Имеется два контроллера WLC в составе кластера Active/Standby с резервированием функционала WLC (VRRP, ip failover). Необходимо обновить ПО без прерывания сервисов. Обратите внимание: в приведённой ниже конфигурации ключи RADIUS и пароли (`password`, `password1`) — заглушки из примера; в рабочей схеме их необходимо заменить на уникальные стойкие значения.
| Раскрыть |
|---|
| title | Конфигурация кластера |
|---|
|
| Блок кода |
|---|
cluster
cluster-interface bridge 1
unit 1
mac-address e4:5a:d4:a0:be:35
exit
unit 2
mac-address a8:f9:4b:af:35:84
exit
enable
exit
hostname wlc-1 unit 1
hostname wlc-2 unit 2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service journal_sync
port-range 5432
exit
object-group service softgre_controller
port-range 1337
exit
object-group service FAILOVER
port-range 9999
exit
object-group network SYNC_SRC
ip address-range 198.51.100.254 unit 1
ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
ip address-range 198.51.100.253 unit 1
ip address-range 198.51.100.254 unit 2
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text password
network 192.168.1.0/24
exit
nas local
key ascii-text password
network 127.0.0.1/32
exit
domain default
user test
password ascii-text password1
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text password
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit
bridge 1
vlan 1
security-zone SYNC
ip address 198.51.100.254/24 unit 1
ip address 198.51.100.253/24 unit 2
vrrp 1
ip 198.51.100.1/24
group 1
enable
exit
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24 unit 1
ip address 192.168.2.2/24 unit 2
vrrp 3
ip 192.168.2.1/32
group 1
timers garp refresh 60
enable
no spanning-tree
enable
exit
bridge 5
vlan 2449
security-zone trusted
ip address 192.168.1.3/24 unit 1
ip address 192.168.1.2/24 unit 2
vrrp 2
ip 192.168.1.1/32
group 1
enable
exit
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 2/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
mode switchport
spanning-tree disable
exit
interface gigabitethernet 2/0/4
mode switchport
exit
interface tengigabitethernet 2/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address object-group SYNC_SRC
remote-address object-group SYNC_DST
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair SYNC self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol ah
enable
exit
rule 4
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 5
action permit
match protocol udp
match destination-port object-group FAILOVER
enable
exit
exit
rule 10
action permit
match protocol tcp
match destination-port object-group journal_sync
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.5-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text password
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text password
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.110.0.65
minpoll 1
maxpoll 4
exit
crypto-sync
remote-delete
enable
exit
|
|
...
1. Подключитесь к обновляемому устройству — сначала к Standby-устройству (в примере wlc-2), чтобы Active-устройство продолжало обслуживать клиентов, — по консольному кабелю или по SSH, предварительно настроив доступ (подробнее см. в разделе «Настройка доступа SSH, Telnet» справочника команд CLI).
Загрузите ПО (firmware-файл) на устройство с использованием одного из протоколов удалённой загрузки файлов. Учтите, что TFTP (как в примере) не обеспечивает ни аутентификации, ни шифрования: используйте его только в доверенной сети управления либо, если устройство поддерживает, предпочтите SCP/SFTP, а до установки сверьте контрольную сумму файла с опубликованной производителем.
| Блок кода |
|---|
wlc-2# copy tftp://<tftp-server-ip>:/<firmware-file> system:firmware
|******************************************| 100% (0B) Firmware updated successfully. |
Далее необходимо выбрать образ ПО новой версии для следующей загрузки (boot system inactive), повторно убедиться командой show bootvar, что отметка «After reboot» стоит на новом образе, и перезагрузить устройство (reload system).
| Блок кода |
|---|
wlc-2# show bootvar
Image Version Date Status After reboot
----- ------------------------- -------------------- ------------ ------------
1 1.30.8 build 2025-10-24 14:40:09 Active *
3[6c22bcba93]
2 1.36.1 build 2026-01-30 17:39:02 Not Active
16[e144f1acf2]
wlc-2# boot system inactive
This command cannot be interrupted, do not turn off device during process.
Continue? (y/N): y
2026-02-26T10:04:03+07:00 %FILE_MGR-I-INFO: operation started: 'boot system image-2' (index: 5, origin: CLI)
2026-02-26T10:04:19+07:00 %FIRMWARE-I-INFO: Writing data...
2026-02-26T10:04:35+07:00 %FILE_MGR-I-INFO: operation is finished: 'boot system image-2' (index: 5, origin: CLI)
Boot image set successfully.
Successfully updated: uboot
wlc-2# reload system
Do you really want to reload system now? (y/N): y |
После перезагрузки будет показано сообщение о том, что версия ПО обновлённого устройства не совпадает с версией на Active-устройстве:
| Блок кода |
|---|
2026-02-26T10:07:08+07:00 %CLUSTER-W-SYNC_FIRMWARE_WARN: unit 1 'wlc-1' SW version not synced with local |
Также проверить состояние синхронизации можно командой show cluster sync status (несовпадение ожидается только по строке «SW version»):
| Блок кода |
|---|
System part Synced
---------------------- ------
candidate-config Yes
running-config Yes
SW version No
licence Yes
licence (After reboot) Yes
date Yes |
2. Теперь для проверки корректности работы на новом ПО необходимо перевести обновлённое Standby-устройство в роль Active, т.е. перенести на него нагрузку.
Для этого примените команду clear vrrp-state на Active-устройстве (в примере — wlc-1).
| Блок кода |
|---|
wlc-1# clear vrrp-state
2026-02-26T10:10:34+07:00 %VRRP-I-INSTANCE: VRRP5 Entering BACKUP state
2026-02-26T10:10:34+07:00 %VRRP-I-INSTANCE: VRRP9 Entering BACKUP state
2026-02-26T10:10:34+07:00 %VRRP-I-INSTANCE: VRRP7 Entering BACKUP state
2026-02-26T10:10:34+07:00 %VRRP-I-INSTANCE: VRRP6 Entering BACKUP state |
Убедитесь, что активная роль в кластере сменилась, командой show cluster status:
| Блок кода |
|---|
wlc-1# sh cluster status
Unit Hostname Role MAC address State IP address
---- -------------------- ---------- ----------------- -------------- ---------------
1* wlc-1 Standby e4:5a:d4:a0:be:35 Joined 198.51.100.254
2 wlc-2 Active a8:f9:4b:af:35:84 Joined 198.51.100.253 |
Также можно убедиться, что сервисы не прервались и роль сменилась, командой show high-availability state:
| Блок кода |
|---|
wlc-1# sh high-availability state
Softgre-controller:
VRRP role: Backup
AP Tunnels:
State: Synchronized
Last synchronization: 2026-02-26 10:20:11
DHCP server:
VRF: --
Mode: Active-Standby
State: Successful synchronization
Last synchronization: 2026-02-26 10:20:10
crypto-sync:
State: Successful synchronization
Last synchronization: 2026-02-26 10:20:10
Firewall sessions and NAT translations:
State: Disabled
Last state change: --
WLC:
State: Successful synchronization
Last synchronization: 2026-02-26 10:20:08
WLC database:
State: Successful synchronization
Last synchronization: 2026-02-26 10:20:12
WEB profiles:
State: Disabled
Last state change: -- |
3. Если весь требуемый функционал на новой версии ПО работает корректно, обновите оставшееся устройство командой sync cluster system force на Active-устройстве (теперь это обновлённый wlc-2): она запустит синхронизацию, автоматически обновит ПО Standby-устройства и перезагрузит его. Перед выполнением проверьте по show cluster status, что роль Active занимает устройство с новой версией ПО — иначе синхронизация откатит обновлённое устройство на старую версию (см. шаг 4).
| Блок кода |
|---|
wlc-2# sync cluster system force
Unit 1 'wlc-1': system synchronization was started
2026-02-26T10:21:02+07:00 %CLUSTER-I-SYNC_SYSTEM_INFO: from unit 1 'wlc-1': start system synchronization with Active unit
2026-02-26T10:21:04+07:00 %FILE_MGR-I-INFO: operation started: 'copy system:firmware flash:firmware' (index: 1, origin: esrfs)
2026-02-26T10:21:04+07:00 %FILE_MGR-I-INFO: operation is finished: 'copy system:firmware flash:firmware' (index: 1, origin: esrfs)
2026-02-26T10:21:05+07:00 %FILE_MGR-I-INFO: operation started: 'copy system:firmware flash:firmware' (index: 2, origin: esrfs)
2026-02-26T10:21:05+07:00 %FILE_MGR-I-INFO: operation is finished: 'copy system:firmware flash:firmware' (index: 2, origin: esrfs)
2026-02-26T10:22:15+07:00 %CLUSTER-I-SYNC_SYSTEM_INFO: from unit 1 'wlc-1': system will be rebooted to apply all changes |
Если необходимо вернуть роль Active исходному устройству — снова примените команду clear vrrp-state на текущем Active-устройстве.
4. В противном случае верните роль Active устройству, которое работает на старом ПО (clear vrrp-state на обновлённом Active-устройстве), и снова выполните на нём команду sync cluster system force — она откатит ПО на втором устройстве до старой версии.