Конфигурация отказоустойчивого переключения между двумя провайдерами и NAT-Трансляции внутренней сети на Juniper SRX 220H cluster и Cisco 1941

Введение.

Есть два провайдера и внутренняя сеть INTERNAL_NET/24.
Задача:
сконфигурировать на Juniper SRX 220H и Cisco 1941 NAT-трансляцию внутренней сети и отказоустойчивое переключение между провайдерами.

700

Решение на Juniper SRX 220H Cluster. (При конфигурации не на кластере имена интерфейсов будут ge-0/0/N)

1. Необходимые требования: наличие версии JunOs не ниже 11

2. Конфигурация двух security zones на Juniper:

{primary:node1}[edit]
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone ISPs interfaces reth1.0
  
set security zones security-zone Internal interfaces reth2.0
set security zones security-zone Internal address-book address INTERNAL_NET INTERNAL_NET/24

3. Конфигурация security policies

{primary:node1}[edit]
set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match source-address INTERNAL_NET 
set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match destination-address any 
set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match application any 
set security policies from zone Internal to zone ISPs policy Internal_to_ISPs then permit

4. Конфигурация шлюза по умолчанию.

{primary:node1}[edit]
set routing-options static route 0.0.0.0/0 next-hop IP_DG_ISP-1
set routing-options static route 0.0.0.0/0 qualified-next-hop IP_DG_ISP-2 preference 100

5. Конфигурация мониторинга провайдеров. Для примера будем мониториться шлюзы по умолчанию.

 {primary:node1}[edit]
 set services rpm probe First_ISP-Probe test First_ISP_GW target address IP_DG_ISP-1
 set services rpm probe First_ISP-Probe test First_ISP_GW probe-count 10
 set services rpm probe First_ISP-Probe test First_ISP_GW probe-interval 5
 set services rpm probe First_ISP-Probe test First_ISP_GW test-interval 10
 set services rpm probe First_ISP-Probe test First_ISP_GW thresholds successive-loss 10
 set services rpm probe First_ISP-Probe test First_ISP_GW thresholds total-loss 5
 set services rpm probe First_ISP-Probe test First_ISP_GW destination-interface reth0.0
 set services rpm probe First_ISP-Probe test First_ISP_GW next-hop IP_DG_ISP-1
 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW target address IP_DG_ISP-2
 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW probe-count 10
 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW probe-interval 5
 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW test-interval 10
 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW thresholds successive-loss 10
 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW thresholds total-loss 5
 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW destination-interface reth1.0
 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW next-hop IP_DG_ISP-2
 set services ip-monitoring policy First_ISP-Tr match rpm-probe First_ISP-Probe
 set services ip-monitoring policy First_ISP-Tr then preferred-route route 0.0.0.0/0 next-hop IP_DG_ISP-2
 set services ip-monitoring policy Second_ISP-tr match rpm-probe Second_ISP-Probe
 set services ip-monitoring policy Second_ISP-tr then preferred-route route 0.0.0.0/0 next-hop IP_DG_ISP-1

6. Конфигурация NAT

{primary:node1}[edit]
set security nat source rule-set From_Internal_to_ISPs from zone Internal
set security nat source rule-set From_Internal_to_ISPs to zone ISPs
set security nat source rule-set From_Internal_to_ISPs rule NAT_INTERNAL match source-address INTERNAL_NET/24
set security nat source rule-set From_Internal_to_ISPs rule NAT_INTERNAL then source-nat interface

7. Сохраним и применим созданную конфигурацию

{primary:node1}[edit]
commit

Решение на Cisco 1941.

1. Необходимые требования: наличие ios 15 и DATA лицензии

2. В связи с наличием только двух физических интерфейсов у cisco 1941 (в случае отсутствия модулей расширения) сконфигурируем dotq1. В данном слечае понадобится коммутатор с поддержкой dotq1 инкапсуляции. Провайдеры будут подключены к коммутатору.:

conf t
int gi 0/0.1 
description First_Provider
encapsulation dot1Q 1
exit
int gi 0/0.2
description Second_Provider
encapsulation dot1Q 2
end

Не забудьте настроить IP адреса на указанных выше интерфейсах

conf t
int gi 0/1
descriptions Internal Network
exit

3. Конфигурация мониторинга

conf t
ip sla 1
icmp-echo IP_DG_ISP-1 source-interface GigabitEthernet0/0.1
timeout 2000
threshold 2000
frequency 3
exit
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo IP_DG_ISP-2 source-interface GigabitEthernet0/0.2
timeout 2000
threshold 2000
frequency 3
exit
ip sla schedule 2 life forever start-time now
end

4. Конфигурация track

conf t
track 1 rtr 1 reachability
delay down 60 up 30
exit
track 2 rtr 2 reachability
delay down 60 up 30
end

5. Конфигурация маршрутизации.

 conf t
 ip route 0.0.0.0 0.0.0.0 IP_DG_ISP-1 track 1
 ip route 0.0.0.0 0.0.0.0 IP_DG_ISP-2 10 track 2
 end

6. Конфигурация NAT

conf t
int gi 0/0.1
ip nat outside
exit
int gi 0/0.2
ip nat outside
exit
int gi 0/1
ip nat inside
exit

ip access-list 99 permit INTERNAL_NET 0.0.0.255
ip nat inside ip nat inside source list 99 interface gigabitEthernet 0/0.1 overload
ip nat inside ip nat inside source list 99 interface gigabitEthernet 0/0.2 overload 
end
 

7. Создание скриптов для очистки NAT- таблицы при переключении между провайдерами и отображения в syslog

conf t
scheduler allocate 20000 1000
event manager directory user policy flash:/tcl
event manager applet ISP_1_DOWN 
event syslog pattern "%TRACKING-5-STATE.*1 rtr 1 reachability Up->Down"
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation *"
exit
event manager applet ISP_1_UP 
event syslog pattern "%TRACKING-5-STATE.*1 rtr 1 reachability Down->Up"
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation *"
exit 
event manager applet ISP_2_DOWN 
event syslog pattern "%TRACKING-5-STATE.*2 rtr 2 reachability Up->Down"
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation *"
exit
event manager applet ISP_2_UP 
event syslog pattern "%TRACKING-5-STATE.*2 rtr 2 reachability Down->Up"
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation *"
end

8. Сохранение созданной конфигурацию

wr

Об авторе

Profile автора

ru/jobs/nat_2isp_juniper_srx_cisco.txt · Last modified: 2015/03/12 17:13 by admin
Recent changes RSS feed Debian Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki