Version comparison

Comment: Added "Port-channel U/N configuration" to "Cluster management"

...

Note

For the system prompt to work correctly, the user session must be restarted.

Port-channel U/N configuration

Port-channel U/N allows link aggregation groups to be created for a specific device within the cluster (a unit), which keeps the cluster configuration uniform while still allowing aggregation to be configured individually on each unit.

Port-channel configuration options, including the available parameters and command syntax, are described in the section Router interface types and naming conventions.

Configuration example

Task:

Configure port-channel U/N in a cluster of ESR-1 and ESR-2 routers so that Control Plane traffic is carried over an aggregated interface.

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit
 
hostname ESR-1 unit 1
hostname ESR-2 unit 2
 
security zone SYNC
exit
 
bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit
 
interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
 
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

Create a separate aggregated interface for each unit:

ESR-1(config)# interface port-channel 1/1
ESR-1(config-if-port-channel)# mode switchport
ESR-1(config-if-port-channel)# description Control-Plane
ESR-1(config-if-port-channel)# exit
ESR-1(config)# interface port-channel 2/1
ESR-1(config-if-port-channel)# mode switchport
ESR-1(config-if-port-channel)# description Control-Plane
ESR-1(config-if-port-channel)# exit

Add the member links to the aggregated interfaces that carry the cluster Control Plane, then apply the configuration:

ESR-1(config)# interface gigabitethernet 1/0/1
ESR-1(config-if-gi)# channel-group 1 mode auto
ESR-1(config-if-gi)# exit
ESR-1(config)# interface gigabitethernet 2/0/1
ESR-1(config-if-gi)# channel-group 1 mode auto
ESR-1(config-if-gi)# exit
ESR-1# commit
Configuration has been successfully applied and saved to flash. Commit timer started, changes will be.
ESR-1# confirm
Configuration has been confirmed. Commit timer canceled.

The operational state of a port-channel can be checked with the following command:

ESR-1# show interfaces status port-channel 1/1
	Interface 'po1/1' status information:
	Description:          Control-Plane
	Operational state:    Up
	Administrative state: Up
	Track ID:             --
	Supports broadcast:   Yes
	Supports multicast:   Yes
	MTU:                  1500
	MAC address:          a8:f9:4b:ad:07:f9
	Last change (d,h:m:s):00,00:12:59
	Mode:                 switchport
ESR-1# show interfaces status port-channel 2/1
	Interface 'po2/1' status information:
	Description:          Control-Plane
	Operational state:    Up
	Administrative state: Up
	Track ID:             --
	Supports broadcast:   Yes
	Supports multicast:   Yes
	MTU:                  1500
	MAC address:          a8:f9:4b:ac:e8:9d
	Last change (d,h:m:s):00,00:12:59
	Mode:                 switchport
Note

The per-unit aggregated interface for Control Plane traffic is shown as an example; the same approach can be used to carry Data Plane traffic.
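As an added example (not from the page and not Eltex's own tooling), the following Python script parses an ESR-style configuration like the one above and checks the invariants the port-channel U/N procedure relies on: every port-channel U/N is in switchport mode, every member link's channel-group refers to a port-channel that exists on that link's own unit, and every unit declared in the cluster block ends up with at least one member link in an aggregated interface. The configuration embedded in the script is constructed from the page's initial configuration and the commands above.

```python
import re

# Constructed sample for this added example (not the page's own tooling): the
# page's initial cluster configuration merged with the port-channel 1/1 and
# 2/1 commands from the procedure, abridged to the blocks the checks read.
SAMPLE_CONFIG = """\
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit
interface port-channel 1/1
  mode switchport
  description Control-Plane
exit
interface port-channel 2/1
  mode switchport
  description Control-Plane
exit
interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
  channel-group 1 mode auto
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
  channel-group 1 mode auto
exit
"""


class Node:
    """One configuration line plus the lines nested under it."""

    def __init__(self, cmd):
        self.cmd, self.children = cmd, []


def parse_config(text):
    """Build a tree from ESR-style config (two-space indent, 'exit' closes a block)."""
    stack = [Node("")]                       # stack[0] is the root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // 2
        node = Node(line)
        del stack[depth + 1:]                # climb back to this line's parent
        stack[-1].children.append(node)
        stack.append(node)
    return stack[0]


PO_RE = re.compile(r"^interface port-channel (\d+)/(\d+)$")
GI_RE = re.compile(r"^interface gigabitethernet (\d+)/\d+/\d+$")
CG_RE = re.compile(r"^channel-group (\d+) mode ")


def check_port_channels(root):
    """Problems with the per-unit (U/N) aggregation layout; [] means consistent."""
    problems, members = [], {}               # members: (unit, N) -> member link count
    units = {c.cmd.split()[1] for n in root.children if n.cmd == "cluster"
             for c in n.children if c.cmd.startswith("unit ")}
    for n in root.children:
        m = PO_RE.match(n.cmd)
        if m:
            members[m.groups()] = 0
            if "mode switchport" not in [c.cmd for c in n.children]:
                problems.append(f"{n.cmd}: not in switchport mode")
    for n in root.children:
        m = GI_RE.match(n.cmd)
        cgs = [CG_RE.match(c.cmd) for c in n.children] if m else []
        for cg in filter(None, cgs):
            key = (m.group(1), cg.group(1))  # a link can only join its own unit's po
            if key in members:
                members[key] += 1
            else:
                problems.append(f"{n.cmd}: channel-group {key[1]} has no port-channel {key[0]}/{key[1]}")
    for u in sorted(units):
        if not any(k[0] == u and cnt for k, cnt in members.items()):
            problems.append(f"unit {u}: no port-channel with member links")
    return problems


if __name__ == "__main__":
    print(check_port_channels(parse_config(SAMPLE_CONFIG)) or "port-channel U/N layout OK")
```

A non-empty problem list means the per-unit layout does not match what the procedure above expects, for example a member link placed in a channel-group whose port-channel was created on the other unit.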

MultiWAN configuration

MultiWAN provides a fault-tolerant connection with redundant links from several providers.

The MultiWAN configuration algorithm is described in the section MultiWAN configuration algorithm.

Configuration example

Task:

Configure MultiWAN in a cluster of ESR-1 and ESR-2 routers with the following parameters:

...

MultiWAN implementation diagram

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2.3
  security-zone WAN
  ip address 128.66.0.6/30
  vrrp 3
    ip address 128.66.0.2/30
    group 1
    enable
  exit
exit
interface gigabitethernet 1/0/2.4
  security-zone WAN
  ip address 128.66.0.10/30
  vrrp 4
    ip address 128.66.0.14/30
    group 1
    enable
  exit
exit
interface gigabitethernet 1/0/3
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit 
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2.3
  security-zone WAN
  ip address 128.66.0.5/30
  vrrp 3
    ip address 128.66.0.2/30
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/2.4
  security-zone WAN
  ip address 128.66.0.9/30
  vrrp 4
    ip address 128.66.0.14/30
    group 1
    enable
  exit
exit 
interface gigabitethernet 2/0/3
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit 

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

...

The Route-based IPsec VPN configuration algorithm is described in the section Route-based IPsec VPN configuration algorithm.

Task:
  • Configure an IPsec tunnel. The tunnel must be established between the following addresses: cluster side 203.0.113.2 (VIP address), remote side 203.0.113.6;
  • IKE:

    • Diffie-Hellman group: 2;
    • encryption algorithm: AES 128 bit;
    • authentication algorithm: MD5.
  • IPsec:

    • encryption algorithm: AES 128 bit;
    • authentication algorithm: MD5.

...

Route-based IPsec VPN implementation diagram

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone WAN
exit
security zone LAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone WAN
  ip address 128.66.0.2/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit 
interface gigabitethernet 1/0/3
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit 
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone WAN
  ip address 128.66.0.1/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit 
interface gigabitethernet 2/0/3
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit 

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

...

The Policy-based IPsec VPN configuration algorithm is described in the section Policy-based IPsec VPN configuration algorithm.

Task:
  • Configure an IPsec tunnel. The tunnel must be established between the following addresses: cluster side 203.0.113.2 (VIP address), remote side 203.0.113.6. The tunnel is needed to provide access between the client subnets 192.0.2.0/24 and 128.66.1.0/24;
  • IKE:

    • Diffie-Hellman group: 2;
    • encryption algorithm: AES 128 bit;
    • authentication algorithm: MD5.
  • IPsec:

    • encryption algorithm: AES 128 bit;
    • authentication algorithm: MD5.

...

Policy-based IPsec VPN implementation diagram

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone WAN
exit
security zone LAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone WAN
  ip address 128.66.0.2/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit 
interface gigabitethernet 1/0/3
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit 
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone WAN
  ip address 128.66.0.1/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit 
interface gigabitethernet 2/0/3
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit 

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

...

Firewall failover configuration example

Task:

Configure firewall failover in a cluster of ESR-1 and ESR-2 routers with the following parameters:

...

Firewall failover implementation diagram

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address cc:9d:a2:71:83:78
  exit
  unit 2
    mac-address cc:9d:a2:71:82:38
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone WAN
exit
security zone LAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone WAN
  ip address 128.66.0.6/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit 
interface gigabitethernet 1/0/3
  security-zone LAN
  ip address 128.66.0.2/30
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit 
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone WAN
  ip address 128.66.0.5/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit 
interface gigabitethernet 2/0/3
  security-zone LAN
  ip address 128.66.0.1/30
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit 

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN WAN
  rule 1
    action permit
    enable
  exit
exit

ip route 0.0.0.0/0 203.0.113.1

...

Example: several firewall failover instances, each in its own VRF

Task:

Configure several firewall failover instances in a cluster of ESR-1 and ESR-2 routers, each in its own VRF, with the following parameters:

...

Implementation diagram: firewall failover in several VRFs

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address a2:00:00:10:c0:00
  exit
  unit 2
    mac-address a2:00:00:10:d0:00
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

ip vrf PAIR_ONE
exit
ip vrf PAIR_TWO
exit

security zone SYNC
exit
security zone LAN_ONE
  ip vrf forwarding PAIR_ONE
exit
security zone LAN_TWO
  ip vrf forwarding PAIR_TWO
exit
security zone WAN_ONE
  ip vrf forwarding PAIR_ONE
exit
security zone WAN_TWO
  ip vrf forwarding PAIR_TWO
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
exit
interface gigabitethernet 1/0/2.2
  ip vrf forwarding PAIR_ONE
  security-zone LAN_ONE
  ip address 203.0.113.18/30
  vrrp 4
    ip address 192.0.2.1/24
    priority 120
    group 2
    enable
  exit
exit 
interface gigabitethernet 1/0/2.3
  ip vrf forwarding PAIR_TWO
  security-zone LAN_TWO
  ip address 203.0.113.22/30
  vrrp 5
    ip address 128.66.0.1/24
    priority 110
    group 3
    enable
  exit
exit 
interface gigabitethernet 1/0/3.2
  ip vrf forwarding PAIR_ONE
  security-zone WAN_ONE
  ip address 203.0.113.10/30
  vrrp 2
    ip address 203.0.113.2/30
    group 2
    enable
  exit
exit 
interface gigabitethernet 1/0/3.3
  ip vrf forwarding PAIR_TWO
  security-zone WAN_TWO
  ip address 203.0.113.14/30
  vrrp 3
    ip address 203.0.113.6/30
    group 3
    enable
  exit
exit 
interface gigabitethernet 2/0/1
  mode switchport
exit
interface gigabitethernet 2/0/2.2
  ip vrf forwarding PAIR_ONE
  security-zone LAN_ONE
  ip address 203.0.113.17/30
  vrrp 4
    ip address 192.0.2.1/24
    priority 110
    group 2
    enable
  exit
exit
interface gigabitethernet 2/0/2.3
  ip vrf forwarding PAIR_TWO
  security-zone LAN_TWO
  ip address 203.0.113.21/30
  vrrp 5
    ip address 128.66.0.1/24
    priority 120
    group 3
    enable
  exit
exit 
interface gigabitethernet 2/0/3.2
  ip vrf forwarding PAIR_ONE
  security-zone WAN_ONE
  ip address 203.0.113.9/30
  vrrp 2
    ip address 203.0.113.2/30
    group 2
    enable
  exit
exit
interface gigabitethernet 2/0/3.3
  ip vrf forwarding PAIR_TWO
  security-zone WAN_TWO
  ip address 203.0.113.13/30
  vrrp 3
    ip address 203.0.113.6/30
    group 3
    enable
  exit
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN_ONE self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN_TWO self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair WAN_ONE self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair WAN_TWO self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN_ONE WAN_ONE
  rule 1
    action permit
    enable
  exit
exit
security zone-pair LAN_TWO WAN_TWO
  rule 1
    action permit
    enable
  exit
exit

...

The DHCP failover configuration algorithm is described in the section DHCP failover configuration algorithm.

Configuration example

Task:

Configure DHCP failover in a cluster of ESR-1 and ESR-2 routers with the following parameters:

...

DHCP failover implementation diagram

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address a2:00:00:10:c0:00
  exit
  unit 2
    mac-address a2:00:00:10:d0:00
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

object-group service DHCP_SERVER
  port-range 67
exit
object-group service DHCP_CLIENT
  port-range 68
exit

security zone SYNC
exit
security zone LAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/3
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/3
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port object-group DHCP_CLIENT
    match destination-port object-group DHCP_SERVER
    enable
  exit
exit

ip dhcp-server
ip dhcp-server pool TRUSTED
  network 192.0.2.0/24
  address-range 192.0.2.10-192.0.2.100
  default-router 192.0.2.1
exit

...

Example: several DHCP failover instances, each in its own VRF

Task:

Configure two DHCP failover instances, each in its own VRF, in a cluster of ESR-1 and ESR-2 routers with the following parameters:

...

Implementation diagram: DHCP failover in several VRFs

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address a2:00:00:10:c0:00
  exit
  unit 2
    mac-address a2:00:00:10:d0:00
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

object-group service DHCP_SERVER
  port-range 67
exit
object-group service DHCP_CLIENT
  port-range 68
exit

ip vrf LAN_ONE
exit
ip vrf LAN_TWO
exit

security zone SYNC
exit
security zone LAN_ONE
  ip vrf forwarding LAN_ONE
exit
security zone LAN_TWO
  ip vrf forwarding LAN_TWO
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
exit
interface gigabitethernet 1/0/2.2
  ip vrf forwarding LAN_ONE
  security-zone LAN_ONE
  ip address 192.0.2.254/24
  vrrp 4
    ip address 192.0.2.1/24
    priority 120
    group 2
    enable
  exit
exit
interface gigabitethernet 1/0/2.3
  ip vrf forwarding LAN_TWO
  security-zone LAN_TWO
  ip address 128.66.0.254/24
  vrrp 5
    ip address 128.66.0.1/24
    priority 110
    group 3
    enable
  exit
exit
interface gigabitethernet 2/0/1
  mode switchport
exit
interface gigabitethernet 2/0/2.2
  ip vrf forwarding LAN_ONE
  security-zone LAN_ONE
  ip address 192.0.2.253/24
  vrrp 4
    ip address 192.0.2.1/24
    priority 110
    group 2
    enable
  exit
exit
interface gigabitethernet 2/0/2.3
  ip vrf forwarding LAN_TWO
  security-zone LAN_TWO
  ip address 128.66.0.253/24
  vrrp 5
    ip address 128.66.0.1/24
    priority 120
    group 3
    enable
  exit
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN_ONE self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port object-group DHCP_CLIENT
    match destination-port object-group DHCP_SERVER
    enable
  exit
exit
security zone-pair LAN_TWO self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port object-group DHCP_CLIENT
    match destination-port object-group DHCP_SERVER
    enable
  exit
exit

ip dhcp-server vrf LAN_ONE
ip dhcp-server pool LAN_ONE vrf LAN_ONE
  network 192.0.2.0/24
  address-range 192.0.2.10-192.0.2.253
  default-router 192.0.2.1
exit
ip dhcp-server vrf LAN_TWO
ip dhcp-server pool LAN_TWO vrf LAN_TWO
  network 128.66.0.0/24
  address-range 128.66.0.10-128.66.0.253
  default-router 128.66.0.1
exit

...

A detailed SNMP configuration algorithm is described in the section SNMP server configuration and sending SNMP TRAPs.

Configuration example

SNMP implementation diagram

Task:
  • provide network monitoring through the management interface of each device in the cluster;
  • provide network state monitoring and the ability to change the configuration of the device acting as VRRP Master;
  • the management station (MGMT) is reachable at IP address 192.0.2.10.
Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address a2:00:00:10:c0:00
  exit
  unit 2
    mac-address a2:00:00:10:d0:00
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone MGMT
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone MGMT
  ip address 192.0.2.254/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone MGMT
  ip address 192.0.2.253/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair MGMT self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

...

The Source NAT configuration algorithm is described in the section Source NAT configuration algorithm.

Configuration example

Task:
  • provide Internet access to hosts on the local network;
  • client subnet: 192.0.2.0/24;
  • public IP address: the VIP address on the interface.

...

Source NAT implementation diagram

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address a2:00:00:10:c0:00
  exit
  unit 2
    mac-address a2:00:00:10:d0:00
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone WAN
  ip address 128.66.0.6/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit
interface gigabitethernet 1/0/3
  security-zone LAN
  ip address 128.66.0.2/30
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone WAN
  ip address 128.66.0.5/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/3
  security-zone LAN
  ip address 128.66.0.1/30
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN WAN
  rule 1
    action permit
    enable
  exit
exit

...

The Destination NAT configuration algorithm is described in the section DNAT configuration algorithm.

Configuration example

Task:
  • provide public access to a server located on a private network that has no public network address;
  • the server is reachable at: 192.0.2.10/24;

...

Destination NAT implementation diagram

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address a2:00:00:10:c0:00
  exit
  unit 2
    mac-address a2:00:00:10:d0:00
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone WAN
  ip address 128.66.0.6/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit
interface gigabitethernet 1/0/3
  security-zone LAN
  ip address 128.66.0.2/30
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone WAN
  ip address 128.66.0.5/30
  vrrp 3
    ip address 203.0.113.2/30
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/3
  security-zone LAN
  ip address 128.66.0.1/30
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

...

Configuration example: eBGP with a shared IP address

Task:

Configure BGP in a cluster of ESR-1 and ESR-2 routers with the following parameters:

...

Implementation diagram: eBGP with a shared IP address

Initial cluster configuration:
cluster
  cluster-interface bridge 1
  unit 1
    mac-address a2:00:00:10:c0:00
  exit
  unit 2
    mac-address a2:00:00:10:d0:00
  exit
  enable
exit

hostname ESR-1 unit 1
hostname ESR-2 unit 2

security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp 1
    ip address 198.51.100.1/24
    group 1
    authentication key ascii-text encrypted 88B11079B51D
    authentication algorithm md5
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.254/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit
interface gigabitethernet 1/0/3
  security-zone WAN
  ip address 128.66.0.2/30
  vrrp 3
    ip address 203.0.113.1/30
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/1
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 192.0.2.253/24
  vrrp 2
    ip address 192.0.2.1/24
    group 1
    enable
  exit
exit
interface gigabitethernet 2/0/3
  security-zone WAN
  ip address 128.66.0.1/30
  vrrp 3
    ip address 203.0.113.1/30
    group 1
    enable
  exit
exit

security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol ah
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit

...

Configuration example: eBGP with each cluster member using its own IP address

Task:

Configure BGP in a cluster of ESR-1 and ESR-2 routers with the following parameters:

...

Configuration example: DMVPN Single Hub Dual Cloud scheme in a cluster

Task:

Set up DMVPN between company offices using mGRE tunnels, NHRP (Next Hop Resolution Protocol), a dynamic routing protocol (BGP) and IPsec. In this example there is a HUB router, which runs in a cluster, and two branch offices. The HUB is the DMVPN server (NHS); the branches are DMVPN clients (NHC).

...