit
ESR-1(config)# security zone-pair SEC_ACTIVE self
ESR-1(config-security-zone-pair)# rule 3
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol tcp
ESR-1(config-security-zone-pair-rule)# match destination-port object-group SYNC
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# exit
ESR-1(config)# exit |
The DHCP failover status can be checked with the command below; one instance must report Role: Master and the other Role: Backup:
| Code block |
|---|
|
ESR-1# show ip dhcp server failover vrf FRST_ACTIVE
VRF: FRST_ACTIVE
Mode: Active-Standby
Role: Master
State: Synchronized
Last synchronization: 2025-02-05 09:31:32
ESR-1# show ip dhcp server failover vrf SEC_ACTIVE
VRF: SEC_ACTIVE
Mode: Active-Standby
Role: Backup
State: Synchronized
Last synchronization: 2025-02-05 09:31:33 |
The DHCP server status can also be viewed with the following command:
| Code block |
|---|
|
ESR-1# show high-availability state
DHCP server:
VRF: SEC_ACTIVE
Mode: Active-Standby
State: Successful synchronization
Last synchronization: 2025-02-05 09:32:25
VRF: FRST_ACTIVE
Mode: Active-Standby
State: Successful synchronization
Last synchronization: 2025-02-05 09:32:24
crypto-sync:
State: Disabled
Firewall sessions and NAT translations:
State: Disabled |
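The Master/Backup pairing required above is easy to verify mechanically when the show output of both units is collected. The following Python is an added example, not part of the ESR documentation: it parses the `show ip dhcp server failover` output format shown above for each unit (the two samples are constructed from that format; unit 2's output is assumed to mirror unit 1's roles) and reports any VRF where the units are not one Master plus one Backup, both synchronized in Active-Standby mode. The parser, the function names and the sample texts are this example's own.

```python
"""Check DHCP failover state across both cluster units from 'show' output.

Added example, not ESR code. The two sample outputs are constructed from
the 'show ip dhcp server failover' format shown above; unit 2 is assumed
to report the mirror image of unit 1's roles.
"""
import re

# Constructed samples: each unit answers for both VRFs.
UNIT1_OUTPUT = """\
VRF: FRST_ACTIVE
Mode: Active-Standby
Role: Master
State: Synchronized
Last synchronization: 2025-02-05 09:31:32
VRF: SEC_ACTIVE
Mode: Active-Standby
Role: Backup
State: Synchronized
Last synchronization: 2025-02-05 09:31:33
"""

UNIT2_OUTPUT = """\
VRF: FRST_ACTIVE
Mode: Active-Standby
Role: Backup
State: Synchronized
Last synchronization: 2025-02-05 09:31:32
VRF: SEC_ACTIVE
Mode: Active-Standby
Role: Master
State: Synchronized
Last synchronization: 2025-02-05 09:31:33
"""

FIELD = re.compile(r"^(VRF|Mode|Role|State|Last synchronization):\s*(.*)$")


def parse_failover(text: str) -> dict[str, dict[str, str]]:
    """Split the output into one dict of fields per VRF, keyed by VRF name."""
    result, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # prompts, headers and anything else are ignored
        key, value = m.groups()
        if key == "VRF":
            current = result.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return result


def check_pair(unit1: str, unit2: str) -> list[str]:
    """Return problems; empty means every VRF has one Master and one Backup, both synchronized."""
    a, b = parse_failover(unit1), parse_failover(unit2)
    problems = []
    for vrf in sorted(set(a) | set(b)):
        if vrf not in a or vrf not in b:
            problems.append(f"{vrf}: failover configured on only one unit")
            continue
        # Two Masters means split brain; two Backups means nobody answers DHCP.
        roles = {a[vrf].get("Role"), b[vrf].get("Role")}
        if roles != {"Master", "Backup"}:
            problems.append(f"{vrf}: roles are {sorted(r or 'missing' for r in roles)}, expected one Master and one Backup")
        for unit, info in (("unit 1", a[vrf]), ("unit 2", b[vrf])):
            if info.get("State") != "Synchronized":
                problems.append(f"{vrf}: {unit} state is {info.get('State', 'missing')}")
            if info.get("Mode") != "Active-Standby":
                problems.append(f"{vrf}: {unit} mode is {info.get('Mode', 'missing')}")
    return problems


if __name__ == "__main__":
    found = check_pair(UNIT1_OUTPUT, UNIT2_OUTPUT)
    print("OK" if not found else "\n".join(found))
```

Feed it the real output of both units (for example collected over SSH by a monitoring job) and alert on a non-empty result; a VRF reported by only one unit, two Masters, or a state other than Synchronized each produce their own line.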
...
| Code block |
|---|
|
ESR-1# show ip dhcp binding vrf FRST_ACTIVE
IP address MAC / Client ID Binding type Lease expires at
---------------- ------------------------------------------------------------- ------------ --------------------
192.0.2.10 50:52:e5:02:0c:00 active 2025-02-06 09:33:09
ESR-1# show ip dhcp binding vrf SEC_ACTIVE
IP address MAC / Client ID Binding type Lease expires at
---------------- ------------------------------------------------------------- ------------ --------------------
203.0.113.10 50:52:e5:02:0c:00 active 2025-02-06 09:33:10 |
SNMP configuration
SNMP (Simple Network Management Protocol) implements a manager-agent model for centralized management of network devices: agents running on the devices collect data structured as MIBs, while the manager queries that information, monitors the state of the network, tracks performance and changes the equipment configuration.
...