...
| Note |
|---|
| The hostname specified with a unit binding takes precedence. |
The factory Bridge settings must be removed so that it can then be configured from scratch:
...
```text
wlc-1(config-bridge)# ip address 192.168.1.4/24 unit 1
wlc-1(config-bridge)# ip address 192.168.1.3/24 unit 2
wlc-1(config-bridge)# ip address 192.168.1.2/24 unit 3
```
Configure VRRP:

| Note |
|---|
| To avoid unnecessary VRRP switchovers, the example disables preemption of the Master role from the current Master device, even when that device has a lower priority. If you do need preemption, introduce a preemption delay so that the services have time to synchronize their data: |

```text
vrrp preempt delay 120
```

```text
wlc-1(config-bridge)# vrrp 2
wlc-1(config-vrrp)# ip address 192.168.1.1/32
wlc-1(config-vrrp)# priority 130 unit 1
wlc-1(config-vrrp)# priority 120 unit 2
wlc-1(config-vrrp)# group 1
wlc-1(config-vrrp)# preempt disable
wlc-1(config-vrrp)# enable
wlc-1(config-vrrp)# exit
```

For the 1+2 scheme, a priority must also be set for the third unit:

```text
wlc-1(config-bridge)# vrrp 2
wlc-1(config-vrrp)# priority 110 unit 3
wlc-1(config-vrrp)# exit
```

Disable spanning-tree and enable the Bridge:

```text
wlc-1(config-bridge)# no spanning-tree
wlc-1(config-bridge)# enable
wlc-1(config-bridge)# exit
```

Proceed to configuring the first unit's interface:

```text
wlc-1(config)# interface gigabitethernet 1/0/2
```

For convenience, set an interface description:

```text
wlc-1(config-if-gi)# description "Local"
```

Switch the interface to L2 mode:
...
```text
wlc-1(config)# security zone SYNC
wlc-1(config-security-zone)# exit
wlc-1(config)# security zone-pair SYNC self
wlc-1(config-security-zone-pair)# rule 1
wlc-1(config-security-zone-pair-rule)# action permit
wlc-1(config-security-zone-pair-rule)# match protocol icmp
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# rule 2
wlc-1(config-security-zone-pair-rule)# action permit
wlc-1(config-security-zone-pair-rule)# match protocol vrrp
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit
```
Proceed to the cluster interface settings:

```text
wlc-1(config)# bridge 1
```
| Note |
|---|
| In firmware version 1.3036.4 2, only a bridge is supported as the cluster interface. |
...
```text
wlc-1(config-bridge)# vrrp 1
wlc-1(config-vrrp)# ip address 198.51.100.1/24
wlc-1(config-vrrp)# priority 130 unit 1
wlc-1(config-vrrp)# priority 120 unit 2
wlc-1(config-vrrp)# group 1
wlc-1(config-vrrp)# preempt disable
wlc-1(config-vrrp)# enable
wlc-1(config-vrrp)# exit
```
| Note |
|---|
| For the cluster configuration, the VRRP address must be strictly in the same subnet as the addresses on the interface. |
...
```text
wlc-1(config-bridge)# enable
wlc-1(config-bridge)# exit
```
Configure the physical ports for the dedicated synchronization link between routers wlc-1 and wlc-2:
...
```text
wlc-1# show vrrp
Virtual router   Virtual IP          Priority   Preemption   State    Inherit   Sync group ID
--------------   -----------------   --------   ----------   ------   -------   -------------
1                198.51.100.1/24     130        Disabled     Backup   --        1
2                192.168.1.1/32      130        Disabled     Backup   --        1
```
You can see that the device has taken the Backup state. After 10 seconds the device will take the Master state.
...
```text
wlc-1(config-cluster)# cluster-interface bridge 1
wlc-1(config-cluster)# enable
wlc-1(config-cluster)# exit
```
Proceed to NTP configuration:
...
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.1/24
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.5-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
softgre-controller
nas-ip-address 127.0.0.1
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit
...
```text
wlc-1# show cluster sync status
System part              Synced
----------------------   ------
candidate-config         Yes
running-config           Yes
SW version               Yes
licence                  Yes
licence (After reboot)   Yes
date                     Yes
```
| Note |
|---|
| In version 1.3036.4 2, synchronization of encrypted passwords is not supported. |
...
| Note |
|---|
| Each wlc needs its own license (WiFi, WLC-WIDS-WIPS, BRAS, etc.). No separate license is required to activate the cluster functions. |
...
```text
wlc-1# copy tftp://<IP_address>:/licence system:cluster-unit-licences
|*************************| 100% (680B) Licence loaded successfully.
wlc-1# show cluster-unit-licences
Serial number     Features
---------------   ------------------------------------------------------------
NP0B003634        WLC-WIDS-WIPS,BRAS
NP0B009033        WLC-WIDS-WIPS,BRAS
wlc-1# sync cluster system force
```
...
```text
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
vlan 2449
force-up
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit
```
Solution:
Enter configuration mode:
...
```text
wlc-1(config-object-group-service)# port-range 5432
wlc-1(config-object-group-service)# exit
```

Create an object-group for opening the ports in the Firewall settings through which the SoftGRE tunnels are synchronized:

```text
wlc-1(config)# object-group service softgre_controller
```

Specify the port used for SoftGRE tunnel synchronization:
...
...
Configure the SYNC_SRC object-group for setting up the failover services:

```text
wlc-1(config)# object-group network SYNC_SRC
```

Specify the IP addresses of the first and second cluster units:

```text
wlc-1(config-object-group-network)# ip address-range 198.51.100.254 unit 1
wlc-1(config-object-group-network)# ip address-range 198.51.100.253 unit 2
wlc-1(config-object-group-network)# exit
```
...
```text
wlc-1(config-bridge)# no ip address all
wlc-1(config-bridge)# ip address 192.168.2.3/24 unit 1
wlc-1(config-bridge)# ip address 192.168.2.2/24 unit 2
```

Specify the VRRP identifier:
...
```text
wlc-1(config-vrrp)# group 1
```

Specify the priority for each unit:

```text
wlc-1(config-vrrp)# priority 130 unit 1
wlc-1(config-vrrp)# priority 120 unit 2
```

Disable preemption of the Master role:

```text
wlc-1(config-vrrp)# preempt disable
```

Enable periodic sending of Gratuitous ARP messages while the controller is in the Master state:
...
```text
wlc-1(config-vrrp)# enable
wlc-1(config-vrrp)# exit
```

Disable spanning-tree:

```text
wlc-1(config-bridge)# no spanning-tree
```

Enable the Bridge:

```text
wlc-1(config-bridge)# enable
wlc-1(config-bridge)# exit
```
...
```text
wlc-1(config-crypto-sync)# remote-delete
```
...
Enable certificate synchronization:
...
```text
wlc-1(config-security-zone-pair)# rule 11
```
...
Set the rule action to permit:
...
```text
wlc-1(config-security-zone-pair-rule)# match destination-port object-group sync
```
...
Enable the rule:

```text
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit
```
...
```text
wlc-1(config-security-zone-pair)# rule 4
```

Set the rule action to permit:
...
```text
wlc-1(config-security-zone-pair-rule)# match destination-port object-group softgre_controller
```

Enable the rule:

```text
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit
```

Repeat the same steps for the journal_sync object-group:

```text
wlc-1(config-security-zone-pair)# rule 10
```

Set the rule action to permit:
...
```text
wlc-1(config-security-zone-pair-rule)# match destination-port object-group journal_sync
```

Enable the rule:

```text
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit
```
Go to the security zone-pair configuration and add a permit for VRRP traffic in the client zone:

```text
wlc-1(config)# security zone-pair users self
```

Create a new rule:

```text
wlc-1(config-security-zone-pair)# rule 11
```

Set the rule action to permit:

```text
wlc-1(config-security-zone-pair-rule)# action permit
```

Specify a protocol match for VRRP:

```text
wlc-1(config-security-zone-pair-rule)# match protocol vrrp
```

Enable the rule:

```text
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit
```

To configure the security zone rules, create a profile for the Firewall-failover port:

```text
wlc-1(config)# object-group service FAILOVER
```

Specify the port used for Firewall session synchronization:

```text
wlc-1(config-object-group-service)# port-range 9999
wlc-1(config-object-group-service)# exit
```

Go to the security zone-pair configuration for cluster service synchronization:

```text
wlc-1(config)# security zone-pair SYNC self
```

Create a new rule:

```text
wlc-1(config-security-zone-pair)# rule 5
```

Set the rule action to permit:

```text
wlc-1(config-security-zone-pair-rule)# action permit
```

Specify a protocol match for UDP:

```text
wlc-1(config-security-zone-pair-rule)# match protocol udp
```

Specify a destination-port match using the object-group:

```text
wlc-1(config-security-zone-pair-rule)# match destination-port object-group FAILOVER
```

Enable the new rule:

```text
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit
```

Proceed to the Firewall-failover configuration:

```text
wlc-1(config)# ip firewall failover
```

Set the session redundancy mode to unicast:

```text
wlc-1(config-firewall-failover)# sync-type unicast
```

Specify the UDP port number of the Firewall session redundancy service:

```text
wlc-1(config-firewall-failover)# port 9999
```

Enable Firewall session redundancy:

```text
wlc-1(config-firewall-failover)# enable
wlc-1(config-firewall-failover)# exit
```
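The SYNC-to-self zone-pair built in the steps above is what every cluster service depends on, and a rule that was created but never enabled, or a service object-group that no rule references, fails silently. The following Python script is an added example, not code from the page or from the vendor: it parses a flattened running-config style listing (a constructed sample below, with two deliberate defects) and reports which required services have no enabled permit rule in `security zone-pair SYNC self` and which rules exist but are disabled. The required-service baseline, the function names and the sample are assumptions made for the example.

```python
import re

# Constructed sample, not one of the page's listings: the service object-groups
# and the SYNC-to-self zone-pair as the flattened running-config prints them,
# with two deliberate defects: no rule for the "sync" group (tcp/873), and
# rule 10 for journal_sync left without "enable".
SAMPLE_FIREWALL = """\
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service FAILOVER
port-range 9999
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
rule 5
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
rule 10
action permit
match protocol tcp
match destination-port object-group journal_sync
exit
exit
"""

# Services the cluster needs on the SYNC link, as listed on this page
# (assumed here as the audit baseline); None means "any port".
REQUIRED = [("icmp", None), ("vrrp", None), ("ah", None),
            ("udp", 9999), ("tcp", 873), ("tcp", 5432)]


def parse_firewall(text):
    """groups: name -> [(low, high)]; pairs: (src, dst) -> [rule dicts]."""
    groups, pairs = {}, {}
    group = pair = rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object-group service (\S+)", line):
            group, groups[m[1]] = m[1], []
        elif group and (m := re.fullmatch(r"port-range (\d+)(?:-(\d+))?", line)):
            groups[group].append((int(m[1]), int(m[2] or m[1])))
        elif m := re.fullmatch(r"security zone-pair (\S+) (\S+)", line):
            group, pair, pairs[(m[1], m[2])] = None, (m[1], m[2]), []
        elif pair and (m := re.fullmatch(r"rule (\d+)", line)):
            rule = {"id": int(m[1]), "action": None, "protocol": None,
                    "dport": None, "enabled": False}
            pairs[pair].append(rule)
        elif rule is not None:
            if line.startswith("action "):
                rule["action"] = line.split()[1]
            elif line.startswith("match protocol "):
                rule["protocol"] = line.split()[2]
            elif line.startswith("match destination-port object-group "):
                rule["dport"] = line.split()[-1]
            elif line == "enable":
                rule["enabled"] = True
            elif line == "exit":
                rule = None
        elif line == "exit":  # closes the open object-group or zone-pair
            group = pair = None
    return groups, pairs


def audit_sync_zone_pair(groups, pairs):
    """Return (missing, disabled): REQUIRED entries with no enabled permit rule
    in `security zone-pair SYNC self`, and ids of permit rules left disabled."""
    permitted, disabled = [], []
    for r in pairs.get(("SYNC", "self"), []):
        if r["action"] != "permit":
            continue
        if not r["enabled"]:
            disabled.append(r["id"])
            continue
        # no destination-port match means every port of that protocol
        for rng in (groups.get(r["dport"], []) if r["dport"] else [None]):
            permitted.append((r["protocol"], rng))

    def covered(proto, port):
        return any(p == proto and (rng is None or
                   (port is not None and rng[0] <= port <= rng[1]))
                   for p, rng in permitted)

    missing = [(proto, port) for proto, port in REQUIRED if not covered(proto, port)]
    return missing, disabled
```

Running `audit_sync_zone_pair(*parse_firewall(SAMPLE_FIREWALL))` reports tcp/873 and tcp/5432 as missing and rule 10 as disabled; on a real unit, feed it the output of `show running-config` instead of the sample.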
The pools defined in the factory configuration must be deleted and new ones defined that exclude the VRRP addresses.

Go to the DHCP server pool configuration for the access points:

```text
wlc-1(config)# ip dhcp-server pool ap-pool
```

Delete the pool and create a new one:

```text
wlc-1(config-dhcp-server)# no address-range 192.168.1.2-192.168.1.254
wlc-1(config-dhcp-server)# address-range 192.168.1.5-192.168.1.254
wlc-1(config-dhcp-server)# exit
```

Go to the DHCP server pool configuration for clients:

```text
wlc-1(config)# ip dhcp-server pool users-pool
```

Delete the pool and create a new one:

```text
wlc-1(config-dhcp-server)# no address-range 192.168.2.2-192.168.2.254
wlc-1(config-dhcp-server)# address-range 192.168.2.4-192.168.2.254
wlc-1(config-dhcp-server)# exit
```

Proceed to configuring DHCP server synchronization between the units:

```text
wlc-1(config)# ip dhcp-server failover
```

Specify the operating mode:

```text
wlc-1(config-dhcp-server-failover)# mode active-standby
```

Enable synchronization:

```text
wlc-1(config-dhcp-server-failover)# enable
wlc-1(config-dhcp-server-failover)# exit
```

Enable synchronization of the WEB interface:

```text
wlc-1(config)# ip http failover
```

Apply and confirm the changes:

```text
wlc-1# commit
wlc-1# confirm
```
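Two rules on this page are easy to get wrong by hand: the VRRP address must be in the same subnet as the unit addresses on the bridge (the note on the cluster interface above), and the DHCP pools must be re-cut so they never hand out the unit or VRRP addresses (the pool steps just above). The Python script below is an added example, not the page's or the vendor's code. It parses a flattened bridge/DHCP listing (a constructed sample containing bridge 3 as configured above, a hypothetical bridge 9 that breaks the subnet rule, and users-pool with its factory range) and reports violations, then suggests the first safe range start. Function names and the sample are assumptions.

```python
import ipaddress
import re

# Constructed sample, not one of the page's listings: bridge 3 as configured
# above, a hypothetical bridge 9 whose VRRP address lies outside the subnet of
# its unit addresses, and users-pool still carrying the factory address-range.
SAMPLE_CONFIG = """\
bridge 3
ip address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32
group 1
enable
exit
enable
exit
bridge 9
ip address 10.10.10.3/24 unit 1
ip address 10.10.10.2/24 unit 2
vrrp 9
ip 10.20.0.1/32
enable
exit
enable
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.2-192.168.2.254
exit
"""


def parse(text):
    """bridges: id -> {"units": [IPv4Interface], "vrrp": IPv4Address or None};
    pools: name -> {"network": IPv4Network, "range": (first, last)}.
    A small context stack tracks only the nesting that matters here."""
    bridges, pools, ctx = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        top, key = ctx[-1] if ctx else (None, None)
        if line == "exit":
            if ctx:
                ctx.pop()
        elif m := re.fullmatch(r"bridge (\d+)", line):
            bridges[m[1]] = {"units": [], "vrrp": None}
            ctx.append(("bridge", m[1]))
        elif m := re.fullmatch(r"ip dhcp-server pool (\S+)", line):
            pools[m[1]] = {"network": None, "range": None}
            ctx.append(("pool", m[1]))
        elif line == "vendor-specific":  # nested block inside ap-pool
            ctx.append(("other", None))
        elif top == "bridge" and re.fullmatch(r"vrrp \d+", line):
            ctx.append(("vrrp", key))
        elif top == "bridge" and (m := re.fullmatch(r"ip address (\S+) unit \d+", line)):
            bridges[key]["units"].append(ipaddress.ip_interface(m[1]))
        elif top == "vrrp" and (m := re.fullmatch(r"ip (\S+)", line)):
            bridges[key]["vrrp"] = ipaddress.ip_interface(m[1]).ip
        elif top == "pool" and (m := re.fullmatch(r"network (\S+)", line)):
            pools[key]["network"] = ipaddress.ip_network(m[1])
        elif top == "pool" and (m := re.fullmatch(r"address-range (\S+)-(\S+)", line)):
            pools[key]["range"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
    return bridges, pools


def check_vrrp_subnets(bridges):
    """Page rule: the VRRP address must be in the same subnet as the unit addresses."""
    findings = []
    for bid, b in bridges.items():
        for net in sorted({u.network for u in b["units"]}):
            if b["vrrp"] is not None and b["vrrp"] not in net:
                findings.append(f"bridge {bid}: vrrp {b['vrrp']} outside {net}")
    return findings


def reserved_addresses(bridges):
    """Unit and VRRP addresses that no DHCP pool may hand out, sorted."""
    out = []
    for b in bridges.values():
        out += [u.ip for u in b["units"]]
        if b["vrrp"] is not None:
            out.append(b["vrrp"])
    return sorted(out)


def check_dhcp_pools(bridges, pools):
    """Page rule: pool ranges must exclude the VRRP (and unit) addresses."""
    findings = []
    for name, p in pools.items():
        if p["range"] is None:
            continue
        lo, hi = p["range"]
        for addr in reserved_addresses(bridges):
            if lo <= addr <= hi:
                findings.append(f"pool {name}: {lo}-{hi} includes {addr}")
    return findings


def suggest_start(pool, bridges):
    """First address above every reserved address inside the pool's network."""
    inside = [a for a in reserved_addresses(bridges) if a in pool["network"]]
    return max(inside) + 1 if inside else pool["network"].network_address + 1


def fixed_pools(pools, bridges):
    """Copy of the pools with each range moved up to suggest_start()."""
    return {name: {**p, "range": (suggest_start(p, bridges), p["range"][1])}
            for name, p in pools.items() if p["range"] is not None}
```

For users-pool the suggested start is 192.168.2.4, which is exactly the range the page configures; re-running `check_dhcp_pools` over `fixed_pools(...)` returns no findings.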
Full configuration of WLC-1
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.254 unit 2
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
timers garp refresh 60
enable
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync
Full configuration of WLC-1
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service softgre_controller
port-range 1337
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.254 unit 2
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
group 1
enable
exit
enable
exit
bridge 2
rule 20
vlanaction 2permit
security-zone untrusted
match ipprotocol addressicmp
dhcp
no spanning-treeenable
enable
exit
bridge rule 330
vlan 3
action mtu 1458permit
security-zone users
ipmatch address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
group 1enable
exit
timersrule garp40
refresh 60
action enablepermit
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
group 1 match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
no spanning-tree
action enablepermit
exit
interface gigabitethernet 1/0/1
match modeprotocol switchportudp
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
rule 4
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 5
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
rule 10
action permit
match protocol tcp
match destination-port object-group journal_sync
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.5-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit
crypto-sync
remote-delete
enable
exit
|
|
The service synchronization status can be viewed with the command:
| Code block |
|---|
|
wlc-1# show high-availability state
VRRP role: Master
AP Tunnels:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:12
DHCP server:
VRF: --
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:28
crypto-sync:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:29
Firewall:
Firewall sessions and NAT translations:
Tracking VRRP Group 1
Tracking VRRP Group state: Master
State: Successful synchronization
Fault Reason: --
Last synchronization: 2025-02-05 16:38:30
WLC:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:29
WEB profiles:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:36 |
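As an added example, not taken from the Eltex documentation, the Python check below parses `show high-availability state` output in the format shown above (run on the Master unit) and reports every service whose state is not "Successful synchronization", that has a fault reason set, or that has not synchronized within a configurable window. The sample output is constructed, with the crypto-sync section deliberately shown as failed so the check has something to report.

```python
from datetime import datetime, timedelta

# Constructed sample in the format of "show high-availability state" above;
# the crypto-sync section is deliberately shown as failed so that the check
# has something to report.
SAMPLE_OUTPUT = """\
VRRP role: Master
DHCP server:
  VRF: --
  State: Successful synchronization
  Last synchronization: 2025-02-05 16:38:28
crypto-sync:
  State: Synchronization failed
  Fault Reason: peer unreachable
  Last synchronization: 2025-02-05 15:10:02
Firewall:
  Firewall sessions and NAT translations:
    Tracking VRRP Group 1
    State: Successful synchronization
    Fault Reason: --
    Last synchronization: 2025-02-05 16:38:30
WLC:
  State: Successful synchronization
  Last synchronization: 2025-02-05 16:38:29
"""

OK_STATE = "Successful synchronization"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ha_state(text):
    """Return (vrrp_role, {section: {key: value}}).

    A line ending in ':' opens a section and 'Key: value' lines belong to the
    last opened section; indentation is ignored, so a flattened copy of the
    output parses the same way as the indented device output.
    """
    role, sections, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("VRRP role:"):
            role = line.split(":", 1)[1].strip()
        elif line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
        elif ":" in line and current is not None:
            key, value = (part.strip() for part in line.split(":", 1))
            sections[current][key] = value
    return role, sections


def find_problems(text, now, max_age_minutes=10):
    """Return findings for every service that is not healthy.

    'now' is a timestamp in the device's own format. A service is reported
    when its State differs from OK_STATE, when a Fault Reason other than
    '--' is set, or when its last synchronization is older than
    max_age_minutes. Sections without a State line (e.g. "Firewall:") are
    containers and are skipped.
    """
    ref = datetime.strptime(now, TS_FORMAT)
    max_age = timedelta(minutes=max_age_minutes)
    role, sections = parse_ha_state(text)
    problems = []
    if role != "Master":
        problems.append(f"VRRP role is {role!r}, expected Master")
    for name, fields in sections.items():
        if "State" not in fields:
            continue
        if fields["State"] != OK_STATE:
            problems.append(f"{name}: state {fields['State']!r}")
        if fields.get("Fault Reason", "--") != "--":
            problems.append(f"{name}: fault {fields['Fault Reason']!r}")
        ts = fields.get("Last synchronization")
        if ts and ref - datetime.strptime(ts, TS_FORMAT) > max_age:
            problems.append(f"{name}: last synchronization {ts} is stale")
    return problems
```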
The VRRP synchronization status can be viewed with the command:
| Code block |
|---|
|
wlc-1# show vrrp
Unit 1* 'wlc-1'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   130       Disabled    Master  --       1
2               192.168.1.1/32    130       Disabled    Master  --       1
3               192.168.2.1/32    130       Disabled    Master  --       1
Unit 2 'wlc-2'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   120       Disabled    Master  --       1
2               192.168.1.1/32    120       Disabled    Master  --       1
3               192.168.2.1/32    120       Disabled    Master  --       1
|
WLC configuration (1+2 scheme)
...
| Code block |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
unit 3
mac-address 68:13:e2:7e:80:46
exit
enable
exit
hostname wlc-1 unit 1
hostname wlc-2 unit 2
hostname wlc-3 unit 3
vlan 2449
force-up
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
ip address 198.51.100.252/24 unit 3
vrrp 1
ip 198.51.100.1/24
group 1
enable
exit
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.4/24 unit 1
ip address 192.168.1.3/24 unit 2
ip address 192.168.1.2/24 unit 3
vrrp 2
ip 192.168.1.1/32
group 1
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 3/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 3/0/3
mode switchport
spanning-tree disable
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit |
...
| Code block |
|---|
|
wlc-1(config-object-group-service)# port-range 873
wlc-1(config-object-group-service)# exit |
Create an object-group to open, in the Firewall settings, the ports through which the WLC logs are synchronized:
| Code block |
|---|
|
wlc-1(config)# object-group service journal_sync |
Specify the port used to synchronize the WLC logs:
| Code block |
|---|
|
wlc-1(config-object-group-service)# port-range 5432
wlc-1(config-object-group-service)# exit |
...
Create an object-group to open, in the Firewall settings, the ports through which the SoftGRE tunnels are synchronized:
| Code block |
|---|
|
wlc-1(config)# object-group service softgre_controller |
Specify the port used to synchronize the SoftGRE tunnels:
| Code block |
|---|
|
wlc-1(config-object-group-service)# port-range 1337
wlc-1(config-object-group-service)# exit |
Configure the SYNC_SRC object-group used to set up the failover services:
| Code block |
|---|
|
wlc-1(config)# object-group network SYNC_SRC |
...
| Code block |
|---|
|
wlc-1(config)# crypto-sync |
Specify the operating mode:
| Code block |
|---|
|
wlc-1(config-crypto-sync)# remote-delete |
Enable certificate synchronization:
...
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 11 |
Set the rule action to permit:
...
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group sync |
Enable the rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Go to the security-zone configuration and open the ports used to synchronize certificates, SoftGRE tunnels and WLC logs:
| Code block |
|---|
|
wlc-1(config)# security zone-pair SYNC self |
Create a new rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 4 |
Set the rule action to permit:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# action permit |
Specify a match on the TCP protocol:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match protocol tcp |
Specify a match on the destination port, given as an object-group:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group softgre_controller |
Enable the rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
...
To configure the security zone rules, create a profile for the Firewall-failover port:
| Code block |
|---|
|
wlc-1(config)# object-group service FAILOVER |
...
| Code block |
|---|
|
wlc-1(config)# security zone-pair SYNC self |
...
Create a new rule:
| Code block |
|---|
|
wlc-1(config-security-zone-pair)# rule 5 |
...
| Code block |
|---|
|
wlc-1(config-firewall-failover)# sync-type multicast |
...
Specify the UDP port number of the Firewall session failover service:
...
| Expand |
|---|
| Code block |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
unit 3
mac-address 68:13:e2:7e:80:46
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
hostname wlc-3 unit 3
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service softgre_controller
port-range 1337
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
ip address-range 198.51.100.252 unit 3
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.252 unit 1
ip address-range 198.51.100.254 unit 2
ip address-range 198.51.100.252 unit 2
ip address-range 198.51.100.253 unit 3
ip address-range 198.51.100.254 unit 3
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
timers garp refresh 60
enable
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
interface gigabitethernet 3/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 3/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 3/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 3/0/4
mode switchport
exit
interface tengigabitethernet 3/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 3/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
rule 4
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 5
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
rule 10
action permit
match protocol tcp
match destination-port object-group journal_sync
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.5-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit
crypto-sync
remote-delete
enable
exit
|
|
...
| Code block |
|---|
|
wlc-1# show vrrp
Unit 1* 'wlc-1'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   130       Disabled    Master  --       1
2               192.168.1.1/32    130       Disabled    Master  --       1
3               192.168.2.1/32    130       Disabled    Master  --       1
Unit 2 'wlc-2'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   120       Disabled    Backup  --       1
2               192.168.1.1/32    120       Disabled    Backup  --       1
3               192.168.2.1/32    120       Disabled    Backup  --       1
Unit 3 'wlc-3'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   110       Disabled    Backup  --       1
2               192.168.1.1/32    110       Disabled    Backup  --       1
3               192.168.2.1/32    110       Disabled    Backup  --       1
|
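As an added example, not part of the documentation, the script below parses `show vrrp` output in the format above for the 1+2 scheme and audits it: each virtual router must have exactly one Master across the units, the priorities must match the configured 130/120/110, preemption must be Disabled and all units must report the same sync group. The sample is constructed; unit 3 is deliberately shown as Master for virtual router 2 so the check flags the duplicate Master.

```python
import re

# Constructed sample in the format of "show vrrp" above for the 1+2 scheme;
# unit 3 is deliberately shown as Master for virtual router 2 so that the
# one-Master check has something to flag.
SAMPLE_SHOW_VRRP = """\
Unit 1* 'wlc-1'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   130       Disabled    Master  --       1
2               192.168.1.1/32    130       Disabled    Master  --       1
3               192.168.2.1/32    130       Disabled    Master  --       1
Unit 2 'wlc-2'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   120       Disabled    Backup  --       1
2               192.168.1.1/32    120       Disabled    Backup  --       1
3               192.168.2.1/32    120       Disabled    Backup  --       1
Unit 3 'wlc-3'
------------------
Virtual router  Virtual IP        Priority  Preemption  State   Inherit  Sync group ID
--------------  ----------------  --------  ----------  ------  -------  -------------
1               198.51.100.1/24   110       Disabled    Backup  --       1
2               192.168.1.1/32    110       Disabled    Master  --       1
3               192.168.2.1/32    110       Disabled    Backup  --       1
"""

# Priorities as configured on the page ("priority 130 unit 1" and so on).
EXPECTED_PRIORITY = {1: 130, 2: 120, 3: 110}
UNIT_RE = re.compile(r"^Unit (\d+)\*? '([^']+)'")


def parse_show_vrrp(text):
    """Return {unit_number: [row dict, ...]} parsed from the table."""
    units, current = {}, None
    for raw in text.splitlines():
        m = UNIT_RE.match(raw)
        if m:
            current = int(m.group(1))
            units[current] = []
            continue
        cols = raw.split()
        # Data rows start with the numeric VRID; header/separator lines do not.
        if current is not None and len(cols) >= 7 and cols[0].isdigit():
            units[current].append({
                "vrid": int(cols[0]), "vip": cols[1], "priority": int(cols[2]),
                "preemption": cols[3], "state": cols[4], "inherit": cols[5],
                "sync_group": cols[6],
            })
    return units


def audit_vrrp(units, expected_priority=EXPECTED_PRIORITY):
    """Return findings: wrong priority, preemption enabled, several or no
    Masters for one virtual router, or units disagreeing on the sync group."""
    problems, by_vrid = [], {}
    for unit, rows in units.items():
        for row in rows:
            by_vrid.setdefault(row["vrid"], []).append((unit, row))
            want = expected_priority.get(unit)
            if want is not None and row["priority"] != want:
                problems.append(f"unit {unit} vrid {row['vrid']}: priority {row['priority']}, expected {want}")
            if row["preemption"] != "Disabled":
                problems.append(f"unit {unit} vrid {row['vrid']}: preemption {row['preemption']}, expected Disabled")
    for vrid, entries in sorted(by_vrid.items()):
        masters = [unit for unit, row in entries if row["state"] == "Master"]
        if len(masters) != 1:
            problems.append(f"vrid {vrid}: Master on units {masters}")
        groups = {row["sync_group"] for _, row in entries}
        if len(groups) != 1:
            problems.append(f"vrid {vrid}: sync groups {sorted(groups)}")
    return problems
```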
...
System prompt configuration
The system prompt makes it possible to display the current state of the cluster directly in the device's CLI prompt, which makes it easier to obtain up-to-date information.
The system prompt configuration options, including the available parameters and command syntax, are described in the section "Configuring system-wide parameters".
Configuration example
Task:
Configure the system prompt in a cluster of routers wlc-1 and wlc-2 with the following parameters:
...