
...


...

wlc-1(config)# no bridge 1


Создайте VLAN 2449, который будет выступать в роли VLAN управления для точек доступа (ТД):

wlc-1(config)# vlan 2449

...

Укажите параметр force-up, который удерживает VLAN в состоянии UP:

...

wlc-1(config-bridge)# ip address 192.168.1.3/24 unit 1
wlc-1(config-bridge)# ip address 192.168.1.2/24 unit 2


Настройте VRRP:

wlc-1(config-bridge)# vrrp id 2
wlc-1(config-bridge)# vrrp ip 192.168.1.1/32
wlc-1(config-bridge)# vrrp group 1
wlc-1(config-bridge)# vrrp  


Отключите работу spanning-tree и включите работу Bridge:

...

Примечание

В версии ПО 1.30.2 в качестве cluster-интерфейса поддержан только bridge.


Укажите, к какому VLAN относится bridge, и зону безопасности:

wlc-1(config-bridge)# vlan 1
wlc-1(config-bridge)# security-zone SYNC


Далее укажите IP-адреса cluster-интерфейса для каждого узла кластера (unit 1 и unit 2):

wlc-1(config-bridge)# ip address 198.51.100.254/24 unit 1
wlc-1(config-bridge)# ip address 198.51.100.253/24 unit 2

...


...

wlc-1(config-object-group-network)# ip address-range 198.51.100.254 unit 1
wlc-1(config-object-group-network)# ip address-range 198.51.100.253 unit 2
wlc-1(config-object-group-network)# exit

Сконфигурируйте второй object-group — SYNC_DST — с адресами соседнего узла (зеркально SYNC_SRC); он используется при настройке failover-сервисов:

wlc-1(config)# object-group network SYNC_DST

...

wlc-1(config-bridge)# vrrp 

...


Отключите работу spanning-tree:

...

wlc-1(config-failover)# localremote-address object-group SYNC_DST

...


Перейдите к настройке Firewall failover (резервирования сессий Firewall):

wlc-1(config)# ip firewall failover

...

wlc-1(config-dhcp-server)# no address-range 192.168.1.2-192.168.1.254
wlc-1(config-dhcp-server)# address-range 192.168.1.4-192.168.1.254
wlc-1(config-dhcp-server)# exit 


Перейдите в конфигурирование пула DHCP-сервера для клиентов:

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service softgre_controller
  port-range 1337
exit
object-group service FAILOVER
  port-range 9999
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable 
  exit
  rule 5
    action permit
    match protocol udp
    match destination-port object-group FAILOVER
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit

...

Состояние VRRP и принадлежность виртуальных маршрутизаторов к группе синхронизации можно посмотреть командой:

...

wlc-1# show vrrp 
Virtual router   Virtual IP                          Priority   Preemption   State    Synchronization group ID    
--------------   ---------------------------------   --------   ----------   ------   -------------------------   
1                198.51.100.1/32                     100        Enabled      Master   1                           
2                192.168.1.1/32                      100        Enabled      Master   1                           
3                192.168.2.1/32                      100        Enabled      Master   1                           


Настройка MultiWAN

Технология MultiWAN позволяет организовать отказоустойчивое соединение с резервированием линков от нескольких провайдеров, а также решает проблему балансировки трафика между резервными линками. Обратите внимание: в приведённой ниже конфигурации для портов gi1/0/1 и gi2/0/1 указано только `switchport trunk allowed vlan add 2,20`, тогда как для gi1/0/2 и gi2/0/2 дополнительно задан `switchport mode trunk` — перед применением проверьте, что порты в сторону провайдеров действительно переведены в режим trunk.

...


...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit
vlan 20
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  description "ISP1_ISP2"
  vlan 2
  security-zone untrusted
  ip address 192.0.3.4/24 unit 1
  ip address 192.0.3.3/24 unit 2
  vrrp id 4
  vrrp ip 192.0.3.2/24
  vrrp group 1
  vrrp
  no spanning-tree
  enable 
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
 bridge 20
  description "ISP1_ISP2"
  vlan 20
  security-zone untrusted
  ip address 192.0.4.4/24 unit 1
  ip address 192.0.4.3/24 unit 2
  vrrp id 4
  vrrp ip 192.0.4.2/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable  
exit

interface gigabitethernet 1/0/1
  mode switchport
  switchport trunk allowed vlan add 2,20
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport trunk allowed vlan add 2,20
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit


Создайте список IP-адресов для проверки целостности соединения:

...

ESR-1# show wan interfaces status 
Interface              Nexthop                   Status     Uptime/Downtime        
                                                            (d,h:m:s)              
--------------------   -----------------------   --------   --------------------   
br2                    192.0.3.1                 Active     00,00:00:44            
br20                   192.0.4.1                 Active     00,00:00:45 


Настройка IPsec VPN

IPsec — это набор протоколов, обеспечивающих защиту данных, передаваемых по протоколу IP. Данный набор протоколов позволяет осуществлять подтверждение подлинности (аутентификацию), проверку целостности и шифрование IP-пакетов, а также включает в себя протоколы для защищённого обмена ключами в сети Интернет.
IPsec представляет собой совокупность протоколов, предназначенных для защиты данных, передаваемых по IP. Данный набор обеспечивает аутентификацию, проверку целостности и шифрование IP-пакетов, а также включает механизмы для безопасного обмена ключами в сети Интернет.

...


Схема реализации IPsec VPN


Исходная конфигурация кластера (обратите внимание: значения `password`/`password1` у ключей RADIUS, пароля ТД и тестового пользователя — это заглушки для примера; в рабочей конфигурации замените их на уникальные секреты и удалите тестовую учётную запись):
cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address 192.0.3.2/24 unit 1
  ip address 192.0.3.1/24 unit 2
  vrrp id 4
  vrrp ip 203.0.113.252/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable 
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit


Решение:

Создайте профиль ISAKMP-портов, необходимых для работы протокола IPsec: разрешите UDP-пакеты на порт 500 (IKE), а также на порт 4500 (NAT-T), если между площадками присутствует NAT:

...

wlc-1(config)# security ipsec vpn ipsec
wlc-1(config-ipsec-vpn)# ike establish-tunnel route 
wlc-1(config-ipsec-vpn)# ike gateway ike_gw
wlc-1(config-ipsec-vpn)# ike ipsec-policy ipsec_pol
wlc-1(config-ipsec-vpn)# enable 
wlc-1(config-ipsec-vpn)# exit

...

Добавьте статический маршрут до встречной клиентской подсети через VTI туннель:

...


...

wlc-1(config)# object-group service FAILOVER
wlc-1(config-object-group-service)# port-range 9999
wlc-1(config-object-group-service)# exit


Создайте разрешающее правило в паре зон SYNC → self, разрешив UDP-трафик Firewall failover на порт 9999 (object-group FAILOVER):

...

wlc-1(config-firewall-failover)# port 9999


Включите резервирование сессий Firewall:

wlc-1(config-firewall-failover)# enable 
wlc-1(config-firewall-failover)# exit

...


...

Примечание

Для работы резервирования DHCP-сервера необходимо заранее настроить ip failover (local-address/remote-address, vrrp-group) и object-group network SYNC_SRC/SYNC_DST, указанные в конфигурации кластера выше.


Перейдите к настройке резервирования DHCP-сервера:

...

wlc-1# show high-availability state 
DHCP server:
VRF:                               --
    Mode:                          Active-Standby
    State:                         Successful synchronization
    Last synchronization:          2025-01-09 12:01:21
crypto-sync:
    State:                         Disabled
Firewall sessions and NAT translations:
    State:                         Disabled

...

Выданные адреса DHCP можно посмотреть с помощью команды:

...


Схема реализации SNMP


Исходная конфигурация кластера (ключи RADIUS и пароли в листинге — `password`/`password1` — приведены только для примера и в рабочей конфигурации должны быть заменены на уникальные секреты):
cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit


Решение:

Создайте профиль SNMP-портов, предоставляющий доступ в MGMT зону безопасности:

...

Блок кода
titleWLC-1
wlc-1(config)# snmp-server
wlc-1(config)# snmp-server community cluster rw


Благодаря данной настройке обеспечивается возможность централизованного мониторинга и управления как отдельными устройствами, так и устройством, выполняющим в данный момент роль VRRP Master (по виртуальному адресу). Обратите внимание: community `cluster` создана с правами rw, то есть любой узел, знающий её, может не только читать, но и изменять параметры устройства (что и демонстрирует snmpset ниже), поэтому доступ к SNMP должен быть ограничен зоной MGMT:

Блок кода
titleWLC-1
cluester@cluester-System:~$ snmpset -v2c -c cluster 192.168.1.3 .1.3.6.1.2.1.1.5.0 s 'wlc-1'
SNMPv2-MIB::sysName.0 = STRING: wlc-1
cluester@cluester-System:~$ snmpset -v2c -c cluster 192.168.1.2 .1.3.6.1.2.1.1.5.0 s 'wlc-2'
SNMPv2-MIB::sysName.0 = STRING: wlc-2
cluester@cluester-System:~$ snmpset -v2c -c cluster 192.168.1.1 .1.3.6.1.2.1.1.5.0 s 'VRRP-Master'
SNMPv2-MIB::sysName.0 = STRING: VRRP-Master

Настройка Source NAT

Source NAT (SNAT) представляет собой механизм, осуществляющий замену исходного IP-адреса в заголовках IP-пакетов, проходящих через сетевой шлюз. При передаче трафика из внутренней (локальной) сети во внешнюю (публичную) сеть исходный адрес заменяется на один из назначенных публичных IP-адресов шлюза. В ряде случаев дополнительно преобразуется и исходный порт (NAPT – Network Address and Port Translation), что обеспечивает корректное направление обратного трафика. При поступлении пакетов из публичной сети в локальную выполняется обратная процедура – восстановление оригинальных значений IP-адреса и порта для корректной маршрутизации внутри внутренней сети.

...


...

Блок кода
titleWLC-1
wlc-1(config)# nat source 
wlc-1(config-snat)# ruleset SNAT
wlc-1(config-snat-ruleset)# to zone untrusted 
wlc-1(config-snat-ruleset)# rule 1
wlc-1(config-snat-rule)# match source-address object-group INTERNET_USERS
wlc-1(config-snat-rule)# action source-nat pool TRANSLATE_ADDRESS 
wlc-1(config-snat-rule)# enable 
wlc-1(config-snat-rule)# exit
wlc-1(config-snat-ruleset)# exit
wlc-1(config-snat)# exit

Просмотр таблицы NAT-трансляций осуществляется посредством следующей команды:

...


...

Блок кода
cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address 192.0.3.2/24 unit 1
  ip address 192.0.3.1/24 unit 2
  vrrp id 4
  vrrp ip 203.0.113.252/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit


Решение:

Создайте профиль адреса сервера из WAN-сети, с которого будут приниматься запросы:

...

Блок кода
titleWLC-1
wlc-1(config-dnat)# ruleset DNAT_SERVER_DMZ
wlc-1(config-dnat-ruleset)# from zone untrusted
wlc-1(config-dnat-ruleset)# rule 1
wlc-1(config-dnat-rule)# match protocol tcp
wlc-1(config-dnat-rule)# match destination-address object-group INTERNAL
wlc-1(config-dnat-rule)# match destination-port object-group SERVER_DMZ
wlc-1(config-dnat-rule)# action destination-nat pool DMZ
wlc-1(config-dnat-rule)# enable
wlc-1(config-dnat-rule)# exit
wlc-1(config-dnat-ruleset)# exit
wlc-1(config-dnat)# exit


Добавьте правило, которое применяется исключительно к пакетам, поступающим из зоны WAN (untrusted). Набор правил включает условия соответствия по протоколу, адресу назначения (match destination-address) и порту назначения (match destination-port). Дополнительно в наборе определено действие (action destination-nat), которое применяется к пакетам, удовлетворяющим указанным критериям:

...

Просмотр таблицы NAT-трансляций осуществляется посредством следующей команды:

Блок кода
titleWLC-1
wlc-1# show ip nat translations 
Prot   Inside source           Inside destination      Outside source          Outside destination     Pkts         Bytes        
----   ---------------------   ---------------------   ---------------------   ---------------------   ----------   ----------   
tcp    203.0.113.1:41296       192.168.1.10:22         203.0.113.1:41296       203.0.113.252:22        --           --           
