...
| Блок кода | ||
|---|---|---|
| ||
ESR-2# show ip firewall sessions failover external vrf PAIR_ONE
Codes: E - expected, U - unreplied,
A - assured, C - confirmed
Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
tcp 0 192.0.2.10:47406 203.0.113.1:22 203.0.113.1:22 192.0.2.10:47406 -- -- AC
ESR-2# show ip firewall sessions failover internal vrf PAIR_ONE
ESR-2# show ip firewall sessions failover external vrf PAIR_TWO
ESR-2# show ip firewall sessions failover internal vrf PAIR_TWO
Codes: E - expected, U - unreplied,
A - assured, C - confirmed
Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
tcp 0 128.66.0.10:59108 203.0.113.5:22 203.0.113.5:22 128.66.0.10:59108 -- -- AC |
Пример настройки firewall failover для кластера из 3-х юнитов
Задача:
Настроить firewall failover в кластере маршрутизаторов ESR-1 и ESR-2 со следующими параметрами:
- режим резервирования сессий unicast;
- номер UDP-порта службы резервирования 9999;
- клиентская подсеть: 192.0.2.0/24.
Схема реализации Firewall failover для кластера из 3-х юнитов
Исходная конфигурация кластера:
| Блок кода | ||
|---|---|---|
| ||
cluster
cluster-interface bridge 1
unit 1
mac-address cc:9d:a2:71:83:78
exit
unit 2
mac-address cc:9d:a2:71:82:38
exit
unit 3
mac-address 68:13:e2:e2:05:28
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
hostname ESR-3 unit 3
security zone SYNC
exit
security zone WAN
exit
security zone LAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
ip address 198.51.100.252/24 unit 3
vrrp 1
ip address 198.51.100.1/24
priority 113 unit 1
priority 112 unit 2
priority 111 unit 3
group 1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/2
security-zone WAN
ip address 128.66.0.12/29
vrrp 3
ip address 203.0.113.2/30
group 1
enable
exit
exit
interface gigabitethernet 1/0/3
security-zone LAN
ip address 128.66.0.4/29
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone WAN
ip address 128.66.0.13/29
vrrp 3
ip address 203.0.113.2/30
group 1
enable
exit
exit
interface gigabitethernet 2/0/3
security-zone LAN
ip address 128.66.0.5/29
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 3/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 3/0/2
security-zone WAN
ip address 128.66.0.14/29
vrrp 3
ip address 203.0.113.2/30
group 1
enable
exit
exit
interface gigabitethernet 3/0/3
security-zone LAN
ip address 128.66.0.6/29
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair WAN self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair LAN WAN
rule 1
action permit
enable
exit
exit
ip route 0.0.0.0/0 203.0.113.1 |
Решение:
Сконфигурируем object-group для настройки failover-сервисов:
| Блок кода | ||
|---|---|---|
| ||
ESR-1(config)# object-group network SYNC_SRC
ESR-1(config-object-group-network)# ip address-range 198.51.100.254 unit 1
ESR-1(config-object-group-network)# ip address-range 198.51.100.253 unit 2
ESR-1(config-object-group-network)# ip address-range 198.51.100.252 unit 3
ESR-1(config-object-group-network)# exit |
Перейдем к настройке общих параметров для failover-сервисов, а именно к выбору: IP-адреса с которого будут отправляться сообщения для синхронизации, multicast группу и multicast IP-адрес на который будут отправляться сообщения для синхронизации и VRRP-группу, на основе которой определяется состояние (основной/резервный) маршрутизатора при работе failover-сервисов:
| Блок кода | ||
|---|---|---|
| ||
ESR-1(config)# ip failover
ESR-1(config-failover)# local-address object-group SYNC_SRC
ESR-1(config-failover)# multicast-address 224.0.0.1
ESR-1(config-failover)# multicast-group 2000
ESR-1(config-failover)# vrrp-group 1
ESR-1(config-failover)# exit |
| Примечание |
|---|
При включенном кластере использование object-group в настройке failover-сервисов для local-/remote-адресов обязательно. |
Для настройки правил зон безопасности создадим профиль для порта firewall failover:
| Блок кода | ||
|---|---|---|
| ||
ESR-1(config)# object-group service FAILOVER
ESR-1(config-object-group-service)# port-range 2000
ESR-1(config-object-group-service)# exit |
| Scroll Pagebreak |
|---|
Создадим разрешающие правило для зоны безопасности SYNC, разрешив прохождение необходимого трафика для работы firewall failover:
| Блок кода | ||
|---|---|---|
| ||
ESR-1(config)# security zone-pair SYNC self
ESR-1(config-security-zone-pair)# rule 4
ESR-1(config-security-zone-pair-rule)# action permit
ESR-1(config-security-zone-pair-rule)# match protocol udp
ESR-1(config-security-zone-pair-rule)# match destination-port object-group FAILOVER
ESR-1(config-security-zone-pair-rule)# enable
ESR-1(config-security-zone-pair-rule)# exit
ESR-1(config-security-zone-pair)# exit |
Выполним настройку firewall failover. Настроим режим резервирования сессий multicast и включим firewall failover:
| Блок кода | ||
|---|---|---|
| ||
ESR-1(config)# ip firewall failover
ESR-1(config-firewall-failover)# sync-type multicast
ESR-1(config-firewall-failover)# enable
ESR-1(config-firewall-failover)# exit |
После успешного запуска firewall failover можно посмотреть информацию о сервисе с помощью команды:
| Блок кода | ||
|---|---|---|
| ||
ESR-1# show ip firewall failover
Communication interface: bridge 1
Status: Running
Bytes sent: 8160
Bytes received: 15520
Packets sent: 1002
Packets received: 1938
Send errors: 0
Receive errors: 0 |
| Scroll Pagebreak |
|---|
Также возможно узнать текущее состояние firewall failover сервиса, выполнив команду:
| Блок кода | ||
|---|---|---|
| ||
ESR-1# show high-availability state
AP Tunnels:
State: Disabled
Last state change: --
DHCP option 82 table:
State: Disabled
Last state change: --
DHCP server:
State: Disabled
Last state change: --
crypto-sync:
State: Disabled
Firewall sessions and NAT translations:
VRF: --
Tracking VRRP Group 1
Tracking VRRP Group state: Master
State: Successful synchronization
Fault Reason: --
Last synchronization: 2025-10-02 16:53:30 |
Сгенерируем одну клиентскую сессии из LAN в WAN.
Посмотреть firewall-сессии, которые синхронизируются между устройствами, можно командами:
| Блок кода | ||
|---|---|---|
| ||
ESR-1# show ip firewall sessions failover internal
Codes: E - expected, U - unreplied,
A - assured, C - confirmed
Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
tcp 0 192.0.2.10:44812 128.66.1.1:22 128.66.1.1:22 192.0.2.10:44812 -- -- AC |
| Блок кода | ||
|---|---|---|
| ||
ESR-2# show ip firewall sessions failover external
Codes: E - expected, U - unreplied,
A - assured, C - confirmed
Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
tcp 0 192.0.2.10:44812 128.66.1.1:22 128.66.1.1:22 192.0.2.10:44812 -- -- AC |
| Блок кода | ||
|---|---|---|
| ||
ESR-2# show ip firewall sessions failover external
Codes: E - expected, U - unreplied,
A - assured, C - confirmed
Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
tcp 0 192.0.2.10:44812 128.66.1.1:22 128.66.1.1:22 192.0.2.10:44812 -- -- AC |
| Scroll Pagebreak |
|---|
Посмотреть счетчики для кэшей firewall failover можно командой:
| Блок кода | ||
|---|---|---|
| ||
ESR-1# show ip firewall failover cache
Internal sessions cache counters:
Active entries: 1
Added: 5
Deleted: 4
Updated: 4
Failed adding: 0
No memory left: 0
No space left: 0
Failed deleting: 0
No entry found: 0
Failed updating: 0
No entry found: 0
External sessions cache counters:
Active entries: 0
Added: 0
Deleted: 0
Updated: 0
Installed to Kernel: 0
Failed adding: 0
No memory left: 0
No space left: 0
Failed deleting: 0
No entry found: 0
Failed updating: 0
No entry found: 0
Failed installing to Kernel: 0 |
Настройка DHCP failover
DHCP-failover позволяет обеспечить высокую доступность службы DHCP.
Алгоритм настройки DHCP failover описан в разделе Алгоритм настройки DHCP failover.
Пример настройки
Задача:
Настроить DHCP failover в кластере маршрутизаторов ESR-1 и ESR-2 со следующими параметрами:
...
Схема реализации DHCP failover
Исходная конфигурация кластера:
| Блок кода | ||
|---|---|---|
| ||
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service DHCP_SERVER
port-range 67
exit
object-group service DHCP_CLIENT
port-range 68
exit
security zone SYNC
exit
security zone LAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip address 198.51.100.1/24
group 1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/3
security-zone LAN
ip address 192.0.2.254/24
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/3
security-zone LAN
ip address 192.0.2.253/24
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
ip dhcp-server
ip dhcp-server pool TRUSTED
network 192.0.2.0/24
address-range 192.0.2.10-192.0.2.100
default-router 192.0.2.1
exit |
| Scroll Pagebreak |
|---|
Решение:
Сконфигурируем object-group для настройки failover-сервисов:
...
Пример настройки нескольких экземпляров DHCP failover, каждый в своем VRF
Задача:
Настроить два экземпляра DHCP failover, каждый в своём VRF, в кластере маршрутизаторов ESR-1 и ESR-2 со следующими параметрами:
...
Схема реализации DHCP failover в нескольких VRF
Исходная конфигурация кластера:
| Блок кода | ||
|---|---|---|
| ||
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service DHCP_SERVER
port-range 67
exit
object-group service DHCP_CLIENT
port-range 68
exit
ip vrf LAN_ONE
exit
ip vrf LAN_TWO
exit
security zone SYNC
exit
security zone LAN_ONE
ip vrf forwarding LAN_ONE
exit
security zone LAN_TWO
ip vrf forwarding LAN_TWO
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip address 198.51.100.1/24
group 1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
mode switchport
exit
interface gigabitethernet 1/0/2.2
ip vrf forwarding LAN_ONE
security-zone LAN_ONE
ip address 192.0.2.254/24
vrrp 4
ip address 192.0.2.1/24
priority 120
group 2
enable
exit
exit
interface gigabitethernet 1/0/2.3
ip vrf forwarding LAN_TWO
security-zone LAN_TWO
ip address 128.66.0.254/24
vrrp 5
ip address 128.66.0.1/24
priority 110
group 3
enable
exit
exit
interface gigabitethernet 2/0/1
mode switchport
exit
interface gigabitethernet 2/0/2.2
ip vrf forwarding LAN_ONE
security-zone LAN_ONE
ip address 192.0.2.253/24
vrrp 4
ip address 192.0.2.1/24
priority 110
group 2
enable
exit
exit
interface gigabitethernet 2/0/2.3
ip vrf forwarding LAN_TWO
security-zone LAN_TWO
ip address 128.66.0.253/24
vrrp 5
ip address 128.66.0.1/24
priority 120
group 3
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN_ONE self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
security zone-pair LAN_TWO self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
ip dhcp-server vrf LAN_ONE
ip dhcp-server pool LAN_ONE vrf LAN_ONE
network 192.0.2.0/24
address-range 192.0.2.10-192.0.2.253
default-router 192.0.2.1
exit
ip dhcp-server vrf LAN_TWO
ip dhcp-server pool LAN_TWO vrf LAN_TWO
network 128.66.0.0/24
address-range 128.66.0.10-128.66.0.253
default-router 128.66.0.1
exit |
| Scroll Pagebreak |
|---|
Решение:
Сконфигурируем object-group для настройки DHCP failover-сервисов:
...
Пример настройки
Схема реализации SNMP
Задача:
- обеспечить возможность мониторинга сети через management-интерфейс каждого устройства в кластере:
- обеспечить возможность мониторинга состояния сети и внесения изменений в конфигурацию устройства, выполняющего роль VRRP Master;
- устройство управления (MGMT) доступно по IP-адресу 192.0.2.10.
Исходная конфигурация кластера:
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
security zone SYNC
exit
security zone MGMT
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip address 198.51.100.1/24
group 1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/2
security-zone MGMT
ip address 192.0.2.254/24
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone MGMT
ip address 192.0.2.253/24
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair MGMT self
rule 1
action permit
match protocol vrrp
enable
exit
exit |
Решение:
Создадим профиль SNMP-портов, предоставляющий доступ в MGMT зону безопасности:
...
Алгоритм Source NAT описан в разделе Алгоритм настройки Source NAT.
Пример настройки
Задача:
- предоставить доступ в Интернет хостам, находящимся в локальной сети;
- клиентская подсеть: 192.0.2.0/24;
публичный IP-адрес – VIP-адрес на интерфейсе.
...
Схема реализации Source NAT
Исходная конфигурация кластера:
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip address 198.51.100.1/24
group 1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/2
security-zone WAN
ip address 128.66.0.6/30
vrrp 3
ip address 203.0.113.2/30
group 1
enable
exit
exit
interface gigabitethernet 1/0/3
security-zone LAN
ip address 128.66.0.2/30
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone WAN
ip address 128.66.0.5/30
vrrp 3
ip address 203.0.113.2/30
group 1
enable
exit
exit
interface gigabitethernet 2/0/3
security-zone LAN
ip address 128.66.0.1/30
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair WAN self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair LAN WAN
rule 1
action permit
enable
exit
exit |
Решение:
Создадим список IP-адресов, которые будут иметь возможность выхода в Интернет:
...
Алгоритм настройки Destination NAT описан в разделе Алгоритм настройки DNAT.
Пример настройки
Задача:
- организовать публичный доступа к серверу, находящемуся в частной сети и не имеющему публичного сетевого адреса;
- сервер доступен по адресу: 192.0.2.10/24;
...
Схема реализации Destination NAT
Исходная конфигурация кластера:
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip address 198.51.100.1/24
group 1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/2
security-zone WAN
ip address 128.66.0.6/30
vrrp 3
ip address 203.0.113.2/30
group 1
enable
exit
exit
interface gigabitethernet 1/0/3
security-zone LAN
ip address 128.66.0.2/30
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone WAN
ip address 128.66.0.5/30
vrrp 3
ip address 203.0.113.2/30
group 1
enable
exit
exit
interface gigabitethernet 2/0/3
security-zone LAN
ip address 128.66.0.1/30
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol vrrp
enable
exit
exit
security zone-pair WAN self
rule 1
action permit
match protocol vrrp
enable
exit
exit |
| Scroll Pagebreak |
|---|
Решение:
Создадим профиль адреса сервера из WAN сети, с которого будем принимать:
...
Пример настройки eBGP с общим IP-адресом
Задача:
Настроить BGP-протокол в кластере маршрутизаторов ESR-1 и ESR-2 со следующими параметрами:
...
Схема реализации eBGP с общим IP-адресом
Исходная конфигурация кластера:
| Блок кода | ||
|---|---|---|
| ||
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip address 198.51.100.1/24
group 1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/2
security-zone LAN
ip address 192.0.2.254/24
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 1/0/3
security-zone WAN
ip address 128.66.0.2/30
vrrp 3
ip address 203.0.113.1/30
group 1
enable
exit
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone LAN
ip address 192.0.2.253/24
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 2/0/3
security-zone WAN
ip address 128.66.0.1/30
vrrp 3
ip address 203.0.113.1/30
group 1
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol ah
enable
exit
exit
security zone-pair WAN self
rule 1
action permit
match protocol vrrp
enable
exit
exit |
Решение:
Настроем firewall для приема маршрутизатором BGP-трафика из зоны безопасности WAN:
...
Пример настройки eBGP с каждым участником кластера по индивидуальным IP-адресам
Задача:
Настроить BGP-протокол в кластере маршрутизаторов ESR-1 и ESR-2 со следующими параметрами:
...
| Блок кода | ||
|---|---|---|
| ||
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
security zone SYNC
exit
security zone LAN
exit
security zone WAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip address 198.51.100.1/24
group 1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/2
security-zone LAN
ip address 192.0.2.254/24
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 1/0/3
security-zone WAN
ip address 203.0.113.1/30
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
security-zone LAN
ip address 192.0.2.253/24
vrrp 2
ip address 192.0.2.1/24
group 1
enable
exit
exit
interface gigabitethernet 2/0/3
security-zone WAN
ip address 203.0.113.5/30
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol ah
enable
exit
exit
security zone-pair WAN self
rule 1
action permit
match protocol vrrp
enable
exit
exit |
| Scroll Pagebreak |
|---|
Решение:
Настроем firewall для приема маршрутизатором BGP-трафика из зоны безопасности WAN:
...
Пример настройки в кластере DMVPN Single Hub Dual Cloud схемы
Задача:
Организовать DMVPN между офисами компании, используя mGRE-туннели, NHRP (Next Hop Resolution Protocol), протокол динамической маршрутизации (BGP), IPsec. В данном примере будет HUB-маршрутизатор, который находится в кластере, и два филиала. HUB – это DMVPN-cервер (NHS), а филиалы – DMPVN-клиенты (NHC).
...
| Блок кода | ||
|---|---|---|
| ||
hostname SPOKE-2 security zone LAN exit security zone WAN exit interface gigabitethernet 1/0/1 security-zone WAN ip address 198.51.100.14/30 exit interface gigabitethernet 1/0/2 security-zone LAN ip address 128.66.2.1/24 exit ip route 198.51.100.0/30 198.51.100.13 ip route 198.51.100.4/30 198.51.100.13 ip route 198.51.100.8/30 198.51.100.13 |
| Scroll Pagebreak |
|---|
Решение:
- Конфигурирование HUB
Создадим туннели mGRE, каждый через свой CLOUD, определим принадлежность к зоне безопасности, настроим NHRP и включим туннель и NHRP командой enable:
...