...
| Блок кода | ||
|---|---|---|
| ||
cluster
cluster-interface bridge 1
unit 1
mac-address a2:00:00:10:c0:00
exit
unit 2
mac-address a2:00:00:10:d0:00
exit
enable
exit
hostname ESR-1 unit 1
hostname ESR-2 unit 2
object-group service DHCP_SERVER
port-range 67
exit
object-group service DHCP_CLIENT
port-range 68
exit
security zone SYNC
exit
security zone LAN
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp id 1
vrrp ip 198.51.100.1/24
vrrp group 1
vrrp authentication key ascii-text encrypted 88B11079B51D
vrrp authentication algorithm md5
vrrp
enable
exit
interface gigabitethernet 1/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/3
security-zone LAN
ip address 128192.66.0.2.254/3024
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp
exit
interface gigabitethernet 2/0/1
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/3
security-zone LAN
ip address 128192.660.02.1253/3024
vrrp id 2
vrrp ip 192.0.2.1/24
vrrp group 1
vrrp
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port object-group DHCP_CLIENT
match destination-port object-group DHCP_SERVER
enable
exit
exit
ip dhcp-server
ip dhcp-server pool TRUSTED
network 192.0.2.0/24
address-range 192.0.2.10-192.0.2.100
default-router 192.0.2.1
exit |
...
| Блок кода |
|---|
ESR-1(config-bgp)# address-family ipv4 unicast ESR-1(config-bgp-af)# redistribute connected ESR-1(config-bgp-af)# exit |
| Scroll Pagebreak |
|---|
Создадим eBGP с вышестоящим роутером:
| Блок кода |
|---|
ESR-1(config-bgp)# neighbor 203.0.113.2 ESR-1(config-bgp-neighbor)# remote-as 64501 ESR-1(config-bgp-neighbor)# update-source 203.0.113.1 |
...
И включим обмен IPv4-маршрутами:
...
Применим конфигурацию на Active-устройстве.scroll-pagebreak
Информацию о BGP-пирах можно посмотреть командой:
...
| Блок кода |
|---|
HUB-1(config)# security ike proposal ike_proposal HUB-1(config-ike-proposal)# authentication algorithm sha2-256 HUB-1(config-ike-proposal)# encryption algorithm aes256 HUB-1(config-ike-proposal)# dh-group 19 HUB-1(config-ike-proposal)# exit HUB-1(config)# HUB-1(config)# security ike policy ike_policy HUB-1(config-ike-policy)# pre-shared-key ascii-text encrypted 8CB5107EA7005AFF HUB-1(config-ike-policy)# proposal ike_proposal HUB-1(config-ike-policy)# exit HUB-1(config)# security ike gateway ike_gateway_cloud_one HUB-1(config-ike-gw)# version v2-only HUB-1(config-ike-gw)# ike-policy ike_policy HUB-1(config-ike-gw)# local address 198.51.100.2 HUB-1(config-ike-gw)# local network 198.51.100.2/32 protocol gre HUB-1(config-ike-gw)# remote address any HUB-1(config-ike-gw)# remote network any protocol gre HUB-1(config-ike-gw)# mode policy-based HUB-1(config-ike-gw)# mobike disable HUB-1(config-ike-gw)# dead-peer-detection action clear HUB-1(config-ike-gw)# dead-peer-detection interval 310 HUB-1(config-ike-gw)# dead-peer-detection retransmit timeout 15 HUB-1(config-ike-gw)# dead-peer-detection retransmit tries 2 HUB-1(config-ike-gw)# exit HUB-1(config)# security ike gateway ike_gateway_cloud_two HUB-1(config-ike-gw)# version v2-only HUB-1(config-ike-gw)# ike-policy ike_policy HUB-1(config-ike-gw)# local address 198.51.100.6 HUB-1(config-ike-gw)# local network 198.51.100.6/32 protocol gre HUB-1(config-ike-gw)# remote address any HUB-1(config-ike-gw)# remote network any protocol gre HUB-1(config-ike-gw)# mode policy-based HUB-1(config-ike-gw)# mobike disable HUB-1(config-ike-gw)# dead-peer-detection action clear HUB-1(config-ike-gw)# dead-peer-detection interval 310 HUB-1(config-ike-gw)# dead-peer-detection retransmit timeout 15 HUB-1(config-ike-gw)# dead-peer-detection retransmit tries 2 HUB-1(config-ike-gw)# exit HUB-1(config)# HUB-1(config)# security ike session uniqueids replace |
...
| Блок кода |
|---|
SPOKE-1(config)# security ike proposal ike_proposal SPOKE-1(config-ike-proposal)# authentication algorithm sha2-256 SPOKE-1(config-ike-proposal)# encryption algorithm aes256 SPOKE-1(config-ike-proposal)# dh-group 19 SPOKE-1(config-ike-proposal)# exit SPOKE-1(config)# security ike policy ike_policy SPOKE-1(config-ike-policy)# pre-shared-key ascii-text encrypted 8CB5107EA7005AFF SPOKE-1(config-ike-policy)# proposal ike_proposal SPOKE-1(config-ike-policy)# exit SPOKE-1(config)# security ike gateway ike_gateway_cloud_one SPOKE-1(config-ike-gw)# version v2-only SPOKE-1(config-ike-gw)# ike-policy ike_policy SPOKE-1(config-ike-gw)# local address 198.51.100.10 SPOKE-1(config-ike-gw)# local network 198.51.100.10/32 protocol gre SPOKE-1(config-ike-gw)# remote address 198.51.100.2 SPOKE-1(config-ike-gw)# remote network 198.51.100.2/32 protocol gre SPOKE-1(config-ike-gw)# mode policy-based SPOKE-1(config-ike-gw)# mobike disable SPOKE-1(config-ike-gw)# dead-peer-detection action clear SPOKE-1(config-ike-gw)# dead-peer-detection interval 310 SPOKE-1(config-ike-gw)# dead-peer-detection retransmit timeout 15 SPOKE-1(config-ike-gw)# dead-peer-detection retransmit tries 2 SPOKE-1(config-ike-gw)# exit SPOKE-1(config)# security ike gateway ike_gateway_cloud_two SPOKE-1(config-ike-gw)# version v2-only SPOKE-1(config-ike-gw)# ike-policy ike_policy SPOKE-1(config-ike-gw)# local address 198.51.100.10 SPOKE-1(config-ike-gw)# local network 198.51.100.10/32 protocol gre SPOKE-1(config-ike-gw)# remote address 198.51.100.6 SPOKE-1(config-ike-gw)# remote network 198.51.100.6/32 protocol gre SPOKE-1(config-ike-gw)# mode policy-based SPOKE-1(config-ike-gw)# mobike disable SPOKE-1(config-ike-gw)# dead-peer-detection action clear SPOKE-1(config-ike-gw)# dead-peer-detection interval 310 SPOKE-1(config-ike-gw)# dead-peer-detection retransmit timeout 15 SPOKE-1(config-ike-gw)# dead-peer-detection retransmit tries 2 SPOKE-1(config-ike-gw)# exit SPOKE-1(config)# security ike gateway ike_gateway_to_spokes SPOKE-1(config-ike-gw)# version v2-only SPOKE-1(config-ike-gw)# ike-policy ike_policy SPOKE-1(config-ike-gw)# local address 198.51.100.10 SPOKE-1(config-ike-gw)# local network 198.51.100.10/32 protocol gre SPOKE-1(config-ike-gw)# remote id any SPOKE-1(config-ike-gw)# remote address any SPOKE-1(config-ike-gw)# remote network any protocol gre SPOKE-1(config-ike-gw)# mode policy-based SPOKE-1(config-ike-gw)# mobike disable SPOKE-1(config-ike-gw)# dead-peer-detection action clear SPOKE-1(config-ike-gw)# dead-peer-detection interval 310 SPOKE-1(config-ike-gw)# dead-peer-detection retransmit timeout 15 SPOKE-1(config-ike-gw)# dead-peer-detection retransmit tries 2 SPOKE-1(config-ike-gw)# exit |
...
| Блок кода |
|---|
SPOKE-2(config)# security ike proposal ike_proposal SPOKE-2(config-ike-proposal)# authentication algorithm sha2-256 SPOKE-2(config-ike-proposal)# encryption algorithm aes256 SPOKE-2(config-ike-proposal)# dh-group 19 SPOKE-2(config-ike-proposal)# exit SPOKE-2(config)# security ike policy ike_policy SPOKE-2(config-ike-policy)# pre-shared-key ascii-text encrypted 8CB5107EA7005AFF SPOKE-2(config-ike-policy)# proposal ike_proposal SPOKE-2(config-ike-policy)# exit SPOKE-2(config)# security ike gateway ike_gateway_cloud_one SPOKE-2(config-ike-gw)# version v2-only SPOKE-2(config-ike-gw)# ike-policy ike_policy SPOKE-2(config-ike-gw)# local address 198.51.100.14 SPOKE-2(config-ike-gw)# local network 198.51.100.14/32 protocol gre SPOKE-2(config-ike-gw)# remote address 198.51.100.2 SPOKE-2(config-ike-gw)# remote network 198.51.100.2/32 protocol gre SPOKE-2(config-ike-gw)# mode policy-based SPOKE-2(config-ike-gw)# mobike disable SPOKE-2(config-ike-gw)# dead-peer-detection action clear SPOKE-2(config-ike-gw)# dead-peer-detection interval 310 SPOKE-2(config-ike-gw)# dead-peer-detection retransmit timeout 15 SPOKE-2(config-ike-gw)# dead-peer-detection retransmit tries 2 SPOKE-2(config-ike-gw)# exit SPOKE-2(config)# security ike gateway ike_gateway_cloud_two SPOKE-2(config-ike-gw)# version v2-only SPOKE-2(config-ike-gw)# ike-policy ike_policy SPOKE-2(config-ike-gw)# local address 198.51.100.14 SPOKE-2(config-ike-gw)# local network 198.51.100.14/32 protocol gre SPOKE-2(config-ike-gw)# remote address 198.51.100.6 SPOKE-2(config-ike-gw)# remote network 198.51.100.6/32 protocol gre SPOKE-2(config-ike-gw)# mode policy-based SPOKE-2(config-ike-gw)# mobike disable SPOKE-2(config-ike-gw)# dead-peer-detection action clear SPOKE-2(config-ike-gw)# dead-peer-detection interval 310 SPOKE-2(config-ike-gw)# dead-peer-detection retransmit timeout 15 SPOKE-2(config-ike-gw)# dead-peer-detection retransmit tries 2 SPOKE-2(config-ike-gw)# exit SPOKE-2(config)# security ike gateway ike_gateway_to_spokes SPOKE-2(config-ike-gw)# version v2-only SPOKE-2(config-ike-gw)# ike-policy ike_policy SPOKE-2(config-ike-gw)# local address 198.51.100.14 SPOKE-2(config-ike-gw)# local network 198.51.100.14/32 protocol gre SPOKE-2(config-ike-gw)# remote id any SPOKE-2(config-ike-gw)# remote address any SPOKE-2(config-ike-gw)# remote network any protocol gre SPOKE-2(config-ike-gw)# mode policy-based SPOKE-2(config-ike-gw)# mobike disable SPOKE-2(config-ike-gw)# dead-peer-detection action clear SPOKE-2(config-ike-gw)# dead-peer-detection interval 310 SPOKE-2(config-ike-gw)# dead-peer-detection retransmit timeout 15 SPOKE-2(config-ike-gw)# dead-peer-detection retransmit tries 2 SPOKE-2(config-ike-gw)# exit |
...