Version comparison

Comment: Oksenenko S. Fixed the BGP example to use the VRRP IP

...

Code block
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cca2:9d00:a200:7110:83c0:7800
  exit
  unit 2
    mac-address cca2:9d00:a200:7110:82d0:3800
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 128.66.0.2/30
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp
exit
interface gigabitethernet 1/0/3
  security-zone WAN
  ip address 128.66.0.6/30
  vrrp id 3
  vrrp ip 203.0.113.1/30
  vrrp group 1
  vrrp
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 128.66.0.1/30
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp
exit
interface gigabitethernet 2/0/3
  security-zone WAN
  ip address 128.66.0.5/30
  vrrp id 3
  vrrp ip 203.0.113.1/30
  vrrp group 1
  vrrp
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN WAN
  rule 1
    action permit
    enable
  exit
exit
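The cluster block above permits VRRP to the router itself from the LAN and WAN zones, but only the SYNC bridge carries VRRP MD5 authentication. Without authentication, any host on the LAN or WAN segment can send a higher-priority advertisement and take over the virtual address. The following is an added example, not code from the page or from Eltex: a Python audit that parses a constructed ESR-style configuration excerpt (modelled on the block above) and reports VRRP-enabled interfaces that lack key plus MD5 algorithm, and enabled permit rules in a "zone self" pair that are not restricted to an allow-list of protocols. The sample text, the stanza parser and the allow-list are assumptions about the CLI syntax as it appears on this page.

```python
"""Audit an Eltex ESR-style cluster configuration for VRRP weaknesses.

Added example, not code from the page or from Eltex. SAMPLE_CONFIG is a
constructed excerpt modelled on the cluster block above; the stanza layout
and the allow-list are assumptions about the CLI syntax shown on the page.
"""

SAMPLE_CONFIG = """\
bridge 1
  security-zone SYNC
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3
  security-zone WAN
  vrrp id 3
  vrrp ip 203.0.113.1/30
  vrrp
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    enable
  exit
exit
"""

# What a router in this design legitimately accepts on its own addresses:
# VRRP advertisements, AH (VRRP MD5 authentication) and ICMP.
ALLOWED_TO_SELF = frozenset({"vrrp", "ah", "icmp"})

def parse_stanzas(text):
    """Split the config into top-level stanzas: [(header, [indented lines])]."""
    stanzas, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):            # body line of the current stanza
            if current is not None:
                current[1].append(raw)
        elif raw.strip() == "exit":        # top-level exit closes the stanza
            current = None
        else:                              # a new top-level stanza header
            current = (raw.strip(), [])
            stanzas.append(current)
    return stanzas

def vrrp_without_auth(stanzas):
    """Interfaces/bridges with VRRP enabled but no key plus MD5 algorithm."""
    findings = []
    for header, body in stanzas:
        if not header.startswith(("interface ", "bridge ")):
            continue
        lines = [l.strip() for l in body]
        if "vrrp" not in lines:            # bare 'vrrp' is the enable command
            continue
        zone = next((l.split()[1] for l in lines if l.startswith("security-zone ")), None)
        has_key = any(l.startswith("vrrp authentication key") for l in lines)
        has_md5 = "vrrp authentication algorithm md5" in lines
        if not (has_key and has_md5):
            findings.append((header, zone))
    return findings

def split_rules(body):
    """Group the indented lines of a zone-pair stanza by 'rule N'."""
    rules, current = {}, None
    for raw in body:
        line = raw.strip()
        if line.startswith("rule "):
            current = int(line.split()[1])
            rules[current] = []
        elif line == "exit":
            current = None
        elif current is not None:
            rules[current].append(line)
    return rules

def permissive_self_rules(stanzas, allowed=ALLOWED_TO_SELF):
    """Enabled permit rules in '<zone> self' pairs not limited to the allow-list;
    a rule with no 'match protocol' at all is 'permit anything to the router'."""
    findings = []
    for header, body in stanzas:
        parts = header.split()
        if parts[:2] != ["security", "zone-pair"] or parts[-1] != "self":
            continue
        for num, lines in split_rules(body).items():
            if "action permit" not in lines or "enable" not in lines:
                continue
            protos = {l.split()[2] for l in lines if l.startswith("match protocol ")}
            if not protos or not protos <= allowed:
                findings.append((parts[2], num, sorted(protos)))
    return findings

if __name__ == "__main__":
    stanzas = parse_stanzas(SAMPLE_CONFIG)
    print("VRRP without MD5 authentication:", vrrp_without_auth(stanzas))
    print("over-permissive 'self' rules:", permissive_self_rules(stanzas))
```

Run against a saved "show running-config" instead of SAMPLE_CONFIG to check a real pair of units; for the BGP example later on the page, add "tcp" to the allow-list only when the rule also carries "match destination-port" for the BGP object group.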

...

  • provide public access to a server that is located in a private network and has no public network address;
  • the server is reachable at 192.0.2.10/24;

Destination NAT implementation scheme

...

Code block
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cca2:9d00:a200:7110:83c0:7800
  exit
  unit 2
    mac-address cca2:9d00:a200:7110:82d0:3800
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 128.66.0.2/30
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp
exit
interface gigabitethernet 1/0/3
  security-zone WAN
  ip address 128.66.0.6/30
  vrrp id 3
  vrrp ip 203.0.113.1/30
  vrrp group 1
  vrrp
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 128.66.0.1/30
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp
exit
interface gigabitethernet 2/0/3
  security-zone WAN
  ip address 128.66.0.5/30
  vrrp id 3
  vrrp ip 203.0.113.1/30
  vrrp group 1
  vrrp
exit



security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

...

Code block: ESR-1
ESR-1(config)# nat destination 
ESR-1(config-dnat)# pool DMZ
ESR-1(config-dnat-pool)# ip address 192.0.2.10
ESR-1(config-dnat-pool)# exit

...

Code block: ESR-1
ESR-1# show ip nat translations 
Prot   Inside source           Inside destination      Outside source          Outside destination     Pkts         Bytes        
----   ---------------------   ---------------------   ---------------------   ---------------------   ----------   ----------   
tcp    203.0.113.1:41296       192.0.2.10:22           203.0.113.1:41296       203.0.113.2:22          --           --           

...

Code block: ESR-1
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cca2:9d00:a200:7110:83c0:7800
  exit
  unit 2
    mac-address cca2:9d00:a200:7110:82d0:3800
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 1/0/3
  security-zone WAN
  ip address 128.66.0.2/30
  vrrp id 4
  vrrp ip 203.0.113.1/30
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp id 2
  vrrp ip 192.0.2.1/24
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit
interface gigabitethernet 2/0/3
  security-zone WAN
  ip address 128.66.0.1/30
  vrrp id 4
  vrrp ip 203.0.113.1/30
  vrrp group 1
  vrrp authentication key ascii-text encrypted 88B11079B51D
  vrrp authentication algorithm md5
  vrrp
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

Solution:

Configure the required network interfaces:

Code block
ESR-1(config)# interface gigabitethernet 1/0/1
ESR-1(config-if-gi)# ip address 203.0.113.254/24
ESR-1(config-if-gi)# exit
ESR-1(config)# interface gigabitethernet 2/0/1
ESR-1(config-if-gi)# ip address 203.0.113.253/24
ESR-1(config-if-gi)# exit

Configure the WAN security zone, set up the firewall so that the router accepts BGP traffic from the WAN security zone, and permit traffic from the LAN zone into the WAN zone. Because the VRRP address is configured on the WAN-facing interfaces, the "WAN self" pair must also accept VRRP, and AH as well, since VRRP MD5 authentication is carried in an IP Authentication Header. The BGP rule is deliberately limited to TCP port 179 (object group og_bgp) rather than permitting any protocol to the router itself:

Code block
ESR-1(config)# object-group service og_bgp
ESR-1(config-object-group-service)# port-range 179
ESR-1(config-object-group-service)# exit
ESR-1(config)# security zone WAN
ESR-1(config-security-zone)# exit
ESR-1(config)# security zone-pair WAN self 
ESR-1(config-security-zone-pair)# rule 1
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol vrrp
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# rule 2
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol ah
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# rule 3
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol icmp
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# rule 4
ESR-1(config-security-zone-pair-rule)# match protocol tcp
ESR-1(config-security-zone-pair-rule)# match destination-port object-group og_bgp
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# exit
ESR-1(config)# security zone-pair LAN WAN
ESR-1(config-security-zone-pair)# rule 1
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# exit

Assign the interfaces to the security zone:

Code block
ESR-1(config)# interface gigabitethernet 1/0/1
ESR-1(config-if-gi)# security-zone WAN
ESR-1(config-if-gi)# exit
ESR-1(config)# interface gigabitethernet 2/0/1
ESR-1(config-if-gi)# security-zone WAN
ESR-1(config-if-gi)# exit

Configure the VRRP address on the interfaces from which the BGP neighbourship will be built:

Code block
ESR-1(config)# interface gigabitethernet 1/0/1
ESR-1(config-if-gi)# vrrp id 4
ESR-1(config-if-gi)# vrrp ip 203.0.113.1/24
ESR-1(config-if-gi)# vrrp group 1
ESR-1(config-if-gi)# vrrp authentication key ascii-text encrypted 88B11079B51D
ESR-1(config-if-gi)# vrrp authentication algorithm md5
ESR-1(config-if-gi)# vrrp
ESR-1(config-if-gi)# exit
ESR-1(config)# interface gigabitethernet 2/0/1
ESR-1(config-if-gi)# vrrp id 4
ESR-1(config-if-gi)# vrrp ip 203.0.113.1/24
ESR-1(config-if-gi)# vrrp group 1
ESR-1(config-if-gi)# vrrp authentication key ascii-text encrypted 88B11079B51D
ESR-1(config-if-gi)# vrrp authentication algorithm md5
ESR-1(config-if-gi)# vrrp
ESR-1(config-if-gi)# exit

Create a route-map that will later be used to control which announcements are sent to the routers in the other AS. In the route-map, deny announcing the cluster-interface subnet:

Code block
ESR-1(config)# route-map bgp-out
ESR-1(config-route-map)# rule 1
ESR-1(config-route-map-rule)# match ip address 198.51.100.0/24
ESR-1(config-route-map-rule)# action deny
ESR-1(config-route-map-rule)# exit
ESR-1(config-route-map)# rule 2
ESR-1(config-route-map-rule)# action permit
ESR-1(config-route-map-rule)# exit
ESR-1(config-route-map)# exit

Create a BGP process for AS 64500 and enter its configuration mode:

Code block
ESR-1(config)# router bgp 64500

Configure announcement of the directly connected subnets:

Code block
ESR-1(config-bgp)# address-family ipv4 unicast 
ESR-1(config-bgp-af)# redistribute connected 
ESR-1(config-bgp-af)# exit

Create an eBGP session with the upstream router. The session is sourced from the VRRP address, so the upstream sees the same peer regardless of which unit is Active:

Code block
ESR-1(config-bgp)# neighbor 203.0.113.2
ESR-1(config-bgp-neighbor)# remote-as 64501
ESR-1(config-bgp-neighbor)# update-source 203.0.113.1

And enable the exchange of IPv4 routes:

Code block
ESR-1(config-bgp-neighbor)# address-family ipv4 unicast
ESR-1(config-bgp-neighbor-af)# route-map bgp-out out
ESR-1(config-bgp-neighbor-af)# enable
ESR-1(config-bgp-neighbor-af)# exit

Enable the protocol:

Code block
ESR-1(config-bgp-neighbor)# enable
ESR-1(config-bgp-neighbor)# exit
ESR-1(config-bgp)# enable
ESR-1(config-bgp)# exit

Apply the configuration on the Active device.

Information about BGP peers can be viewed with the show bgp neighbors command:

Code block
ESR-1# show bgp neighbors 
BGP neighbor is 203.0.113.2
    BGP state:                          Established
    Type:                               Static neighbor
    Neighbor address:                   203.0.113.2
    Neighbor AS:                        64501
    Neighbor ID:                        203.0.113.2
    Neighbor caps:                      refresh enhanced-refresh restart-aware AS4
    Session:                            external AS4
    Source address:                     203.0.113.1
    Weight:                             0
    Hold timer:                         124/180
    Keepalive timer:                    27/60
    RR client:                          No
    Address family ipv4 unicast:       
      Send-label:                       No
      Default originate:                No
      Default information originate:    No
      Outgoing route-map:               bgp-out
      Preference:                       170
      Remove private AS:                No
      Next-hop self:                    No
      Next-hop unchanged:               No
      Uptime (d,h:m:s):                 00,00:03:13

On the Standby device the session cannot come up, because the VRRP address it is sourced from is not present there:

Code block
ESR-2# show bgp neighbors 
BGP neighbor is 203.0.113.2
    BGP state:                          Active
    Type:                               Static neighbor
    Neighbor address:                   203.0.113.2
    Neighbor AS:                        64501
    Connect delay:                      2/5
    Last error:                         Socket: Network is unreachable
The routes advertised to the neighbor can be viewed with the command (note that the cluster subnet 198.51.100.0/24 is absent, as required by the bgp-out route-map):

Code block
ESR-1# show bgp ipv4 unicast neighbor 203.0.113.2 advertise-routes 
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
              * - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network              Next Hop             Metric  LocPrf      Weight Path        
*> u 192.0.2.0/24         203.0.113.2          --      --          --     64500 ?
*> u 128.66.0.0/30        203.0.113.2          --      --          --     64500 ?
*> u 203.0.113.0/30       203.0.113.2          --      --          --     64500 ?

The routes received from the neighbor can be viewed with the command:

Code block
ESR-1# show bgp ipv4 unicast neighbor 203.0.113.2 routes 
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
              * - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network              Next Hop             Metric  LocPrf      Weight Path        
*> u 0.0.0.0/0            203.0.113.2          --      100         0      64501 ?
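After applying the configuration, an operator wants two answers from the show output: is exactly one unit Established (the Standby is expected to sit in the Active state with "Socket: Network is unreachable" because the VRRP address is not present on it, while two Established sessions would mean both units answer on the virtual address), and does the advertised set leak the cluster-interface subnet that bgp-out is meant to suppress. The following is an added example, not code from the page or from Eltex: a Python check over constructed excerpts of the "show bgp neighbors" and "advertise-routes" output shown above. The excerpts are constructed for the example (the cluster subnet is deliberately included in ADVERTISED so the leak check has something to report); field names follow the page.

```python
"""Sanity-check the BGP state of an ESR VRRP cluster from 'show' output.

Added example, not from the page or from Eltex. The three excerpts are
constructed from the sample output above; ADVERTISED deliberately contains
the cluster subnet so that the leak check has something to report.
"""
import ipaddress
import re

ACTIVE_UNIT = """\
ESR-1# show bgp neighbors
BGP neighbor is 203.0.113.2
    BGP state:                          Established
    Type:                               Static neighbor
    Neighbor address:                   203.0.113.2
    Neighbor AS:                        64501
    Source address:                     203.0.113.1
"""

STANDBY_UNIT = """\
ESR-2# show bgp neighbors
BGP neighbor is 203.0.113.2
    BGP state:                          Active
    Type:                               Static neighbor
    Neighbor address:                   203.0.113.2
    Neighbor AS:                        64501
    Connect delay:                      2/5
    Last error:                         Socket: Network is unreachable
"""

ADVERTISED = """\
     Network              Next Hop             Metric  LocPrf      Weight Path
*> u 192.0.2.0/24         203.0.113.1          --      --          --     64500 ?
*> u 198.51.100.0/24      203.0.113.1          --      --          --     64500 ?
"""

CLUSTER_SUBNET = "198.51.100.0/24"   # cluster-interface (bridge 1) network

def parse_neighbors(text):
    """Return {neighbor: {field: value}} from 'show bgp neighbors' output."""
    neighbors, current = {}, None
    for line in text.splitlines():
        m = re.match(r"BGP neighbor is (\S+)", line)
        if m:
            current = neighbors.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s+([^:]+):\s+(.*\S)", line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2)
    return neighbors

def cluster_session_status(*unit_outputs):
    """'ok' when exactly one unit is Established, 'down' when none is,
    'split-brain' when more than one is (both units answer on the VRRP IP)."""
    states = [n.get("BGP state") for out in unit_outputs
              for n in parse_neighbors(out).values()]
    established = states.count("Established")
    if established == 1:
        return "ok"
    return "down" if established == 0 else "split-brain"

def standby_unreachable(out):
    """True when the unit's session is down because the socket has no route,
    which is the expected state for the Standby (VRRP IP not present)."""
    return any(n.get("BGP state") != "Established"
               and "unreachable" in n.get("Last error", "")
               for n in parse_neighbors(out).values())

def leaked_prefixes(advertise_out, forbidden=CLUSTER_SUBNET):
    """Prefixes in 'advertise-routes' output that overlap the forbidden net."""
    bad = ipaddress.ip_network(forbidden)
    rows = re.findall(r"^\*>?\s+u\s+(\S+)", advertise_out, re.MULTILINE)
    return [p for p in rows if ipaddress.ip_network(p).overlaps(bad)]

if __name__ == "__main__":
    print("cluster:", cluster_session_status(ACTIVE_UNIT, STANDBY_UNIT))
    print("standby waiting for VRRP IP:", standby_unreachable(STANDBY_UNIT))
    print("leaked:", leaked_prefixes(ADVERTISED))
```

Feed it the real output of both units (for example collected over SSH on a schedule) and alert on anything other than "ok" with an empty leak list; a "split-brain" result is the signal to inspect VRRP on the WAN segment before the upstream starts flapping.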


Note

If the Active device fails, BGP is re-established from scratch on the Standby device: as the ESR-2 output above shows, the Standby cannot open the session in advance, because the VRRP address is not present on it until it takes over.

...