...
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
ip vrf PAIR_ONE
exit
ip vrf PAIR_TWO
exit
security zone SYNC
exit
security zone LAN_ONE
ip vrf forwarding PAIR_ONE
exit
security zone LAN_TWO
ip vrf forwarding PAIR_TWO
exit
security zone WAN_ONE
ip vrf forwarding PAIR_ONE
exit
security zone WAN_TWO
ip vrf forwarding PAIR_TWO
exit
bridge 1
vlan 1
security-zone SYNC
ip firewall disable
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
vrrp authentication algorithm md5
vrrp
enable
exit
interface gigabitethernet 1/0/1
mode switchport
exit
interface gigabitethernet 1/0/2.2
ip vrf forwarding PAIR_ONE
security-zone LAN_ONE
ip address 203.0.113.18/30
vrrp id 4
vrrp ip 192.0.2.1/24
vrrp priority 120
vrrp group 2
vrrp
exit
interface gigabitethernet 1/0/2.3
ip vrf forwarding PAIR_TWO
security-zone LAN_TWO
ip address 203.0.113.22/30
vrrp id 5
vrrp ip 128.66.0.1/24
vrrp priority 110
vrrp group 3
vrrp
exit
interface gigabitethernet 1/0/3.2
ip vrf forwarding PAIR_ONE
security-zone WAN_ONE
ip address 203.0.113.10/30
vrrp id 2
vrrp ip 203.0.113.2/30
vrrp group 2
vrrp
exit
interface gigabitethernet 1/0/3.3
ip vrf forwarding PAIR_TWO
security-zone WAN_TWO
ip address 203.0.113.14/30
vrrp id 3
vrrp ip 203.0.113.6/30
vrrp group 3
vrrp
exit
interface gigabitethernet 2/0/1
mode switchport
exit
interface gigabitethernet 2/0/2.2
ip vrf forwarding PAIR_ONE
security-zone LAN_ONE
ip address 203.0.113.17/30
vrrp id 4
vrrp ip 192.0.2.1/24
vrrp priority 110
vrrp group 2
vrrp
exit
interface gigabitethernet 2/0/2.3
ip vrf forwarding PAIR_TWO
security-zone LAN_TWO
ip address 203.0.113.21/30
vrrp id 5
vrrp ip 128.66.0.1/24
vrrp priority 120
vrrp group 3
vrrp
exit
interface gigabitethernet 2/0/3.2
ip vrf forwarding PAIR_ONE
security-zone WAN_ONE
ip address 203.0.113.9/30
vrrp id 2
vrrp ip 203.0.113.2/30
vrrp group 2
vrrp
exit
interface gigabitethernet 2/0/3.3
ip vrf forwarding PAIR_TWO
security-zone WAN_TWO
ip address 203.0.113.13/30
vrrp id 3
vrrp ip 203.0.113.6/30
vrrp group 3
vrrp
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security zone-pair LAN_ONE self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair LAN_TWO self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair WAN_ONE self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair WAN_TWO self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair LAN_ONE WAN_ONE
rule 1
action permit
enable
exit
exit
security zone-pair LAN_TWO WAN_TWO
rule 1
action permit
enable
exit
exit |
...
| Блок кода | ||
|---|---|---|
| ||
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service DHCP_SERVER
port-range 67
exit
object-group service DHCP_CLIENT
port-range 68
exit
ip vrf LAN_ONE
exit
ip vrf LAN_TWO
exit
security zone SYNC
exit
security zone LAN_ONE
ip vrf forwarding LAN_ONE
exit
security zone LAN_TWO
ip vrf forwarding LAN_TWO
exit
bridge 1
vlan 1
security-zone SYNC
ip firewall disable
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 8CB5107EA7005AFF
vrrp authentication algorithm md5
vrrp
enable
exit
interface gigabitethernet 1/0/1
mode switchport
exit
interface gigabitethernet 1/0/2.2
ip vrf forwarding LAN_ONE
security-zone LAN_ONE
ip address 192.0.2.254/24
vrrp id 4
vrrp ip 192.0.2.1/24
vrrp priority 120
vrrp group 2
vrrp
exit
interface gigabitethernet 1/0/2.3
ip vrf forwarding LAN_TWO
security-zone LAN_TWO
ip address 128.66.0.254/24
vrrp id 5
vrrp ip 128.66.0.1/24
vrrp priority 110
vrrp group 3
vrrp
exit
interface gigabitethernet 2/0/1
mode switchport
exit
interface gigabitethernet 2/0/2.2
ip vrf forwarding LAN_ONE
security-zone LAN_ONE
ip address 192.0.2.253/24
vrrp id 4
vrrp ip 192.0.2.1/24
vrrp priority 110
vrrp group 2
vrrp
exit
interface gigabitethernet 2/0/2.3
ip vrf forwarding LAN_TWO
security-zone LAN_TWO
ip address 128.66.0.253/24
vrrp id 5
vrrp ip 128.66.0.1/24
vrrp priority 120
vrrp group 3
vrrp
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security zone-pair LAN_ONE self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
security zone-pair LAN_TWO self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
ip dhcp-server vrf LAN_ONE
ip dhcp-server pool LAN_ONE vrf LAN_ONE
network 192.0.2.0/24
address-range 192.0.2.10-192.0.2.253
default-router 192.0.2.1
exit
ip dhcp-server vrf LAN_TWO
ip dhcp-server pool LAN_TWO vrf LAN_TWO
network 128.66.0.0/24
address-range 128.66.0.10-128.66.0.253
default-router 128.66.0.1
exit |
...
- обеспечить возможность мониторинга сети через management-интерфейс каждого устройства в кластере:
- обеспечить возможность мониторинга состояния сети и внесения изменений в конфигурацию устройства, выполняющего роль VRRP Master;
- устройство управления (MGMT) доступно по IP-адресу 192.0.2.1210.
Исходная конфигурация кластера:
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address cca2:9d00:a200:7110:83c0:7800
exit
unit 2
mac-address cca2:9d00:a200:7110:82d0:3800
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
security zone SYNC
exit
security zone MGMT
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
enable
exit
interface gigabitethernet 1/0/31
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/2
security-zone MGMT
ip address 192.0.2.254/24
vrrp id 2
vrrp ip 192.0/3.2.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone MGMT
ip address 192.0.2.253/24
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit |
Решение:
Сконфигурируем необходимые сетевые интерфейсы для подключения к устройству управления с указанием их принадлежности к зоне безопасности:
| Блок кода | ||
|---|---|---|
| ||
ESR-1(config)# security zone-pair MGMT ESR-1(config-security-zone)# exit ESR-1(config)# interface gigabitethernet 1/0/2 ESR-1(config-if-gi)# security-zone MGMT ESR-1(config-if-gi)# ip address 192.0.2.254/24 ESR-1(config-if-gi)# vrrp id 2 ESR-1(config-if-gi)# vrrp ip 192.0.2.1/24 ESR-1(config-if-gi)# vrrp group 1 ESR-1(config-if-gi)# vrrp authentication key ascii-text encrypted 88B11079B51D ESR-1(config-if-gi)# vrrp authentication algorithm md5 ESR-1(config-if-gi)# vrrp ESR-1(config-if-gi)# exit ESR-1(config)# interface gigabitethernet 2/0/2 ESR-1(config-if-gi)# security-zone MGMT ESR-1(config-if-gi)# ip address 192.0.2.253/24 ESR-1(config-if-gi)# vrrp id 2 ESR-1(config-if-gi)# vrrp ip 192.0.2.1/24 ESR-1(config-if-gi)# vrrp group 1 ESR-1(config-if-gi)# vrrp authentication key ascii-text encrypted 88B11079B51D ESR-1(config-if-gi)# vrrp authentication algorithm md5 ESR-1(config-if-gi)# vrrp ESR-1(config-if-gi)# exit self rule 1 action permit match protocol vrrp enable exit exit |
Решение:
Создадим профиль SNMP-портов, предоставляющий доступ в MGMT зону безопасности:
...
| Блок кода | ||
|---|---|---|
| ||
ESR-1(config)# security zone-pair MGMT self ESR-1(config-security-zone-pair)# rule 1 ESR-1(config-security-zone-pair-rule)# action permit ESR-1(config-security-zone-pair-rule)# match protocol vrrp ESR-1(config-security-zone-pair-rule)# enable ESR-1(config-security-zone-pair-rule)# exit ESR-1(config-security-zone-pair)# rule 2 ESR-1(config-security-zone-pair-rule)# action permit ESR-1(config-security-zone-pair-rule)# match protocol ah ESR-1(config-security-zone-pair-rule)# enable ESR-1(config-security-zone-pair-rule)# exit ESR-1(config-security-zone-pair)# rule 3 ESR-1(config-security-zone-pair-rule)# action permit ESR-1(config-security-zone-pair-rule)# match protocol udp ESR-1(config-security-zone-pair-rule)# match destination-port object-group SNMP ESR-1(config-security-zone-pair-rule)# enable ESR-1(config-security-zone-pair-rule)# exit ESR-1(config-security-zone-pair)# exit |
...
Благодаря данной настройке обеспечивается возможность централизованного мониторинга и управления юнитами кластера как отдельными устройствами, так и устройством, выполняющим роль VRRP Master. В примере ниже используется SNMPv2c с community-строкой, разрешающей запись (snmpset); в SNMPv2c она передаётся в открытом виде, поэтому доступ в зону MGMT следует ограничивать доверенными адресами управления:
| Блок кода | ||
|---|---|---|
| ||
cluester@cluester-System:~$ snmpset -v2c -c publiccluster 192.0.2.253 .1.3.6.1.2.1.1.5.0 s 'ESR-1' SNMPv2-MIB::sysName.0 = STRING: ESR-1 cluester@cluester-System:~$ snmpset -v2c -c publiccluster 192.0.2.254 .1.3.6.1.2.1.1.5.0 s 'ESR-2' SNMPv2-MIB::sysName.0 = STRING: ESR-2 cluester@cluester-System:~$ snmpset -v2c -c publiccluster 192.0.2.1 .1.3.6.1.2.1.1.5.0 s 'VRRP-Master' SNMPv2-MIB::sysName.0 = STRING: VRRP-Master | ||
| Примечание | ||
| Для работы в кластере необходимо использовать режим active-standby. |
Настройка Source NAT
Source NAT (SNAT) представляет собой механизм, осуществляющий замену исходного IP-адреса в заголовках IP-пакетов, проходящих через сетевой шлюз. При передаче трафика из внутренней (локальной) сети во внешнюю (публичную) сеть исходный адрес заменяется на один из назначенных публичных IP-адресов шлюза. В ряде случаев осуществляется дополнительное преобразование исходного порта (NATP – Network Address and Port Translation), что обеспечивает корректное направление обратного трафика. При поступлении пакетов из публичной сети в локальную происходит обратная процедура – восстановление оригинальных значений IP-адреса и порта для обеспечения корректной маршрутизации внутри внутренней сети.
...