...
- Create object-groups for the firewall configuration
- Configure VRRP on the interfaces
- Configure Crypto-Sync for certificate synchronization
- Configure WLC for access-point state synchronization
- Configure Softgre-Controller for tunnel synchronization
- Configure the Firewall: permit VRRP advertisements and open the ports used for tunnel, certificate and WLC state synchronization
- Configure the DHCP server in Active-Standby mode
- Configure DHCP failover
- Configure the NTP server
Note: on every interface where VRRP is enabled, also set
vrrp timers garp refresh 60
This command sets the interval after which the router periodically re-sends gratuitous ARP for its virtual address for as long as it is in the Master state; the refresh keeps the neighbours' ARP caches and the switches' MAC tables pointing at the current master.
...
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
Create the object-groups used by the firewall rules:
...
no bridge 1
no bridge 3
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.2/24
vrrp priority 120
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.2/24
vrrp priority 120
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
Configure Crypto-Sync for certificate synchronization:
...
Specify the addresses of the redundant controllers and assign them the VRRP group, then enable Crypto-Sync between the same pair of addresses:
ip failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
exit
crypto-sync
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
remote-delete
enable
exit
Configure the Softgre-Controller for SoftGRE tunnel synchronization:
softgre-controller
peer-address 192.168.1.3
vrrp-group 1
exit
Configure the SoftGRE tunnel; the VRRP virtual IP is used as the local address, so the tunnel endpoint stays the same after a switchover:
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
Configure WLC for access-point state synchronization:
wlc
failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
enable
exit
exit
Configure the firewall rules: permit VRRP and the ports used for tunnel and certificate synchronization (tcp/1337 via the softgre_controller object-group, tcp/873 via sync). Rule 11 matches VRRP from any source in the zone. VRRP advertisements carry no strong authentication, so on the users VLAN (zone-pair users to self) any station can send advertisements and, with a priority above 120, take over 192.168.2.1, the users' default gateway; the same holds for VLAN 2449 and 192.168.1.1. Where possible, narrow these rules with a source-address match to the peer controller's address.
security zone-pair trusted self
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
exit
security zone-pair users self
rule 11
action permit
match protocol vrrp
enable
exit
exit
...
ip dhcp-server failover
mode active-standby
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
enable
exit
Configure the NTP server. The controllers' clocks must be synchronized for the state synchronization to work correctly:
no ntp broadcast-client enable
ntp enable
ntp server 100.110.0.65
exit
Create a user in the local RADIUS server:
...
wlc-1# commit
wlc-1# confirm
Full configuration of WLC-1:
#!/usr/bin/clish
hostname WLC-1
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
user test
password ascii-text encrypted CDE65039E5591FA3
exit
exit
virtual-server default
enable
exit
enable
exit
username admin
password encrypted $6$SE44HkPtLYJkWMTZ$if1UHjuR3c9THrZAbh55PIxPhbAfCoTnyNJjG7rJIcLkTk4otQNjiHF6Sk6or3Rd4Q1uCUNvv6jUQyDQ0ffSx0
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.2/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 120
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip firewall disable
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.2/24
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp priority 120
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
enable
exit
softgre-controller
peer-address 192.168.1.3
nas-ip-address 127.0.0.1
vrrp-group 1
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
password private-crt-key ascii-text encrypted 8CB5107EA7005AFF
exit
airtune
enable
exit
failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
enable
exit
ap-location default-location
description default-location
mode tunnel
ap-profile default-ap
airtune-profile default_airtune
radio-2g-profile default_2g
radio-5g-profile default_5g
ssid-profile default-ssid
exit
airtune-profile default_airtune
exit
ssid-profile default-ssid
description default-ssid
ssid default-ssid
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
radio-2g-profile default_2g
obss-coexistence off
exit
radio-5g-profile default_5g
dfs forced
obss-coexistence off
limit-channels 36,40,44,48,52,56,60,64
exit
ap-profile default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
ip-pool default-ip-pool
description default-ip-pool
ap-location default-location
exit
enable
exit
ip ssh server
ntp enable
ntp broadcast-client enable
ntp server 100.110.0.65
exit
crypto-sync
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
remote-delete
enable
exit
Example configuration of WLC-2
Connect to the WLC and enter configuration mode:
Change the device name:
Create VLAN 2449:
vlan 2449
force-up
exit
...
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
Change the addressing and configure VRRP on the bridges:
no bridge 1
no bridge 3
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.3/24
vrrp priority 110
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24
vrrp priority 110
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
Configure Crypto-Sync for certificate synchronization:
...
Specify the addresses of the redundant controllers and assign them the VRRP group, then enable Crypto-Sync between the same pair of addresses:
ip failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
exit
crypto-sync
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
remote-delete
enable
exit
Configure the Softgre-Controller for SoftGRE tunnel synchronization:
softgre-controller
peer-address 192.168.1.2
vrrp-group 1
exit
Configure the SoftGRE tunnel; the VRRP virtual IP is used as the local address, so the tunnel endpoint stays the same after a switchover:
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
Configure WLC for access-point state synchronization:
wlc
failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
exit
Configure the firewall rules: permit VRRP and the ports used for tunnel and certificate synchronization (tcp/1337 via the softgre_controller object-group, tcp/873 via sync). Rule 11 matches VRRP from any source in the zone. VRRP advertisements carry no strong authentication, so on the users VLAN (zone-pair users to self) any station can send advertisements and, with a priority above 120, take over 192.168.2.1, the users' default gateway; the same holds for VLAN 2449 and 192.168.1.1. Where possible, narrow these rules with a source-address match to the peer controller's address.
security zone-pair trusted self
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
exit
security zone-pair users self
rule 11
action permit
match protocol vrrp
enable
exit
exit
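Rule 11 in both zone-pairs accepts VRRP from any host in the zone. The decoder below is an added example, not part of the original page or of Eltex's software: it shows what a station on the users VLAN can send and what a monitor should flag, namely a VRRPv2 advertisement for VRID 3 from an address other than 192.168.2.2 or 192.168.2.3, or with a priority above the configured maximum of 120. The packet layout is RFC 3768; the page does not state the VRRP version, so version 2 is an assumption. EXPECTED is built from the page's addresses and priorities, and every packet is constructed inline.

```python
"""VRRPv2 advertisement decoder and a check for adverts that a rogue station
could inject where the firewall accepts VRRP from the whole zone (added example;
not from the page or from Eltex).  Layout follows RFC 3768; all packets are
constructed here, the expected values are taken from the configs on this page."""
import struct

def ones_complement_sum(data):
    """Internet checksum as used by both the IPv4 header and the VRRP message."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def vrrp_advert(src_ip, vrid, priority, vips, interval=1):
    """IPv4 (proto 112, TTL 255, dst 224.0.0.18) + VRRPv2 advert, checksums filled in."""
    msg = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, interval, 0)
    msg += b"".join(ip4(v) for v in vips) + b"\0" * 8          # VIPs, then 8 bytes auth data
    msg = msg[:6] + struct.pack("!H", ones_complement_sum(msg)) + msg[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(msg), 0, 0, 255, 112, 0,
                      ip4(src_ip), ip4("224.0.0.18"))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + msg

def parse_advert(pkt):
    """Return the advert's fields, or None if pkt is not a well-formed VRRPv2 advert."""
    if len(pkt) < 36 or pkt[0] >> 4 != 4 or pkt[9] != 112:
        return None
    ihl = (pkt[0] & 0xF) * 4
    msg = pkt[ihl:]
    if len(msg) < 16 or msg[0] != 0x21 or ones_complement_sum(msg) != 0:
        return None
    n = msg[3]
    return {"src": ".".join(map(str, pkt[12:16])), "ttl": pkt[8], "vrid": msg[1],
            "priority": msg[2],
            "vips": [".".join(map(str, msg[8 + 4 * i:12 + 4 * i])) for i in range(n)]}

# What the page's configuration implies: two controllers per VRID, highest priority 120.
EXPECTED = {
    1: {"peers": {"192.168.1.2", "192.168.1.3"}, "max_priority": 120, "vips": ["192.168.1.1"]},
    3: {"peers": {"192.168.2.2", "192.168.2.3"}, "max_priority": 120, "vips": ["192.168.2.1"]},
}

def audit(pkts, expected=EXPECTED):
    """Flag adverts from non-peers, unknown VRIDs, or with a priority that would win the election."""
    alerts = []
    for adv in filter(None, map(parse_advert, pkts)):
        exp = expected.get(adv["vrid"])
        if exp is None:
            alerts.append(f"unknown VRID {adv['vrid']} from {adv['src']}")
            continue
        if adv["src"] not in exp["peers"]:
            alerts.append(f"VRID {adv['vrid']}: advert from non-peer {adv['src']}")
        if adv["priority"] > exp["max_priority"]:
            alerts.append(f"VRID {adv['vrid']}: priority {adv['priority']} beats both controllers")
        if adv["vips"] != exp["vips"] or adv["ttl"] != 255:
            alerts.append(f"VRID {adv['vrid']}: unexpected VIP list or TTL from {adv['src']}")
    return alerts
```

Feeding `audit` with packets captured on VLAN 3 (after stripping the Ethernet header) gives an empty list while only the two controllers advertise; a single advert from another address or with priority 255 produces two alerts, which is exactly the case the wide rule 11 allows through.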
...
ip dhcp-server failover
mode active-standby
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
Configure the NTP server. The controllers' clocks must be synchronized for the state synchronization to work correctly:
no ntp broadcast-client enable
ntp enable
ntp server 100.110.0.65
exit
Create a user in the local RADIUS server:
...
wlc-2# commit
wlc-2# confirm
...
Full configuration of WLC-2:
#!/usr/bin/clish
hostname WLC-2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
user test
password ascii-text encrypted CDE65039E5591FA3
exit
exit
virtual-server default
enable
exit
enable
exit
username admin
password encrypted $6$gnFubZbxiPHa/WdA$xEmrfe/dVeVNDGBztQUB1Sk8In.20Hep/LxMJhxcHFWCfs2SPwxaCyyNxmzL3Bqu8buj71PPfp7WdfWz8AqrU/
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.3/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 110
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp priority 110
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
softgre-controller
peer-address 192.168.1.2
nas-ip-address 127.0.0.1
vrrp-group 1
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
password private-crt-key ascii-text encrypted 8CB5107EA7005AFF
exit
airtune
enable
exit
failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
ap-location default-location
description default-location
mode tunnel
ap-profile default-ap
airtune-profile default_airtune
radio-2g-profile default_2g
radio-5g-profile default_5g
ssid-profile default-ssid
exit
airtune-profile default_airtune
exit
ssid-profile default-ssid
description default-ssid
ssid default-ssid
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
radio-2g-profile default_2g
obss-coexistence off
exit
radio-5g-profile default_5g
dfs forced
obss-coexistence off
limit-channels 36,40,44,48,52,56,60,64
exit
ap-profile default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
ip-pool default-ip-pool
description default-ip-pool
ap-location default-location
exit
enable
exit
ip ssh server
ntp enable
ntp broadcast-client enable
ntp server 100.110.0.65
exit
crypto-sync
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
remote-delete
enable
exit
Verification
To check tunnel, WLC and DHCP synchronization, look at the output of:
WLC-1# show high-availability state
VRRP role: Master
AP Tunnels:
State: Successful synchronization
Last synchronization: 06:18:03 25.09.2023
DHCP option 82 table:
State: Disabled
Last state change: --
DHCP server:
VRF: --
State: Successful synchronization
crypto-sync:
State: Successful synchronization
Last synchronization: 06:18:03 25.09.2023
Firewall:
State: Disabled
Last state change: --
WLC:
State: Successful synchronization
Last synchronization: 06:18:03 25.09.2023
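The output above tells you that the peers reached each other; it does not tell you that the two configurations are mirror images. The script below is an added example (not from the page or from Eltex) that parses the flat CLI of both controllers and checks what the steps above require: the same VRRP id, ip and group per bridge with different priorities, preempt disabled and the GARP refresh timer set on both sides, failover local/remote addresses swapped between the peers with the same vrrp-group, and the trusted-to-self zone-pair permitting VRRP and the sync port. The parser tracks only the submodes listed in OPENERS, and the WLC1/WLC2 excerpts are constructed from the page's configurations.

```python
"""Consistency check for a WLC VRRP/failover pair (added example; not from the
page or from Eltex).  Only the submodes listed in OPENERS are tracked and every
submode is assumed to end with `exit`, which holds for the configs on this page."""
import re
# Constructed excerpt of the WLC-1 configuration shown on the page.
WLC1 = """\
object-group service sync
port-range 873
exit
bridge 1
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 120
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
exit
ip failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
exit
security zone-pair trusted self
rule 11
action permit
match protocol vrrp
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
exit
"""
# WLC-2 is the mirror image: addresses swapped, lower priority.
WLC2 = (WLC1.replace("192.168.1.2", "@").replace("192.168.1.3", "192.168.1.2")
        .replace("@", "192.168.1.3").replace("priority 120", "priority 110"))
# Sync ports that trusted->self must permit; the page also opens softgre_controller (tcp/1337).
REQUIRED_PORTS = {"sync": "873"}
OPENERS = re.compile(r"^(bridge \d+|ip failover|crypto-sync|ip dhcp-server failover|wlc|"
                     r"failover|object-group service \S+|security zone-pair \S+ \S+|rule \d+)$")

def parse(cfg):
    """Flatten the CLI into {"block/sub-block": [setting lines]}."""
    blocks, stack = {}, []
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if line == "exit":
            stack.pop()
        elif OPENERS.match(line):
            stack.append(line)
            blocks["/".join(stack)] = []
        elif stack:
            blocks["/".join(stack)].append(line)
    return blocks

def vrrp_params(lines):
    """'vrrp id 1' -> {'id': '1'}; the bare 'vrrp' that enables the instance -> {'enabled': True}."""
    p = {}
    for w in (l.split() for l in lines if l.startswith("vrrp")):
        p[w[1] if len(w) > 1 else "enabled"] = " ".join(w[2:]) or True
    return p
def peer(lines, key):
    return next((l.split()[1] for l in lines if l.startswith(key + " ")), None)

def check_pair(cfg_a, cfg_b):
    """Return findings for the pair; an empty list means the two configs agree."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for br in sorted(k for k in a if k.startswith("bridge ")):
        pa, pb = vrrp_params(a[br]), vrrp_params(b.get(br, []))  # missing bridge -> all differ
        out += [f"{br}: vrrp {k} differs" for k in ("id", "ip", "group") if pa.get(k) != pb.get(k)]
        if pa.get("priority") == pb.get("priority"):
            out.append(f"{br}: equal priorities, master election decided by address")
        for side, p in (("A", pa), ("B", pb)):
            if p.get("preempt") != "disable":
                out.append(f"{br}/{side}: preempt not disabled")
            if "garp refresh" not in str(p.get("timers", "")):
                out.append(f"{br}/{side}: no 'vrrp timers garp refresh'")
    for blk in ("ip failover", "crypto-sync", "ip dhcp-server failover", "wlc/failover"):
        if blk in a or blk in b:
            la, ra, lb, rb = (peer(c.get(blk, []), k) for c in (a, b)
                              for k in ("local-address", "remote-address"))
            if not (la and la == rb and ra == lb):
                out.append(f"{blk}: local/remote addresses are not mirrored")
            if peer(a.get(blk, []), "vrrp-group") != peer(b.get(blk, []), "vrrp-group"):
                out.append(f"{blk}: vrrp-group differs")
    for side, cfg in (("A", a), ("B", b)):
        allowed = [v for k, v in cfg.items() if k.startswith("security zone-pair trusted self/rule")
                   and "action permit" in v and "enable" in v]
        hit = lambda needle: any(needle in l for r in allowed for l in r)
        if not hit("match protocol vrrp"):
            out.append(f"{side}: trusted->self does not permit VRRP")
        for og, port in REQUIRED_PORTS.items():
            if cfg.get(f"object-group service {og}") != [f"port-range {port}"]:
                out.append(f"{side}: object-group {og} is not tcp/{port}")
            elif not hit(f"destination-port object-group {og}"):
                out.append(f"{side}: trusted->self does not permit {og} (tcp/{port})")
    return out
```

Run `check_pair` on the two saved configurations (`show running-config` output with the indentation stripped) before `commit`/`confirm`: a clean pair returns an empty list, while two controllers that both ended up with priority 120, or with the same local-address in `ip failover`, are reported line by line instead of surfacing as a split-brain after the first switchover.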