Configuring failover between two providers and NAT for the internal network on a Juniper SRX 220H cluster and a Cisco 1941
Introduction.
There are two providers and an internal network INTERNAL_NET/24.
Task:
configure NAT for the internal network and failover between the providers on a Juniper SRX 220H and on a Cisco 1941.
Solution on the Juniper SRX 220H cluster. (On a standalone device rather than a cluster, the interface names will be ge-0/0/N instead of rethN.)
1. Prerequisites: Junos version 11 or later.
2. Configure two security zones on the Juniper:
{primary:node1}[edit]
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone ISPs interfaces reth1.0
set security zones security-zone Internal interfaces reth2.0
set security zones security-zone Internal address-book address INTERNAL_NET INTERNAL_NET/24
3. Configure security policies
{primary:node1}[edit]
set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match source-address INTERNAL_NET
set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match destination-address any
set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match application any
set security policies from zone Internal to zone ISPs policy Internal_to_ISPs then permit
4. Configure the default gateway.
{primary:node1}[edit]
set routing-options static route 0.0.0.0/0 next-hop IP_DG_ISP-1
set routing-options static route 0.0.0.0/0 qualified-next-hop IP_DG_ISP-2 preference 100
5. Configure provider monitoring. In this example the default gateways themselves are monitored.
{primary:node1}[edit]
set services rpm probe First_ISP-Probe test First_ISP_GW target address IP_DG_ISP-1
set services rpm probe First_ISP-Probe test First_ISP_GW probe-count 10
set services rpm probe First_ISP-Probe test First_ISP_GW probe-interval 5
set services rpm probe First_ISP-Probe test First_ISP_GW test-interval 10
set services rpm probe First_ISP-Probe test First_ISP_GW thresholds successive-loss 10
set services rpm probe First_ISP-Probe test First_ISP_GW thresholds total-loss 5
set services rpm probe First_ISP-Probe test First_ISP_GW destination-interface reth0.0
set services rpm probe First_ISP-Probe test First_ISP_GW next-hop IP_DG_ISP-1
set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW target address IP_DG_ISP-2
set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW probe-count 10
set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW probe-interval 5
set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW test-interval 10
set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW thresholds successive-loss 10
set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW thresholds total-loss 5
set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW destination-interface reth1.0
set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW next-hop IP_DG_ISP-2
set services ip-monitoring policy First_ISP-Tr match rpm-probe First_ISP-Probe
set services ip-monitoring policy First_ISP-Tr then preferred-route route 0.0.0.0/0 next-hop IP_DG_ISP-2
set services ip-monitoring policy Second_ISP-tr match rpm-probe Second_ISP-Probe
set services ip-monitoring policy Second_ISP-tr then preferred-route route 0.0.0.0/0 next-hop IP_DG_ISP-1
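The following Python model is an added example, not part of the original article and not Juniper code. It applies the thresholds configured above (probe-count 10, total-loss 5, successive-loss 10) to constructed probe results and then applies the two ip-monitoring policies to the step 4 default routes, assuming the Junos defaults of preference 5 for a plain static route and preference 1 for a route installed by ip-monitoring preferred-route. The gateway names are the page's placeholders.

```python
"""Model of how the RPM thresholds and ip-monitoring policies select the default route.
Added illustration, not Junos code; IP_DG_ISP-1 / IP_DG_ISP-2 are the page's placeholders."""

# Values copied from the RPM configuration above.
PROBE_COUNT = 10        # probe-count 10
SUCCESSIVE_LOSS = 10    # thresholds successive-loss 10
TOTAL_LOSS = 5          # thresholds total-loss 5

IP_DG_ISP_1 = "IP_DG_ISP-1"
IP_DG_ISP_2 = "IP_DG_ISP-2"

# Step 4: a plain static route gets Junos' default preference 5 (assumed here),
# the qualified-next-hop carries the explicit preference 100.
STATIC_ROUTES = {IP_DG_ISP_1: 5, IP_DG_ISP_2: 100}
# A preferred-route installed by an ip-monitoring policy gets preference 1 (assumed default).
PREFERRED_ROUTE_PREFERENCE = 1


def tripped_thresholds(results):
    """Return the set of threshold names a finished test trips.

    `results` holds PROBE_COUNT booleans, True where the probe received a reply.
    """
    if len(results) != PROBE_COUNT:
        raise ValueError(f"expected {PROBE_COUNT} probe results, got {len(results)}")
    tripped = set()
    if results.count(False) >= TOTAL_LOSS:
        tripped.add("total-loss")
    run = longest = 0
    for ok in results:
        run = 0 if ok else run + 1
        longest = max(longest, run)
    if longest >= SUCCESSIVE_LOSS:
        tripped.add("successive-loss")
    return tripped


def rpm_test_failed(results):
    """An RPM test fails as soon as any configured threshold is crossed."""
    return bool(tripped_thresholds(results))


def default_route_next_hops(first_isp_results, second_isp_results):
    """Apply both ip-monitoring policies and return the next hop(s) of the winning 0.0.0.0/0."""
    routes = dict(STATIC_ROUTES)
    if rpm_test_failed(first_isp_results):      # policy First_ISP-Tr
        routes[IP_DG_ISP_2] = PREFERRED_ROUTE_PREFERENCE
    if rpm_test_failed(second_isp_results):     # policy Second_ISP-tr
        routes[IP_DG_ISP_1] = PREFERRED_ROUTE_PREFERENCE
    best = min(routes.values())
    # Lowest preference wins; several next hops are returned only when they tie.
    return sorted(nh for nh, pref in routes.items() if pref == best)


if __name__ == "__main__":
    # Constructed probe results for one test each.
    ALL_OK = [True] * PROBE_COUNT
    ALL_LOST = [False] * PROBE_COUNT
    HALF_LOST = [True, False] * (PROBE_COUNT // 2)
    print(default_route_next_hops(ALL_OK, ALL_OK))        # ['IP_DG_ISP-1']
    print(default_route_next_hops(ALL_LOST, ALL_OK))      # ['IP_DG_ISP-2']
    print(default_route_next_hops(ALL_OK, HALF_LOST))     # ['IP_DG_ISP-1']
    print(default_route_next_hops(ALL_LOST, ALL_LOST))    # ['IP_DG_ISP-1', 'IP_DG_ISP-2']
    print(tripped_thresholds(ALL_LOST))                   # {'total-loss', 'successive-loss'}
```

Two things the model makes visible: with total-loss 5 in a 10-probe test, successive-loss 10 can never be the first threshold to trip, so it adds nothing here; and if both probes fail at the same time, both policies install a preference-1 route towards the other provider, so the two next hops tie instead of one of them winning.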
6. Configure NAT
{primary:node1}[edit]
set security nat source rule-set From_Internal_to_ISPs from zone Internal
set security nat source rule-set From_Internal_to_ISPs to zone ISPs
set security nat source rule-set From_Internal_to_ISPs rule NAT_INTERNAL match source-address INTERNAL_NET/24
set security nat source rule-set From_Internal_to_ISPs rule NAT_INTERNAL then source-nat interface
7. Save and apply the configuration
{primary:node1}[edit]
commit
Solution on the Cisco 1941.
1. Prerequisites: IOS 15 and the DATA license
2. Because the Cisco 1941 has only two physical interfaces (without expansion modules), we configure dot1Q subinterfaces. This requires a switch that supports dot1Q encapsulation; the providers are connected to that switch:
conf t
int gi 0/0.1
description First_Provider
encapsulation dot1Q 1
exit
int gi 0/0.2
description Second_Provider
encapsulation dot1Q 2
end
Do not forget to configure IP addresses on the interfaces above.
conf t
int gi 0/1
description Internal Network
end
3. Configure monitoring
conf t
ip sla 1
icmp-echo IP_DG_ISP-1 source-interface GigabitEthernet0/0.1
timeout 2000
threshold 2000
frequency 3
exit
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo IP_DG_ISP-2 source-interface GigabitEthernet0/0.2
timeout 2000
threshold 2000
frequency 3
exit
ip sla schedule 2 life forever start-time now
end
4. Configure tracking objects
conf t
track 1 rtr 1 reachability
delay down 60 up 30
exit
track 2 rtr 2 reachability
delay down 60 up 30
end
5. Configure routing.
conf t
ip route 0.0.0.0 0.0.0.0 IP_DG_ISP-1 track 1
ip route 0.0.0.0 0.0.0.0 IP_DG_ISP-2 10 track 2
end
6. Configure NAT
conf t
int gi 0/0.1
ip nat outside
exit
int gi 0/0.2
ip nat outside
exit
int gi 0/1
ip nat inside
exit
access-list 99 permit INTERNAL_NET 0.0.0.255
! A single ACL cannot be bound to two dynamic NAT rules (the second
! 'ip nat inside source list 99 ...' line would replace the first), so each
! outside interface gets its own route-map that also matches the egress
! interface. The route-map names are arbitrary.
route-map NAT_ISP1 permit 10
 match ip address 99
 match interface GigabitEthernet0/0.1
route-map NAT_ISP2 permit 10
 match ip address 99
 match interface GigabitEthernet0/0.2
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0.2 overload
end
7. Create scripts (EEM applets) that clear the NAT table on provider switchover, triggered by the track state-change messages in syslog
conf t
scheduler allocate 20000 1000
event manager directory user policy flash:/tcl
event manager applet ISP_1_DOWN
event syslog pattern "%TRACKING-5-STATE.*1 rtr 1 reachability Up->Down"
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation *"
exit
event manager applet ISP_1_UP
event syslog pattern "%TRACKING-5-STATE.*1 rtr 1 reachability Down->Up"
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation *"
exit
event manager applet ISP_2_DOWN
event syslog pattern "%TRACKING-5-STATE.*2 rtr 2 reachability Up->Down"
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation *"
exit
event manager applet ISP_2_UP
event syslog pattern "%TRACKING-5-STATE.*2 rtr 2 reachability Down->Up"
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation *"
end
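The following Python script is an added example, not part of the original article and not Cisco code. It takes the four 'event syslog pattern' strings above verbatim, applies them as regular expressions to constructed syslog lines, and walks a toy PAT table through a failover to show why 'clear ip nat translation *' is needed: an existing translation stays bound to the outside address it was created with even after the default route has moved. All addresses and log lines are constructed for the example; the exact wording of the TRACKING message varies between IOS releases, so the patterns should always be checked against 'show logging' on the actual router.

```python
"""Added illustration (not Cisco code) of what the EEM applets react to and why they
clear the NAT table. Log lines and addresses are constructed for this example."""
import re

# The 'event syslog pattern' strings from the four applets, verbatim. EEM searches the
# pattern anywhere in the message, so re.search() mirrors its behaviour.
APPLET_PATTERNS = {
    "ISP_1_DOWN": r"%TRACKING-5-STATE.*1 rtr 1 reachability Up->Down",
    "ISP_1_UP":   r"%TRACKING-5-STATE.*1 rtr 1 reachability Down->Up",
    "ISP_2_DOWN": r"%TRACKING-5-STATE.*2 rtr 2 reachability Up->Down",
    "ISP_2_UP":   r"%TRACKING-5-STATE.*2 rtr 2 reachability Down->Up",
}
COMPILED = {name: re.compile(pat) for name, pat in APPLET_PATTERNS.items()}

# Constructed addresses from the RFC 5737 documentation ranges.
INSIDE_HOST = "192.0.2.10"       # stands in for a host in INTERNAL_NET/24
ISP1_OUTSIDE = "203.0.113.1"     # address configured on Gi0/0.1
ISP2_OUTSIDE = "198.51.100.1"    # address configured on Gi0/0.2
REMOTE = "203.0.113.250"         # some server on the Internet

# Constructed syslog lines. Lines 1 and 4 use the wording the applets expect; line 2
# uses the 'ip sla' / spaced-arrow wording some IOS releases log instead, which the
# patterns above do NOT match. Line 3 is an unrelated interface message.
SAMPLE_SYSLOG = [
    "Mar  1 10:00:01.123: %TRACKING-5-STATE: 1 rtr 1 reachability Up->Down",
    "Mar  1 10:00:02.456: %TRACKING-5-STATE: 1 ip sla 1 reachability Up -> Down",
    "Mar  1 10:00:03.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet0/0.1, changed state to down",
    "Mar  1 10:05:00.000: %TRACKING-5-STATE: 1 rtr 1 reachability Down->Up",
]


def matching_applets(line):
    """Names of the applets that would fire for one syslog line."""
    return [name for name, rx in COMPILED.items() if rx.search(line)]


class PatTable:
    """Toy overload (PAT) table: inside flow -> outside address it was first bound to."""

    def __init__(self):
        self.entries = {}

    def translate(self, flow, egress_addr):
        # An existing entry is reused even if the default route now leaves via the
        # other provider; only a fresh flow is bound to the current egress address.
        return self.entries.setdefault(flow, egress_addr)

    def clear(self):
        self.entries.clear()


def process_syslog(lines, table, clear_on_match=True):
    """Feed syslog lines through the applet patterns; return the applets that fired."""
    fired = []
    for line in lines:
        hits = matching_applets(line)
        fired.extend(hits)
        if hits and clear_on_match:
            table.clear()        # action 1.1 cli command "clear ip nat translation *"
    return fired


def failover_scenario(clear_on_match=True):
    """Bind a flow via ISP-1, process the failover messages, then see which outside
    address the same flow uses after the default route has moved to ISP-2."""
    table = PatTable()
    flow = (INSIDE_HOST, 40000, REMOTE, 443)
    before = table.translate(flow, ISP1_OUTSIDE)
    fired = process_syslog(SAMPLE_SYSLOG[:3], table, clear_on_match)  # up to the failover
    after = table.translate(flow, ISP2_OUTSIDE)
    return before, fired, after


if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        print(matching_applets(line), line)
    print("with applets:   ", failover_scenario(True))
    print("without applets:", failover_scenario(False))
```

Without the applet the flow keeps its translation to ISP-1's address after the default route has moved to ISP-2, so replies never come back; with the applet the table is emptied and the flow is re-translated to ISP-2's address. The second sample line shows the other failure mode: a message wording the pattern does not match leaves the stale table in place with no error anywhere.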
8. Save the configuration
wr