...
| Примечание |
|---|
Более приоритетным является hostname, указанный с привязкой к unit. |
Необходимо удалить заводские настройки Bridge, чтобы далее сконфигурировать его с нуля:
...
| Примечание |
|---|
Для избежания лишних переключений VRRP, в приведенном примере отключен перехват роли Master у текущего Master-устройства с более низким приоритетом. Если вам требуется перехват роли, то нужно вводить задержку для перехвата, чтобы сервисы успели синхронизировать данные. | Блок кода |
|---|
vrrp preempt delay 120 |
|
...
| Блок кода |
|---|
|
wlc-1(config-bridge)# vrrp 2
wlc-1(config-vrrp)# priority 110 unit 3
wlc-1(config-vrrp)# exit
|
Отключите работу spanning-tree и включите работу Bridge:
...
| Блок кода |
|---|
|
wlc-1(config)# security zone SYNC
wlc-1(config-security-zone)# exit
wlc-1(config)# security zone-pair SYNC self
wlc-1(config-security-zone-pair)# rule 1
wlc-1(config-security-zone-pair-rule)# action permit
wlc-1(config-security-zone-pair-rule)# match protocol icmp
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# rule 2
wlc-1(config-security-zone-pair-rule)# action permit
wlc-1(config-security-zone-pair-rule)# match protocol vrrp
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Перейдите к Перейдите к настройкам кластерного интерфейса:
...
| Блок кода |
|---|
|
wlc-1(config-bridge)# vrrp 1
wlc-1(config-vrrp)# ip address 198.51.100.1/24
wlc-1(config-vrrp)# priority 130 unit 1
wlc-1(config-vrrp)# priority 120 unit 2
wlc-1(config-vrrp)# group 1
wlc-1(config-vrrp)# preempt disable
wlc-1(config-vrrp)# enable
wlc-1(config-vrrp)# exit |
...
| Блок кода |
|---|
|
wlc-1(config-bridge)# enable
wlc-1(config-bridge)# exit |
Настройте физические порты для выделенного линка синхронизации маршрутизаторов wlc-1 и wlc-2:
...
| Блок кода |
|---|
|
wlc-1# show vrrp
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/24 130 Disabled Disabled Backup Master -- 1
2 192.168.1.1/32 130 Disabled Master Backup -- 1 |
Можно увидеть, что устройство приняло состояние Backup. Через 10 секунд устройство примет состояние Master.
...
| Блок кода |
|---|
|
wlc-1(config-cluster)# cluster-interface bridge 1
wlc-1(config-cluster)# enable
wlc-1(config-cluster)# exit |
Перейдите к настройке NTP:
...
| Примечание |
|---|
На каждый wlc нужна отдельная лицензия (WiWLC-WIDS-FiWIPS, BRAS и т. д.). Для активации функций кластера отдельная лицензия не нужна. |
...
| Блок кода |
|---|
|
wlc-1# copy tftp://<IP_address>:/licence system:cluster-unit-licences
|*************************| 100% (680B) Licence loaded successfully.
wlc-1#
wlc-1#
wlc-1#
wlc-1# show cluster-unit-licences
Serial number Features
--------------- ------------------------------------------------------------
NP0B003634 BRAS,IPS,WIFI WLC-WIDS-WIPS,BRAS
NP0B009033 BRAS,IPS,WIFI WLC-WIDS-WIPS,BRAS
wlc-1# sync cluster system force |
...
| Блок кода |
|---|
|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
vlan 2449
force-up
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/2
description "Local"
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
exit |
Решение:
Перейдите в режим конфигурации:
...
| Блок кода |
|---|
|
wlc-1(config-object-group-service)# port-range 5432
wlc-1(config-object-group-service)# exit |
Создайте object-group для открытия портов в настройках Firewall, через которые синхронизируются туннели SoftGRE:
| Блок кода |
|---|
|
wlc-1(config)# object-group service softgre_controller |
Укажите порт, который используется для синхронизации туннелей SoftGRE:
| Блок кода |
|---|
|
wlc-1(config-object-group-service)# port-range 1337
wlc-1(config-object-group-service)# exit |
Сконфигурируйте object-group для настройки failover-сервисов SYNC_SRC:
| Блок кода |
|---|
|
wlc-1(config)# object-group network SYNC_SRC |
Укажите IP-адреса для Первого первого и Второго второго юнитов кластера:
| Блок кода |
|---|
|
wlc-1(config-object-group-network)# ip address-range 198.51.100.254 unit 1
wlc-1(config-object-group-network)# ip address-range 198.51.100.253 unit 2
wlc-1(config-object-group-network)# exit
|
...
| Блок кода |
|---|
|
wlc-1(config-bridge)# no ip address all
wlc-1(config-bridge)# ip address 192.168.2.3/24 unit 1
wlc-1(config-bridge)# ip address 192.168.2.2/24 unit 2 |
Укажите индентификатор VRRP:
...
| Блок кода |
|---|
|
wlc-1(config-vrrp)# enable
wlc-1(config-vrrp)# exit |
Отключите работу spanning-tree:
| Блок кода |
|---|
|
wlc-1(config-bridge)# no spanning-tree |
...
Включите Bridge:
| Блок кода |
|---|
|
wlc-1(config-bridge)# enable
wlc-1(config-bridge)# exit |
...
| Блок кода |
|---|
|
wlc-1(config-crypto-sync)# remote-delete |
...
Включите работу синхронизации сертификатов:
...
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair)# rule 11 |
...
Укажите действие правила – разрешение:
...
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group sync |
Включите правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
...
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair)# rule 410 |
Укажите действие правила – разрешение:
...
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group softgrejournal_controllersync |
Включите правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Создайте новое правилоПерейдите в конфигурацию security-zone, где добавьте разрешение на прохождение VRRP-трафика в клиентской зоне:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair)# rule 10 |
Укажите действие правила – разрешение:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# action permit |
Укажите совпадение по протоколу TCP:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# match protocol tcp |
Укажите совпадение по порту назначения, в качестве которого выступает object-group:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group journal_sync |
Включите правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Перейдите в конфигурацию security-zone, где добавьте разрешение на прохождение VRRP-трафика в клиентской зоне:
| Блок кода |
|---|
|
wlc-1(config))# security zone-pair users self |
...
| Блок кода |
|---|
|
wlc-1(config-object-group-service)# port-range 9999
wlc-1(config-object-group-service)# exit |
Перейдите в конфигурацию security zone-pair для синхронизации сервисов кластера:
| Блок кода |
|---|
|
wlc-1(config)# security zone-pair SYNC self |
...
Создайте новое правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair)# rule 5 |
...
| Блок кода |
|---|
|
wlc-1(config-firewall-failover)# sync-type unicast |
...
Укажите номер UDP-порта службы резервирования сессий Firewall:
...
| Раскрыть |
|---|
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service softgre_controller
port-range 1337
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.254 unit 2
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
timers garp refresh 60
enable
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 80
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 90
action permit
match protocol gre
enable
exit
rule 100
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
rule 4
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 5
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
exit
rule 10
action permit
match protocol tcp
match destination-port object-group journal_sync
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.5-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit
crypto-sync
remote-delete
enable
exit
|
|
...
| Блок кода |
|---|
|
wlc-1# show high-availability state
VRRP role: Master
AP Tunnels:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:12
DHCP option 82 table
AP Tunnels:
State: Successful Disabledsynchronization
Last state changesynchronization: 2025-02-05 16:38:12
DHCP server:
VRF: --
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:28
crypto-sync:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:29
Firewall:
Firewall sessions and NAT translations:
Tracking VRRP Group 1
Tracking VRRP Group state: Master
State: Successful synchronization
Fault Reason: --
Last synchronization: 2025-02-05 16:38:30
WLC:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:29
WEB profiles:
State: Successful synchronization
Last synchronization: 2025-02-05 16:38:36 |
...
| Блок кода |
|---|
|
wlc-1# show vrrp
Unit 1* 'wlc-1'
------------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/3224 130 Disabled Master -- 1
2 192.168.1.1/32 130 Disabled Master -- 1
3 192.168.2.1/32 130 Disabled Master -- 1
Unit 2 'wlc-2'
------------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/3224 120 Disabled Backup Disabled Master -- 1
2 192.168.1.1/32 120 Disabled Backup Master -- 1
3 192.168.2.1/32 120 Disabled Backup Master -- 1
|
Настройка WLC (схема 1+2)
...
| Блок кода |
|---|
|
wlc-1(config-object-group-service)# port-range 873
wlc-1(config-object-group-service)# exit |
Создайте object-group для открытия портов в настройках Firewall, через которые синхронизируются журналы WLC:
| Блок кода |
|---|
|
wlc-1(config)# object-group service journal_sync |
Укажите порт, который используется для синхронизации журналов WLC:
| Блок кода |
|---|
|
wlc-1(config-object-group-service)# port-range 5432
wlc-1(config-object-group-service)# exit |
...
Создайте object-group для открытия портов в настройках Firewall, через которые синхронизируются туннели SoftGREжурналы WLC:
| Блок кода |
|---|
|
wlc-1(config)# object-group service softgrejournal_controllersync |
Укажите порт, который используется для синхронизации туннелей SoftGREжурналов WLC:
| Блок кода |
|---|
|
wlc-1(config-object-group-service)# port-range 13375432
wlc-1(config-object-group-service)# exit |
Сконфигурируйте object-group для настройки failover-сервисов SYNC_SRC:
| Блок кода |
|---|
|
wlc-1(config)# object-group network SYNC_SRC |
...
| Блок кода |
|---|
|
wlc-1(config)# crypto-sync |
Укажите режим работы:
| Блок кода |
|---|
|
wlc-1(config-crypto-sync)# remote-delete |
...
Включите работу синхронизации сертификатов:
...
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair)# rule 11 |
...
Укажите действие правила – разрешение:
...
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# match destination-port object-group sync |
Включите правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
Перейдите в конфигурацию security-zone и откройте порты для синхронизации сертификатов, SoftGRE-туннелей и журналов WLC:
| Блок кода |
|---|
|
wlc-1(config)# security zone-pair SYNC self |
Создайте новое правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair)# rule 4 |
Укажите действие правила – разрешениеВключите правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# action permit |
Укажите совпадение по протоколу TCP:
| Блок кода |
|---|
|
enable
wlc-1(config-security-zone-pair-rule)# match protocol tcpexit
wlc-1(config-security-zone-pair)# exit |
Перейдите в конфигурацию security-zone и откройте порты для синхронизации сертификатов и журналов WLCУкажите совпадение по порту назначения, в качестве которого выступает object-group:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# matchsecurity destinationzone-portpair object-group softgre_controllerSYNC self |
Включите правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit |
...
Для настройки правил зон безопасности создайте профиль для порта Firewall-failover:
| Блок кода |
|---|
|
wlc-1(config)# object-group service FAILOVER |
...
| Блок кода |
|---|
|
wlc-1(config)# security zone-pair SYNC self |
Создайте новое правило:
| Блок кода |
|---|
|
wlc-1(config-security-zone-pair)# rule 5 |
...
| Блок кода |
|---|
|
wlc-1(config-firewall-failover)# sync-type multicast |
...
Укажите номер UDP-порта службы резервирования сессий Firewall:
...
| Раскрыть |
|---|
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
unit 3
mac-address 68:13:e2:7e:80:46
exit
enable
exit
hostname wlc-1
hostname wlc-1 unit 1
hostname wlc-2 unit 2
hostname wlc-3 unit 3
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service softgre_controller
port-range 1337
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
ip address-range 198.51.100.252 unit 3
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.252 unit 1
ip address-range 198.51.100.254 unit 2
ip address-range 198.51.100.252 unit 2
ip address-range 198.51.100.253 unit 3
ip address-range 198.51.100.254 unit 3
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
timers garp refresh 60
enable
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
priority 130 unit 1
priority 120 unit 2
priority 110 unit 3
group 1
preempt disable
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
interface gigabitethernet 3/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 3/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 3/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 3/0/4
mode switchport
exit
interface tengigabitethernet 3/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 3/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 80
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 90
action permit
match protocol gre
enable
exit
rule 100
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
rule 4
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 5
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
exit
rule 10
action permit
match protocol tcp
match destination-port object-group journal_sync
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.5-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit
crypto-sync
remote-delete
enable
exit
|
|
...
| Блок кода |
|---|
|
wlc-1# show vrrp
Unit 1* 'wlc-1'
------------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/3224 130 Disabled Master -- 1
2 192.168.1.1/32 130 Disabled Master -- 1
3 192.168.2.1/32 130 Disabled Master -- 1
Unit 2 'wlc-2'
------------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/3224 120 Disabled Backup -- 1
2 192.168.1.1/32 120 Disabled Backup -- 1
3 192.168.2.1/32 120 Disabled Backup -- 1
Unit 3 'wlc-3'
------------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/3224 110 Disabled Backup -- 1
2 192.168.1.1/32 110 Disabled Backup -- 1
3 192.168.2.1/32 110 Disabled Backup -- 1
|
...
Настройка System prompt
System prompt позволяет отобразить оперативное состояние кластера непосредственно в строке приглашения CLI устройства, что упрощает получение актуальной информации.
Варианты настройки system prompt, включая доступные параметры и синтаксис команды, приведены в разделе Настройка общесистемных параметров.
Пример настройки
Задача:
Настроить system prompt в кластере маршрутизаторов wlc-1 и wlc-2 со следующими параметрами:
...
