Полная конфигурация маршрутизаторов ESR
ESR-1
# ESR-1: edge router for ISP1 and VRRP primary for the Customer segment 10.100.0.0/24 (shared gateway 10.100.0.1).
# NOTE(review): the '#' lines are annotations only -- confirm the ESR firmware in use ignores such lines before pasting this listing.
object-group network Customers_POOL
ip prefix 10.100.0.0/24
exit
object-group network Mgmt_POOL
ip prefix 10.250.0.0/24
exit
# PROXY holds the single public address the router answers proxy-ARP for on gi1/0/1; it is the same address as the SNAT pool below.
object-group network PROXY
ip address-range 203.0.113.3
exit
# Public_POOL is defined but not referenced anywhere in this listing.
object-group network Public_POOL
ip address-range 203.0.113.2-203.0.113.126
exit
# NOTE(review): logging is local only (3 rotated files, size 512, on flash); no remote syslog collector is configured in this
# listing, so events are lost on rotation or device failure -- consider adding one.
syslog max-files 3
syslog file-size 512
syslog sequence-numbers
syslog file flash:syslog/default
severity info
exit
security zone Untrusted
exit
security zone MGMT
exit
security zone Customer
exit
# BGP_IN: accept only the default route from the ISP; rule 20 denies everything else.
# NOTE(review): rule 10 has no explicit action -- confirm the platform default for a matching rule is permit.
route-map BGP_IN
rule 10
match ip address 0.0.0.0/0
exit
rule 20
action deny
exit
exit
# eBGP to ISP1 (AS 65500) over gi1/0/1 with BFD fall-over; BGP_IN is applied inbound in address-family ipv4.
# NOTE(review): no session authentication is visible in this listing -- agree with the ISP whether one is required.
router bgp 64515
neighbor 203.0.113.1
remote-as 65500
update-source gigabitethernet 1/0/1
fall-over bfd
address-family ipv4 unicast
route-map BGP_IN in
enable
exit
enable
exit
enable
exit
# port-channel 1 (gi1/0/3 + gi1/0/4) carries the MGMT (.250) and Customer (.100) sub-interfaces.
interface port-channel 1
exit
interface port-channel 1.250
description "MGMT"
security-zone MGMT
ip address 10.250.0.1/24
exit
# Customer SVI: VRRP group 1 for 10.100.0.1. Priority 101 is lowered by 10 when track 1 (Internet reachability) fails, so the
# peer takes over; preemption is disabled, so this router does not reclaim mastership automatically after recovery -- confirm intended.
interface port-channel 1.100
security-zone Customer
ip address 10.100.0.253/24
vrrp id 1
vrrp ip 10.100.0.1/24
vrrp priority 101
vrrp priority track 1 decrement 10
vrrp group 1
vrrp preempt disable
vrrp
exit
# ISP1 uplink; proxy-ARP is limited to the PROXY object-group (the SNAT address).
interface gigabitethernet 1/0/1
description "ISP1"
security-zone Untrusted
ip address 203.0.113.2/25
ip nat proxy-arp PROXY
exit
interface gigabitethernet 1/0/3
mode switchport
channel-group 1 mode auto
lldp transmit
lldp receive
exit
interface gigabitethernet 1/0/4
mode switchport
channel-group 1 mode auto
lldp transmit
lldp receive
exit
snmp-server
# NOTE(review): 'private' is a well-known default community string and it is granted read-write here; it is reachable from the
# MGMT zone (UDP/161 is permitted in zone-pair MGMT self below). Replace it with a unique string before deployment and use a
# read-only community unless SNMP writes are actually needed.
snmp-server community private rw
# Device access from the MGMT zone: SSH (tcp/22) and SNMP (udp/161) only.
security zone-pair MGMT self
rule 10
action permit
match protocol tcp
match destination-port port-range 22
enable
exit
rule 20
action permit
match protocol udp
match destination-port port-range 161
enable
exit
exit
# Device access from the Customer zone: VRRP and ICMP.
# NOTE(review): VRRP is accepted from any source in the Customer zone; adding 'match source-address' with an object-group holding
# the peer address (10.100.0.254) limits the effect of spoofed advertisements from customer hosts.
security zone-pair Customer self
rule 10
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
exit
# Device access from the ISP side: BGP (tcp/179) and BFD (udp/3784); SSH and SNMP are not permitted from Untrusted.
# NOTE(review): both rules match any source in the Untrusted zone, while only neighbor 203.0.113.1 needs them -- an object-group
# with that address and 'match source-address' narrows the exposure.
security zone-pair Untrusted self
rule 10
action permit
match protocol tcp
match destination-port port-range 179
enable
exit
rule 20
action permit
match protocol udp
match destination-port port-range 3784
enable
exit
exit
# Customer -> Untrusted: any protocol from Customers_POOL is allowed. No Untrusted -> Customer pair is defined, so inbound
# connections are expected to be dropped and return traffic handled statefully -- confirm the platform default.
security zone-pair Customer Untrusted
rule 10
action permit
match source-address object-group Customers_POOL
enable
exit
exit
# Source NAT: Customers_POOL -> 203.0.113.3 toward the Untrusted zone (the PROXY address, so the router answers ARP for it).
nat source
pool Customer_Public_IP
ip address-range 203.0.113.3
exit
ruleset SNAT
to zone Untrusted
rule 10
match source-address object-group Customers_POOL
action source-nat pool Customer_Public_IP
enable
exit
exit
exit
# Internet reachability probes (5 ICMP echoes each) sourced from the ISP1 address; consumed by track 1 below.
ip sla
ip sla logging status
ip sla test 1
icmp-echo 8.8.4.4 source-ip 203.0.113.2 num-packets 5
enable
exit
ip sla test 2
icmp-echo 77.88.44.242 source-ip 203.0.113.2 num-packets 5
enable
exit
ip sla schedule all life forever start-time now
# SSH is enabled; with the zone-pairs above it is reachable only from the MGMT zone (assuming zone-pair default deny).
ip ssh server
# Local configuration archive: a backup is stored on every commit, the last 10 are kept.
archive
type local
by-commit
count-backup 10
exit
lldp enable
# NTP serves clients only from Mgmt_POOL; upstream servers 198.51.100.100 and 198.51.100.101.
ntp enable
ntp object-group serve-only Mgmt_POOL
ntp server 198.51.100.100
exit
ntp server 198.51.100.101
exit
# track 1 follows SLA tests 1 and 2 in "state fail" mode; how the two tests combine is not shown here -- confirm.
track 1
description "Check Internet"
track sla test 1 mode state fail
track sla test 2 mode state fail
enable
exit
ESR-2
# ESR-2: edge router for ISP2 and VRRP backup for the Customer segment 10.100.0.0/24 (shared gateway 10.100.0.1).
# NOTE(review): the '#' lines are annotations only -- confirm the ESR firmware in use ignores such lines before pasting this listing.
object-group network Customers_POOL
ip prefix 10.100.0.0/24
exit
object-group network Mgmt_POOL
ip prefix 10.250.0.0/24
exit
# PROXY and the SNAT pool below both use 203.0.113.130, which is also the gi1/0/1 interface address itself
# (on ESR-1 the NAT address is separate from the interface address) -- confirm this asymmetry is intended.
object-group network PROXY
ip address-range 203.0.113.130
exit
# Public_POOL is defined but not referenced anywhere in this listing.
object-group network Public_POOL
ip address-range 203.0.113.130-203.0.113.254
exit
# NOTE(review): logging is local only (3 rotated files, size 512, on flash); no remote syslog collector is configured in this
# listing -- consider adding one.
syslog max-files 3
syslog file-size 512
syslog sequence-numbers
syslog file flash:syslog/default
severity info
exit
security zone Untrusted
exit
security zone MGMT
exit
security zone Customer
exit
# BGP_IN: accept only the default route from the ISP; rule 20 denies everything else.
# NOTE(review): rule 10 has no explicit action -- confirm the platform default for a matching rule is permit.
route-map BGP_IN
rule 10
match ip address 0.0.0.0/0
exit
rule 20
action deny
exit
exit
# eBGP to ISP2 (AS 65400) over gi1/0/1 with BFD fall-over; BGP_IN is applied inbound in address-family ipv4.
# NOTE(review): no session authentication is visible in this listing -- agree with the ISP whether one is required.
router bgp 64515
neighbor 203.0.113.129
remote-as 65400
update-source gigabitethernet 1/0/1
fall-over bfd
address-family ipv4 unicast
route-map BGP_IN in
enable
exit
enable
exit
enable
exit
# port-channel 1 (gi1/0/3 + gi1/0/4) carries the MGMT (.250) and Customer (.100) sub-interfaces.
interface port-channel 1
exit
interface port-channel 1.250
description "MGMT"
security-zone MGMT
ip address 10.250.0.2/24
exit
# Customer SVI: VRRP group 1 for 10.100.0.1 with the platform default priority and no tracking; this router is meant to take
# over when the peer lowers its priority on Internet loss. Preemption is disabled on both routers -- confirm intended.
interface port-channel 1.100
security-zone Customer
ip address 10.100.0.254/24
vrrp id 1
vrrp ip 10.100.0.1/24
vrrp group 1
vrrp preempt disable
vrrp
exit
# ISP2 uplink; proxy-ARP is limited to the PROXY object-group.
interface gigabitethernet 1/0/1
description "ISP2"
security-zone Untrusted
ip address 203.0.113.130/25
ip nat proxy-arp PROXY
exit
interface gigabitethernet 1/0/3
mode switchport
channel-group 1 mode auto
lldp transmit
lldp receive
exit
interface gigabitethernet 1/0/4
mode switchport
channel-group 1 mode auto
lldp transmit
lldp receive
exit
snmp-server
# NOTE(review): 'private' is a well-known default community string and it is granted read-write here; it is reachable from the
# MGMT zone (UDP/161 is permitted in zone-pair MGMT self below). Replace it with a unique string before deployment and use a
# read-only community unless SNMP writes are actually needed.
snmp-server community private rw
# Device access from the MGMT zone: SSH (tcp/22) and SNMP (udp/161) only.
security zone-pair MGMT self
rule 10
action permit
match protocol tcp
match destination-port port-range 22
enable
exit
rule 20
action permit
match protocol udp
match destination-port port-range 161
enable
exit
exit
# Device access from the Customer zone: VRRP and ICMP.
# NOTE(review): VRRP is accepted from any source in the Customer zone; adding 'match source-address' with an object-group holding
# the peer address (10.100.0.253) limits the effect of spoofed advertisements from customer hosts.
security zone-pair Customer self
rule 10
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
exit
# Device access from the ISP side: BGP (tcp/179) and BFD (udp/3784); SSH and SNMP are not permitted from Untrusted.
# NOTE(review): both rules match any source in the Untrusted zone, while only neighbor 203.0.113.129 needs them -- an object-group
# with that address and 'match source-address' narrows the exposure.
security zone-pair Untrusted self
rule 10
action permit
match protocol tcp
match destination-port port-range 179
enable
exit
rule 20
action permit
match protocol udp
match destination-port port-range 3784
enable
exit
exit
# Customer -> Untrusted: any protocol from Customers_POOL is allowed. No Untrusted -> Customer pair is defined, so inbound
# connections are expected to be dropped and return traffic handled statefully -- confirm the platform default.
security zone-pair Customer Untrusted
rule 10
action permit
match source-address object-group Customers_POOL
enable
exit
exit
# Source NAT: Customers_POOL -> 203.0.113.130 toward the Untrusted zone.
nat source
pool Customer_Public_IP
ip address-range 203.0.113.130
exit
ruleset SNAT
to zone Untrusted
rule 10
match source-address object-group Customers_POOL
action source-nat pool Customer_Public_IP
enable
exit
exit
exit
# SSH is enabled; with the zone-pairs above it is reachable only from the MGMT zone (assuming zone-pair default deny).
ip ssh server
# Local configuration archive: a backup is stored on every commit, the last 10 are kept.
archive
type local
by-commit
count-backup 10
exit
lldp enable
# NTP serves clients only from Mgmt_POOL; upstream servers 198.51.100.100 and 198.51.100.101.
ntp enable
ntp object-group serve-only Mgmt_POOL
ntp server 198.51.100.100
exit
ntp server 198.51.100.101
exit
Полная конфигурация коммутаторов MES
MES_Ядро_1
! MES core switch 1: vPC pair with core switch 2. Port-Channel1 is the vPC peer link; Port-Channels 2-5 are vPC member
! channels toward downstream devices. No management-plane settings (users, SSH, access lists) appear in this listing.
vlan database
vlan 100-101,150,250
exit
!
! vPC peer detection runs over Te1/0/1 (this side 1.1.1.1/30, peer 1.1.1.2).
! NOTE(review): 1.1.1.0/30 is publicly routed address space; an RFC 1918 range is the usual choice for a keepalive link -- confirm intended.
! NOTE(review): both core switches use 'role priority 1' -- confirm the resulting tie-break is acceptable.
vpc domain 1
peer detection
peer detection ipaddr 1.1.1.2 1.1.1.1
peer keepalive
role priority 1
peer link port-channel 1
exit
!
vpc
!
vpc group 2
domain 1
vpc-port port-channel 2
exit
!
vpc group 3
domain 1
vpc-port port-channel 3
exit
!
vpc group 4
domain 1
vpc-port port-channel 4
exit
!
vpc group 5
domain 1
vpc-port port-channel 5
exit
!
!
interface TenGigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.252
exit
!
! Te1/0/2-3 form the peer link (channel 1); Te1/0/4-7 are the member channels 2-5.
interface TenGigabitEthernet1/0/2
channel-group 1 mode auto
exit
!
interface TenGigabitEthernet1/0/3
channel-group 1 mode auto
exit
!
interface TenGigabitEthernet1/0/4
channel-group 2 mode auto
exit
!
interface TenGigabitEthernet1/0/5
channel-group 3 mode auto
exit
!
interface TenGigabitEthernet1/0/6
channel-group 4 mode auto
exit
!
interface TenGigabitEthernet1/0/7
channel-group 5 mode auto
exit
!
! NOTE(review): unlike the aggregation stack, these trunks do not set 'switchport forbidden default-vlan',
! so VLAN 1 remains permitted on them -- confirm whether that is wanted.
interface range Port-Channel1-5
switchport mode general
switchport general allowed vlan add 100-101,150,250 tagged
exit
!
interface vlan 100
name Internet
exit
!
interface vlan 101
name VoIP
exit
!
interface vlan 150
name Guest
exit
!
! Management SVI; no default gateway appears in this listing.
interface vlan 250
name Management
ip address 10.250.0.10 255.255.255.0
exit
!
!
end
MES_Ядро_2
! MES core switch 2: vPC pair with core switch 1. Port-Channel1 is the vPC peer link; Port-Channels 2-5 are vPC member
! channels toward downstream devices. No management-plane settings (users, SSH, access lists) appear in this listing.
vlan database
vlan 100-101,150,250
exit
!
! vPC peer detection runs over Te1/0/1 (this side 1.1.1.2/30, peer 1.1.1.1).
! NOTE(review): 1.1.1.0/30 is publicly routed address space; an RFC 1918 range is the usual choice for a keepalive link -- confirm intended.
! NOTE(review): both core switches use 'role priority 1' -- confirm the resulting tie-break is acceptable.
vpc domain 1
peer detection
peer detection ipaddr 1.1.1.1 1.1.1.2
peer keepalive
role priority 1
peer link port-channel 1
exit
!
vpc
!
vpc group 2
domain 1
vpc-port port-channel 2
exit
!
vpc group 3
domain 1
vpc-port port-channel 3
exit
!
vpc group 4
domain 1
vpc-port port-channel 4
exit
!
vpc group 5
domain 1
vpc-port port-channel 5
exit
!
!
interface TenGigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.252
exit
!
! Te1/0/2-3 form the peer link (channel 1); Te1/0/4-7 are the member channels 2-5.
interface TenGigabitEthernet1/0/2
channel-group 1 mode auto
exit
!
interface TenGigabitEthernet1/0/3
channel-group 1 mode auto
exit
!
interface TenGigabitEthernet1/0/4
channel-group 2 mode auto
exit
!
interface TenGigabitEthernet1/0/5
channel-group 3 mode auto
exit
!
interface TenGigabitEthernet1/0/6
channel-group 4 mode auto
exit
!
interface TenGigabitEthernet1/0/7
channel-group 5 mode auto
exit
!
! NOTE(review): unlike the aggregation stack, these trunks do not set 'switchport forbidden default-vlan',
! so VLAN 1 remains permitted on them -- confirm whether that is wanted.
interface range Port-Channel1-5
switchport mode general
switchport general allowed vlan add 100-101,150,250 tagged
exit
!
interface vlan 100
name Internet
exit
!
interface vlan 101
name VoIP
exit
!
interface vlan 150
name Guest
exit
!
! Management SVI; no default gateway appears in this listing.
interface vlan 250
name Management
ip address 10.250.0.11 255.255.255.0
exit
!
!
end
Перед базовой конфигурацией коммутаторов уровня агрегации (в рассматриваемой схеме) необходимо настроить стекирование.
После настройки стековых параметров необходимо перезагрузить устройства, чтобы настройки применились. Перезагрузку лучше начать с юнита 1.
Конфигурация MES_Агрегация_1
! Aggregation switch 1 becomes stack unit 1; stack links are te1-2. A reboot is required for these settings to
! take effect (reboot this unit first).
stack configuration unit-id 1
!
stack configuration links te1-2
!
! Non-stop forwarding across a stack master change.
stack nsf
Конфигурация MES_Агрегация_2
! Aggregation switch 2 becomes stack unit 2; stack links are te1-2. A reboot is required for these settings to
! take effect (reboot unit 1 first, then this unit).
stack configuration unit-id 2
!
stack configuration links te1-2
!
! Non-stop forwarding across a stack master change.
stack nsf
MES_Агрегация_Stack
! Aggregation stack (units 1 and 2): each Port-Channel1-4 has one member port on each unit, so a single unit failure
! does not drop a channel. No management-plane settings (users, SSH, access lists) appear in this listing.
vlan database
vlan 100-101,150,250
exit
!
interface GigabitEthernet1/0/1
channel-group 1 mode auto
exit
!
interface GigabitEthernet1/0/2
channel-group 2 mode auto
exit
!
interface GigabitEthernet1/0/3
channel-group 3 mode auto
exit
!
interface GigabitEthernet1/0/4
channel-group 4 mode auto
exit
!
interface GigabitEthernet2/0/1
channel-group 1 mode auto
exit
!
interface GigabitEthernet2/0/2
channel-group 2 mode auto
exit
!
interface GigabitEthernet2/0/3
channel-group 3 mode auto
exit
!
interface GigabitEthernet2/0/4
channel-group 4 mode auto
exit
!
! Trunks carry VLANs 100-101,150,250 tagged; 'forbidden default-vlan' keeps VLAN 1 off these links.
interface range Port-Channel1-4
switchport mode general
switchport general allowed vlan add 100-101,150,250 tagged
switchport forbidden default-vlan
exit
!
interface vlan 100
name Internet
exit
!
interface vlan 101
name VoIP
exit
!
interface vlan 150
name Guest
exit
!
! Management SVI; no default gateway appears in this listing.
interface vlan 250
name Management
ip address 10.250.0.20 255.255.255.0
exit
!
!
end
MES_Доступ
! Access switch: clients sit in VLAN 100 (untagged, pvid), phones are moved to voice VLAN 101 by OUI;
! VLANs 150 and 250 are carried only on the uplink Port-channel1.
vlan database
vlan 100-101,150,250
exit
!
! Voice VLAN assignment by phone OUI; the LLDP-MED policy below advertises VLAN 101 tagged, priority 4.
voice vlan id 101
voice vlan state oui-enabled
voice vlan oui-table add 6813e2
voice vlan oui-table add ecb1e0
!
! 802.1X is enabled globally; per-port settings (802.1X + MAB, RADIUS-assigned VLAN, guest VLAN) are in the range block below.
dot1x system-auth-control
!
lldp med network-policy 1 voice vlan 101 vlan-type tagged up 4
!
! Loop protection relies on loopback-detection (STP is disabled and BPDUs are filtered on access ports below);
! errdisable recovery re-enables a port shut by loopback-detection automatically.
loopback-detection enable
loopback-detection mode multicast-mac-addr
loopback-detection interval 1
!
errdisable recovery cause loopback-detection
!
! DHCP snooping and dynamic ARP inspection protect VLAN 100 only; the uplink is trusted in the Port-channel1 block.
! NOTE(review): voice VLAN 101 also reaches the access ports (via voice vlan) but is not covered -- confirm that is acceptable.
ip dhcp snooping
ip dhcp snooping vlan 100
!
!
ip arp inspection
ip arp inspection vlan 100
!
! NOTE(review): placeholder values -- substitute the real RADIUS server and a unique shared secret before deployment.
radius-server host 100.100.100.1 key {секретный ключ}
!
! Management over SSH only; telnet is explicitly disabled. No management access-list appears in this listing.
ip ssh server
!
no ip telnet server
!
! Client ports: 802.1X/MAB per session, at most 2 DHCP clients per port, per-class storm-control at 2048 kbps with a trap,
! protected-port isolates clients from each other at layer 2.
! NOTE(review): 'dot1x guest-vlan enable' is set but no guest VLAN id is present in this listing -- confirm (VLAN 150 "Guest" exists).
interface range gigabitethernet1/0/1-24
dot1x host-mode multi-sessions
loopback-detection enable
dot1x guest-vlan enable
dot1x authentication 802.1x mac
dot1x radius-attributes vendor-specific data-filter
dot1x radius-attributes vlan static
dot1x port-control auto
ip dhcp snooping limit clients 2
storm-control broadcast kbps 2048 trap
storm-control unicast kbps 2048 trap
storm-control multicast kbps 2048 trap
spanning-tree disable
spanning-tree bpdu filtering
switchport mode general
switchport general allowed vlan add 100 untagged
switchport general pvid 100
switchport protected-port
lldp med enable network-policy
lldp med network-policy add 1
voice vlan enable
exit
!
! Uplink: te1/0/1-2 bundled into Port-channel1.
interface tengigabitethernet1/0/1
channel-group 1 mode auto
exit
!
interface tengigabitethernet1/0/2
channel-group 1 mode auto
exit
!
! Uplink trunk: trusted for DAI and DHCP snooping; all four VLANs tagged; VLAN 1 kept off the link.
interface Port-channel1
ip arp inspection trust
ip dhcp snooping trust
switchport mode general
switchport general allowed vlan add 100-101,150,250 tagged
switchport forbidden default-vlan
exit
!
interface vlan 100
name Internet
exit
!
interface vlan 101
name VoIP
exit
!
interface vlan 150
name Guest
exit
!
! Management SVI; no default gateway appears in this listing.
interface vlan 250
name Management
ip address 10.250.0.30 255.255.255.0
exit
!
!
end