...
| Note |
|---|
A hostname specified with a unit binding (`hostname ... unit N`) takes precedence over the global hostname. |
Remove the factory Bridge settings so that the bridge can be configured from scratch:
...
| Code block |
|---|
wlc-1(config-bridge)# ip address 192.168.1.4/24 unit 1
wlc-1(config-bridge)# ip address 192.168.1.3/24 unit 2
wlc-1(config-bridge)# ip address 192.168.1.2/24 unit 3 |
Configure VRRP:
| Note |
|---|
To avoid needless VRRP switchovers, the example disables preemption: a unit with a higher priority does not take the Master role away from the current Master that has a lower priority. If you do need preemption, add a preemption delay so that the services have time to synchronize their data before the role changes: |
| Code block |
|---|
vrrp preempt delay 120 |
|
| Code block |
|---|
|
wlc-1(config-bridge)# vrrp 2
wlc-1(config-vrrp)# ip address 192.168.1.1/32
wlc-1(config-vrrp)# priority 130 unit 1
wlc-1(config-vrrp)# priority 120 unit 2
wlc-1(config-vrrp)# group 1
wlc-1(config-vrrp)# preempt disable
wlc-1(config-vrrp)# enable
wlc-1(config-vrrp)# exit
|
For the 1+2 scheme, also set the priority for the third unit:
| Code block |
|---|
|
wlc-1(config-bridge)# vrrp 2
wlc-1(config-vrrp)# priority 110 unit 3
wlc-1(config-vrrp)# exit
|
Disable spanning-tree and enable the Bridge:
| Code block |
|---|
|
wlc-1(config-bridge)# no spanning-tree
wlc-1(config-bridge)# enable
wlc-1(config-bridge)# exit
|
Proceed to configuring the interface of the first unit:
| Code block |
|---|
|
wlc-1(config)# interface gigabitethernet 1/0/2
|
For convenience, give the interface a description:
| Code block |
|---|
|
wlc-1(config-if-gi)# description "Local"
|
Switch the interface to L2 mode:
...
| Code block |
|---|
|
wlc-1(config)# security zone SYNC
wlc-1(config-security-zone)# exit
wlc-1(config)# security zone-pair SYNC self
wlc-1(config-security-zone-pair)# rule 1
wlc-1(config-security-zone-pair-rule)# action permit
wlc-1(config-security-zone-pair-rule)# match protocol icmp
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# rule 2
wlc-1(config-security-zone-pair-rule)# action permit
wlc-1(config-security-zone-pair-rule)# match protocol vrrp
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Proceed to the cluster interface settings:
| Code block |
|---|
|
wlc-1(config)# bridge 1
|
| Note |
|---|
In software version 1.3036.4 2, only a bridge is supported as the cluster interface. |
...
| Code block |
|---|
|
wlc-1(config-bridge)# vrrp 1
wlc-1(config-vrrp)# ip address 198.51.100.1/24
wlc-1(config-vrrp)# priority 130 unit 1
wlc-1(config-vrrp)# priority 120 unit 2
wlc-1(config-vrrp)# group 1
wlc-1(config-vrrp)# preempt disable
wlc-1(config-vrrp)# enable
wlc-1(config-vrrp)# exit |
| Note |
|---|
For the cluster to work, the VRRP address must be in the same subnet as the addresses configured on the interface. |
...
| Code block |
|---|
|
wlc-1(config-bridge)# enable
wlc-1(config-bridge)# exit |
Configure the physical ports for the dedicated synchronization link between the wlc-1 and wlc-2 routers:
...
| Code block |
|---|
|
wlc-1# show vrrp
Virtual router   Virtual IP         Priority   Preemption   State    Inherit   Sync group ID
--------------   ----------------   --------   ----------   ------   -------   -------------
1                198.51.100.1/24    130        Disabled     Backup   --        1
2                192.168.1.1/32     130        Disabled     Backup   --        1 |
The device has taken the Backup state. After 10 seconds it will take the Master state.
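The note earlier on this page explains why preemption is disabled and why a delay is needed when it is enabled. The following model, added here as an example and not the controller's own code, replays one VRRP group with the page's priorities (130 and 120) on a one-second clock: the higher-priority unit fails at t=10 s and returns at t=20 s. The `simulate` function, the `PRIORITIES`/`EVENTS` scenario and the 3-second master-down timer are constructed for this illustration.

```python
PRIORITIES = {"wlc-1": 130, "wlc-2": 120}            # the page's two units (constructed scenario)
EVENTS = {10: ("wlc-1", False), 20: ("wlc-1", True)}  # wlc-1 fails at t=10 s and is back at t=20 s


def simulate(priorities, events, preempt, preempt_delay=0, master_down=3, horizon=200):
    """Replay one VRRP group on a one-second clock and return the (t, master) transitions.

    priorities: {unit: priority}; events: {t: (unit, is_up)} link changes;
    preempt/preempt_delay mirror the page's "preempt disable" and "preempt delay <s>";
    master_down is how many seconds of missed advertisements make a Backup take over.
    Simplified model written for this page, not the controller's implementation.
    """
    up = {u: True for u in priorities}
    up_for = {u: 0 for u in priorities}       # seconds since the unit last came up
    master = max(priorities, key=priorities.get)
    log, missed = [(0, master)], 0
    for t in range(1, horizon + 1):
        if t in events:
            unit, is_up = events[t]
            up[unit], up_for[unit] = is_up, 0
        for u in up:
            if up[u]:
                up_for[u] += 1
        best = max((u for u in up if up[u]), key=priorities.get)
        if not up[master]:                    # Master stopped advertising
            missed += 1
            if missed >= master_down:
                master, missed = best, 0
                log.append((t, master))
        elif preempt and best != master and up_for[best] > preempt_delay:
            master = best                     # higher-priority unit takes the role back
            log.append((t, master))
    return log


def main():
    for label, kw in (("preempt disable", dict(preempt=False)),
                      ("preempt enabled, no delay", dict(preempt=True)),
                      ("preempt delay 120", dict(preempt=True, preempt_delay=120))):
        print(f"{label}: {simulate(PRIORITIES, EVENTS, **kw)}")


if __name__ == "__main__":
    main()
```

With `preempt disable` the returning unit stays Backup for good; with preemption and no delay it takes the role back the moment it is up, before the cluster services have resynchronized; with `preempt delay 120` the takeover happens 120 s after it came back.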
...
| Code block |
|---|
|
wlc-1(config-cluster)# cluster-interface bridge 1
wlc-1(config-cluster)# enable
wlc-1(config-cluster)# exit |
Proceed to the NTP configuration:
...
| Expand |
|---|
| Code block |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.1/24
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
softgre-controller
nas-ip-address 127.0.0.1
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit |
|
...
| Code block |
|---|
|
wlc-1# show cluster sync status
System part Synced
---------------------- ------
candidate-config Yes
running-config Yes
SW version Yes
licence Yes
licence (After reboot) Yes
date Yes |
| Note |
|---|
In version 1.3036.4 2, synchronization of encrypted passwords is not supported. |
...
| Note |
|---|
Each WLC needs its own license (WLC-WIDS-WIPS, BRAS, etc.). No separate license is required to activate the cluster functions. |
...
| Code block |
|---|
|
wlc-1# copy tftp://<IP_address>:/licence system:cluster-unit-licences
|*************************| 100% (680B) Licence loaded successfully.
wlc-1# show cluster-unit-licences
Serial number Features
--------------- ------------------------------------------------------------
NP0B003634 WLC-WIDS-WIPS,BRAS
NP0B009033 WLC-WIDS-WIPS,BRAS
wlc-1# sync cluster system force |
...
| Code block |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
vlan 2449
force-up
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit |
Solution:
Enter configuration mode:
...
| Code block |
|---|
|
wlc-1(config-object-group-service)# port-range 5432
wlc-1(config-object-group-service)# exit |
Create an object-group that opens, in the Firewall settings, the port through which the SoftGRE tunnels are synchronized:
| Code block |
|---|
|
wlc-1(config)# object-group service softgre_controller |
Specify the port used for SoftGRE tunnel synchronization:
...
...
Configure the SYNC_SRC object-group used by the failover services:
| Code block |
|---|
|
wlc-1(config)# object-group network SYNC_SRC |
Specify the IP addresses of the first and second cluster units:
| Code block |
|---|
|
wlc-1(config-object-group-network)# ip address-range 198.51.100.254 unit 1
wlc-1(config-object-group-network)# ip address-range 198.51.100.253 unit 2
wlc-1(config-object-group-network)# exit
|
...
| Code block |
|---|
|
wlc-1(config-bridge)# no ip address all
wlc-1(config-bridge)# ip address 192.168.2.3/24 unit 1
wlc-1(config-bridge)# ip address 192.168.2.2/24 unit 2 |
Specify the VRRP identifier:
...
| Code block |
|---|
|
wlc-1(config-vrrp)# group 1 |
Specify the priority for each unit:
| Code block |
|---|
|
wlc-1(config-vrrp)# priority 130 unit 1
wlc-1(config-vrrp)# priority 120 unit 2 |
Disable preemption of the Master role:
| Code block |
|---|
|
wlc-1(config-vrrp)# preempt disable |
Enable periodic sending of gratuitous ARP messages while the controller is in the Master state:
...
| Code block |
|---|
|
wlc-1(config-vrrp)# enable
wlc-1(config-vrrp)# exit |
Disable spanning-tree:
| Code block |
|---|
|
wlc-1(config-bridge)# no spanning-tree |
Enable the Bridge:
| Code block |
|---|
|
wlc-1(config-bridge)# enable
wlc-1(config-bridge)# exit |
...
| Code block |
|---|
|
wlc-1(config-crypto-sync)# remote-delete |
...
Enable certificate synchronization:
...
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 11 |
...
Specify the rule action (permit):
...
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group sync |
...
Enable the rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
...
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 10 |
Specify the rule action (permit):
...
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group journal_sync |
Enable the rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Go to the security zone-pair configuration and add a rule that permits VRRP traffic in the client zone:
| Code block |
|---|
|
wlc-1(config)# security zone-pair users self |
Create a new rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 11 |
Specify the rule action (permit):
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# action permit |
Specify a match on the VRRP protocol:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match protocol vrrp |
Enable the rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
To configure the security zone rules, create a service profile for the Firewall-failover port:
| Code block |
|---|
|
wlc-1(config)# object-group service FAILOVER |
Specify the port used for Firewall session synchronization:
| Code block |
|---|
|
wlc-1(config-object-group-service)# port-range 9999
wlc-1(config-object-group-service)# exit |
Go to the security zone-pair used for cluster service synchronization:
| Code block |
|---|
|
wlc-1(config)# security zone-pair SYNC self |
Create a new rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 5 |
Specify the rule action (permit):
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# action permit |
Specify a match on the UDP protocol:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match protocol udp |
Specify a match on the destination port, given as an object-group:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group FAILOVER |
Enable the new rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Proceed to the Firewall-failover configuration:
| Code block |
|---|
|
wlc-1(config)# ip firewall failover |
Set the unicast session backup mode:
| Code block |
|---|
|
wlc-1(config-firewall-failover)# sync-type unicast |
Specify the UDP port number of the Firewall session backup service:
| Code block |
|---|
|
wlc-1(config-firewall-failover)# port 9999 |
Enable Firewall session backup:
| Code block |
|---|
|
wlc-1(config-firewall-failover)# enable
wlc-1(config-firewall-failover)# exit |
The address ranges of the pools in the factory configuration must be replaced with ranges that exclude the VRRP and per-unit addresses. With unit addresses 192.168.1.2 and 192.168.1.3 and the VRRP address 192.168.1.1, the access-point pool starts at 192.168.1.4:
Go to the DHCP server pool configuration for access points:
| Code block |
|---|
|
wlc-1(config)# ip dhcp-server pool ap-pool |
Delete the factory address range and set a new one:
| Code block |
|---|
|
wlc-1(config-dhcp-server)# no address-range 192.168.1.2-192.168.1.254
wlc-1(config-dhcp-server)# address-range 192.168.1.4-192.168.1.254
wlc-1(config-dhcp-server)# exit |
Go to the DHCP server pool configuration for clients:
| Code block |
|---|
|
wlc-1(config)# ip dhcp-server pool users-pool |
Delete the factory address range and set a new one:
| Code block |
|---|
|
wlc-1(config-dhcp-server)# no address-range 192.168.2.2-192.168.2.254
wlc-1(config-dhcp-server)# address-range 192.168.2.4-192.168.2.254
wlc-1(config-dhcp-server)# exit |
Proceed to configuring DHCP server synchronization between the units:
| Code block |
|---|
|
wlc-1(config)# ip dhcp-server failover |
Specify the operating mode:
| Code block |
|---|
|
wlc-1(config-dhcp-server-failover)# mode active-standby |
Enable synchronization:
| Code block |
|---|
|
wlc-1(config-dhcp-server-failover)# enable
wlc-1(config-dhcp-server-failover)# exit |
Enable synchronization of the WEB interface:
| Code block |
|---|
|
wlc-1(config)# ip http failover |
Apply and confirm the changes:
| Code block |
|---|
|
wlc-1# commit
wlc-1# confirm |
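The procedure above states several rules in words that are easy to get wrong by hand: the VRRP address must sit in the subnet of the unit addresses on its bridge, every unit needs its own priority with preemption disabled, the DHCP ranges must skip the VRRP and per-unit addresses, and the `SYNC`-to-`self` zone-pair must let VRRP and the firewall-failover port through. The following linter, added here as an example and not Eltex code, reads the flat `exit`-terminated dump format the page uses and checks all four. The block-opening commands in `OPENERS`, the function names and the two sample configs (built from the page's values, not taken from a device) are this example's own assumptions.

```python
import ipaddress
import re
OPENERS = ("bridge ", "vrrp ", "object-group ", "ip dhcp-server pool ", "security zone-pair ", "rule ")

def parse(text):
    """Flat CLI dump -> tree of (command, children); an OPENERS command starts a block, "exit" ends it."""
    stack = [[]]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "exit":
            if len(stack) > 1:
                stack.pop()
        else:
            node = (line, [])
            stack[-1].append(node)
            if line.startswith(OPENERS):
                stack.append(node[1])
    return stack[0]

def kids(nodes, prefix):
    return [n for n in nodes if n[0].startswith(prefix)]

def lint(text):
    tree, findings, reserved = parse(text), [], set()  # reserved: addresses DHCP must never lease
    for name, body in kids(tree, "bridge "):
        units = {int(m.group(2)): ipaddress.ip_interface(m.group(1)) for sub, _ in body
                 if (m := re.fullmatch(r"ip address (\S+) unit (\d+)", sub))}
        reserved.update(i.ip for i in units.values())
        nets = {i.network for i in units.values()}
        for vcmd, vbody in kids(body, "vrrp "):
            tag, vip, prio = f"{name} {vcmd}", None, {}
            for sub, _ in vbody:
                if m := re.fullmatch(r"ip (?:address )?(\S+)", sub):
                    vip = ipaddress.ip_interface(m.group(1)).ip
                elif m := re.fullmatch(r"priority (\d+) unit (\d+)", sub):
                    prio[int(m.group(2))] = int(m.group(1))
            if vip is not None:
                reserved.add(vip)
                if any(vip not in n for n in nets):  # the page's note: the VIP must share the unit subnet
                    findings.append(f"{tag}: {vip} is outside the unit subnet(s) {sorted(map(str, nets))}")
            if len(set(prio.values())) < len(units):
                findings.append(f"{tag}: units lack distinct priorities")
            if ("preempt disable", []) not in vbody:
                findings.append(f"{tag}: preemption left enabled")
    for cmd, body in kids(tree, "ip dhcp-server pool "):
        for sub, _ in body:
            if m := re.fullmatch(r"address-range (\S+)-(\S+)", sub):
                lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
                hit = sorted(str(a) for a in reserved if lo <= int(a) <= hi)
                if hit:
                    findings.append(f"{cmd}: range leases reserved address(es) {hit}")
    ports = {}  # object-group service NAME -> port numbers, so firewall rules resolve to numbers
    for cmd, body in kids(tree, "object-group service "):
        ports[cmd.split()[-1]] = {p for sub, _ in body if (m := re.fullmatch(r"port-range (\d+)(?:-(\d+))?", sub))
                                  for p in range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1)}
    rules = []  # (proto, ports) of enabled permit rules in SYNC->self; an empty port set means any port
    for _, body in kids(tree, "security zone-pair SYNC self"):
        for _, rule in kids(body, "rule "):
            proto, dports = None, set()
            for sub, _ in rule:
                if m := re.fullmatch(r"match protocol (\S+)", sub):
                    proto = m.group(1)
                elif m := re.fullmatch(r"match destination-port object-group (\S+)", sub):
                    dports |= ports.get(m.group(1)) or {-1}  # an undefined group matches no port
            if proto and ("action permit", []) in rule and ("enable", []) in rule:
                rules.append((proto, dports))
    for proto, port in (("vrrp", None), ("udp", 9999)):  # VRRP itself and the firewall-failover port
        if not any(p == proto and (not d or port in d) for p, d in rules):
            findings.append(f"SYNC->self: no permit for {proto}{'' if port is None else f' {port}'}")
    return findings

def zone_rule(n, proto, group=None):  # one permit rule in the page's format
    port = f"match destination-port object-group {group}\n" if group else ""
    return f"rule {n}\naction permit\nmatch protocol {proto}\n{port}enable\nexit\n"

# Sample configs constructed from the page's values (bridge 5, SYNC->self, ap-pool); not a device dump.
GOOD_CONFIG = """\
object-group service FAILOVER
port-range 9999
exit
bridge 5
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
preempt disable
exit
exit
security zone-pair SYNC self
""" + zone_rule(2, "vrrp") + zone_rule(5, "udp", "FAILOVER") + """\
exit
ip dhcp-server pool ap-pool
address-range 192.168.1.4-192.168.1.254
exit
"""
# Same config with the page's pitfalls: VIP in another subnet, equal priorities, preemption on, pool leasing unit addresses, undefined group
BAD_CONFIG = (GOOD_CONFIG
              .replace("ip 192.168.1.1/32\npriority 130 unit 1\npriority 120 unit 2\npreempt disable\n",
                       "ip 192.168.9.1/32\npriority 130 unit 1\npriority 130 unit 2\n")
              .replace("address-range 192.168.1.4-", "address-range 192.168.1.2-")
              .replace("object-group FAILOVER\nenable", "object-group sync\nenable"))
```

`lint(GOOD_CONFIG)` returns no findings; `lint(BAD_CONFIG)` reports the out-of-subnet VRRP address, the duplicate priorities, the missing `preempt disable`, the DHCP range that would lease 192.168.1.2 and 192.168.1.3 to access points, and the missing UDP 9999 permit. Run it against `show running-config` output saved to a file before `commit`; the parser only knows the contexts listed in `OPENERS`, so extend that tuple for other blocks closed by `exit`.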
Full configuration of WLC-1
| Expand |
|---|
| Code block |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.254 unit 2
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
timers garp refresh 60
enable
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync |
|
| Раскрыть |
|---|
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service softgre_controller
port-range 1337
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.254 unit 2
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
group 1
enable
exit
enable
exit
bridge 2
rule 20
vlanaction 2permit
security-zone untrusted
match ipprotocol addressicmp
dhcp
no spanning-treeenable
enable
exit
bridge rule 330
vlan 3
action mtu 1458permit
security-zone users
ipmatch address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
group 1enable
exit
timersrule garp40
refresh 60
action enablepermit
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
group 1 match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
no spanning-tree
action enablepermit
exit
interface gigabitethernet 1/0/1
match modeprotocol switchportudp
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
rule 4
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 5
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
rule 10
action permit
match protocol tcp
match destination-port object-group journal_sync
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit
crypto-sync
remote-delete
enable
exit
|
The synchronization status of the services can be viewed with the command:
| Code block |
|---|
|
wlc-1# show high-availability state
VRRP role: Master
AP Tunnels:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:12
DHCP server:
VRF: --
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:28
crypto-sync:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:29
Firewall:
Firewall sessions and NAT translations:
Tracking VRRP Group 1
Tracking VRRP Group state: Master
State: Successful synchronization
Fault Reason: --
Last synchronization: 2025-02-05 16:38:30
WLC:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:29
WEB profiles:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:36
|
The VRRP synchronization status can be viewed with the command:
| Code block |
|---|
|
wlc-1# show vrrp
Unit 1* 'wlc-1'
------------------
Virtual router  Virtual IP         Priority  Preemption  State   Inherit  Sync group ID
--------------  -----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24    130       Disabled    Master  --       1
2               192.168.1.1/32     130       Disabled    Master  --       1
3               192.168.2.1/32     130       Disabled    Master  --       1
Unit 2 'wlc-2'
------------------
Virtual router  Virtual IP         Priority  Preemption  State   Inherit  Sync group ID
--------------  -----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24    120       Disabled    Master  --       1
2               192.168.1.1/32     120       Disabled    Master  --       1
3               192.168.2.1/32     120       Disabled    Master  --       1
|
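A small audit of the `show high-availability state` output shown above, as an added example that is not part of the original page: it parses the per-service blocks and flags any service whose state is not "Successful synchronization", whose last synchronization is older than a threshold, or whose firewall tracking state disagrees with the unit's VRRP role. The indented sample, the reference time and the 5-minute limit are constructed assumptions.

```python
"""Audit `show high-availability state` output from one WLC cluster unit.

Added example, not part of the original page; the indented sample is constructed
after the page's output and the 5-minute staleness limit is an assumption.
"""
from datetime import datetime, timedelta

# Constructed sample: crypto-sync last synchronized long before the other services.
SAMPLE = """\
VRRP role: Master
AP Tunnels:
    State: Successful synchronization
    Last synchronization: 2025-02-05 16:38:12
crypto-sync:
    State: Successful synchronization
    Last synchronization: 2025-02-05 15:02:29
Firewall:
  Firewall sessions and NAT translations:
    Tracking VRRP Group 1
    Tracking VRRP Group state: Master
    State: Successful synchronization
    Fault Reason: --
    Last synchronization: 2025-02-05 16:38:30
WLC:
    State: Successful synchronization
    Last synchronization: 2025-02-05 16:38:29
DHCP option 82 table:
    State: Disabled
"""
# Reference time for the sample (assumed); use datetime.now() against a live unit.
REFERENCE_NOW = datetime(2025, 2, 5, 16, 40, 0)


def parse_ha_state(text):
    """Return (vrrp_role, {service: {field: value}}) from the command output."""
    role, sections, current = None, {}, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep:                      # blank line or "Tracking VRRP Group 1"
            continue
        if key == "VRRP role":
            role = value
        elif not value:                  # "AP Tunnels:" opens a service section
            current = key
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value
    return role, sections


def check_ha_state(role, sections, now, max_age=timedelta(minutes=5)):
    """Flag services that are not synchronized, are stale, or track another VRRP role."""
    findings = []
    for name, fields in sections.items():
        state = fields.get("State")
        if not fields or state == "Disabled":   # bare header or unused service
            continue
        if state != "Successful synchronization":
            findings.append(f"{name}: state is {state!r}")
        last = fields.get("Last synchronization")
        if last:
            age = now - datetime.strptime(last, "%Y-%m-%d %H:%M:%S")
            if age > max_age:
                findings.append(f"{name}: last synchronization {last} is {age} old")
        tracked = fields.get("Tracking VRRP Group state")
        if tracked and tracked != role:
            findings.append(f"{name}: tracks VRRP state {tracked} but unit role is {role}")
    return findings


def audit(text, now=REFERENCE_NOW):
    """Parse and check in one call; an empty list means the unit is fully in sync."""
    role, sections = parse_ha_state(text)
    return check_ha_state(role, sections, now)
```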
WLC configuration (1+2 scheme)
...
| Code block |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
unit 3
mac-address 68:13:e2:7e:80:46
exit
enable
exit
hostname wlc-1 unit 1
hostname wlc-2 unit 2
hostname wlc-3 unit 3
vlan 2449
force-up
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
ip address 198.51.100.252/24 unit 3
vrrp 1
ip 198.51.100.1/24
group 1
enable
exit
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.4/24 unit 1
ip address 192.168.1.3/24 unit 2
ip address 192.168.1.2/24 unit 3
vrrp 2
ip 192.168.1.1/32
group 1
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 3/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 3/0/3
mode switchport
spanning-tree disable
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit |
...
Specify the port used for WLC journal synchronization:
| Code block |
|---|
|
wlc-1(config-object-group-service)# port-range 5432
wlc-1(config-object-group-service)# exit |
Create an object-group to open the Firewall ports through which the SoftGRE tunnels are synchronized:
| Code block |
|---|
|
wlc-1(config)# object-group service softgre_controller |
Specify the port used for SoftGRE tunnel synchronization:
| Code block |
|---|
|
wlc-1(config-object-group-service)# port-range 1337
wlc-1(config-object-group-service)# exit |
Configure the SYNC_SRC object-group for the failover services:
| Code block |
|---|
|
wlc-1(config)# object-group network SYNC_SRC |
...
| Code block |
|---|
|
wlc-1(config)# crypto-sync |
Specify the operating mode:
| Code block |
|---|
|
wlc-1(config-crypto-sync)# remote-delete |
...
Enable certificate synchronization:
...
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 11 |
Specify the rule action (permit):
...
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group sync |
Enable the rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Go to the security zone-pair configuration and open the ports used for synchronizing certificates, SoftGRE tunnels and WLC journals:
| Code block |
|---|
|
wlc-1(config)# security zone-pair SYNC self |
Create a new rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 4 |
Specify the rule action (permit):
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# action permit |
Specify a match on the TCP protocol:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match protocol tcp |
Specify a match on the destination port, given as an object-group:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group softgre_controller |
Enable the rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
...
To configure the security zone rules, create a profile for the Firewall-failover port:
| Code block |
|---|
|
wlc-1(config)# object-group service FAILOVER |
...
| Code block |
|---|
|
wlc-1(config)# security zone-pair SYNC self |
...
Create a new rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 5 |
...
| Code block |
|---|
|
wlc-1(config-firewall-failover)# sync-type multicast |
...
Specify the UDP port number of the Firewall session backup service:
...
| Code block |
|---|
|
wlc-1(config-dhcp-server)# no address-range 192.168.1.2-192.168.1.254
wlc-1(config-dhcp-server)# address-range 192.168.1.5-192.168.1.254
wlc-1(config-dhcp-server)# exit |
...
| Code block |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
unit 3
mac-address 68:13:e2:7e:80:46
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
hostname wlc-3 unit 3
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service softgre_controller
port-range 1337
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
ip address-range 198.51.100.252 unit 3
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.252 unit 1
ip address-range 198.51.100.254 unit 2
ip address-range 198.51.100.252 unit 2
ip address-range 198.51.100.253 unit 3
ip address-range 198.51.100.254 unit 3
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
timers garp refresh 60
enable
exit
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
interface gigabitethernet 3/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 3/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 3/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 3/0/4
mode switchport
exit
interface tengigabitethernet 3/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 3/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
rule 4
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 5
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
rule 10
action permit
match protocol tcp
match destination-port object-group journal_sync
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.5-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit
crypto-sync
remote-delete
enable
exit
|
...
| Code block |
|---|
|
wlc-1# show vrrp
Unit 1* 'wlc-1'
------------------
Virtual router  Virtual IP         Priority  Preemption  State   Inherit  Sync group ID
--------------  -----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24    130       Disabled    Master  --       1
2               192.168.1.1/32     130       Disabled    Master  --       1
3               192.168.2.1/32     130       Disabled    Master  --       1
Unit 2 'wlc-2'
------------------
Virtual router  Virtual IP         Priority  Preemption  State   Inherit  Sync group ID
--------------  -----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24    120       Disabled    Backup  --       1
2               192.168.1.1/32     120       Disabled    Backup  --       1
3               192.168.2.1/32     120       Disabled    Backup  --       1
Unit 3 'wlc-3'
------------------
Virtual router  Virtual IP         Priority  Preemption  State   Inherit  Sync group ID
--------------  -----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24    110       Disabled    Backup  --       1
2               192.168.1.1/32     110       Disabled    Backup  --       1
3               192.168.2.1/32     110       Disabled    Backup  --       1
|
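A consistency check over the `show vrrp` output above, as an added example that is not part of the original page: it parses the per-unit tables and reports a virtual router with zero or two Masters, a unit that reports no entry, duplicate priorities, and a sync group whose Master role is spread across units (all virtual routers in one sync group should be Master on the same unit). The sample output and the expected set of units are constructed assumptions.

```python
"""Check `show vrrp` output from every unit of a WLC cluster for split-brain.

Added example, not part of the original page. The sample output is constructed
after the page's `show vrrp` layout; the expected set of units is an assumption.
"""
import re
from collections import defaultdict

UNIT_RE = re.compile(r"^Unit (\d+)\*? '([^']+)'")
ROW_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\d+)\s+(Enabled|Disabled)\s+(Master|Backup|Init)\s+(\S+)\s+(\S+)\s*$"
)

# Constructed sample: VR 2 is Master on both units (split-brain) although all
# three virtual routers share sync group 1.
SAMPLE = """\
wlc-1# show vrrp
Unit 1* 'wlc-1'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   130       Disabled    Master  --       1
2               192.168.1.1/32    130       Disabled    Master  --       1
3               192.168.2.1/32    130       Disabled    Master  --       1
Unit 2 'wlc-2'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   120       Disabled    Backup  --       1
2               192.168.1.1/32    120       Disabled    Master  --       1
3               192.168.2.1/32    120       Disabled    Backup  --       1
"""


def parse_show_vrrp(text):
    """Return {vrid: [row per unit]} with unit, vip, priority, preempt, state, group."""
    routers, unit = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = UNIT_RE.match(line)
        if m:
            unit = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m and unit is not None:
            routers[int(m.group(1))].append({
                "unit": unit, "vip": m.group(2), "priority": int(m.group(3)),
                "preempt": m.group(4) == "Enabled", "state": m.group(5),
                "group": m.group(7),
            })
    return dict(routers)


def check_vrrp(routers, expected_units):
    """Return findings; an empty list means one Master per VR and per sync group."""
    findings, group_masters = [], defaultdict(set)
    for vrid, rows in sorted(routers.items()):
        masters = sorted(r["unit"] for r in rows if r["state"] == "Master")
        if len(masters) != 1:
            findings.append(f"VR {vrid}: {len(masters)} Master(s) on units {masters}")
        missing = sorted(expected_units - {r["unit"] for r in rows})
        if missing:
            findings.append(f"VR {vrid}: no entry from units {missing}")
        prios = [r["priority"] for r in rows]
        if len(set(prios)) != len(prios):
            findings.append(f"VR {vrid}: duplicate priorities {prios}")
        for r in rows:
            group_masters[r["group"]].update(masters)
    for group, units in sorted(group_masters.items()):
        if len(units) > 1:           # all VRs of one sync group must sit on one unit
            findings.append(f"sync group {group}: Master split across units {sorted(units)}")
    return findings
```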
...
System prompt configuration
The system prompt makes it possible to display the cluster's operational state directly in the device's CLI prompt, which makes it easier to obtain up-to-date information.
The system prompt configuration options, including the available parameters and the command syntax, are given in the section Configuring system-wide parameters.
Configuration example
Task:
Configure the system prompt in the cluster of routers wlc-1 and wlc-2 with the following parameters:
...