=======Конфигурация отказоустойчивого переключения между двумя провайдерами и NAT-Трансляции внутренней сети на Juniper SRX 220H cluster и Cisco 1941 ======= ==== Введение. ==== Есть два провайдера и внутренняя сеть INTERNAL_NET/24.\\ **Задача**:\\ сконфигурировать на Juniper SRX 220H и Cisco 1941 NAT-трансляцию внутренней сети и отказоустойчивое переключение между провайдерами.\\ {{:ru:jobs:2ispnat.jpg?700|700}} ==== Решение на Juniper SRX 220H Cluster. (При конфигурации не на кластере имена интерфейсов будут ge-0/0/N) ==== 1. Необходимые требования: **наличие версии %%JunOs%% не ниже 11**\\ 2. Конфигурация двух security zones на Juniper:\\ {primary:node1}[edit] set security zones security-zone ISPs interfaces reth0.0 set security zones security-zone ISPs interfaces reth1.0 set security zones security-zone Internal interfaces reth2.0 set security zones security-zone Internal address-book address INTERNAL_NET INTERNAL_NET/24 3. Конфигурация security policies\\ {primary:node1}[edit] set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match source-address INTERNAL_NET set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match destination-address any set security policies from zone Internal to zone ISPs policy Internal_to_ISPs match application any set security policies from zone Internal to zone ISPs policy Internal_to_ISPs then permit 4. Конфигурация шлюза по умолчанию. {primary:node1}[edit] set routing-options static route 0.0.0.0/0 next-hop IP_DG_ISP-1 set routing-options static route 0.0.0.0/0 qualified-next-hop IP_DG_ISP-2 preference 100 5. Конфигурация мониторинга провайдеров. Для примера будем мониториться шлюзы по умолчанию. {primary:node1}[edit] set services rpm probe First_ISP-Probe test First_ISP_GW target address IP_DG_ISP-1 set services rpm probe First_ISP-Probe test First_ISP_GW probe-count 10 set services rpm probe First_ISP-Probe test First_ISP_GW probe-interval 5 set services rpm probe First_ISP-Probe test First_ISP_GW test-interval 10 set services rpm probe First_ISP-Probe test First_ISP_GW thresholds successive-loss 10 set services rpm probe First_ISP-Probe test First_ISP_GW thresholds total-loss 5 set services rpm probe First_ISP-Probe test First_ISP_GW destination-interface reth0.0 set services rpm probe First_ISP-Probe test First_ISP_GW next-hop IP_DG_ISP-1 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW target address IP_DG_ISP-2 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW probe-count 10 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW probe-interval 5 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW test-interval 10 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW thresholds successive-loss 10 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW thresholds total-loss 5 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW destination-interface reth1.0 set services rpm probe Second_ISP-Probe test Second_ISP-Probe_GW next-hop IP_DG_ISP-2 set services ip-monitoring policy First_ISP-Tr match rpm-probe First_ISP-Probe set services ip-monitoring policy First_ISP-Tr then preferred-route route 0.0.0.0/0 next-hop IP_DG_ISP-2 set services ip-monitoring policy Second_ISP-tr match rpm-probe Second_ISP-Probe set services ip-monitoring policy Second_ISP-tr then preferred-route route 0.0.0.0/0 next-hop IP_DG_ISP-1 6. Конфигурация NAT {primary:node1}[edit] set security nat source rule-set From_Internal_to_ISPs from zone Internal set security nat source rule-set From_Internal_to_ISPs to zone ISPs set security nat source rule-set From_Internal_to_ISPs rule NAT_INTERNAL match source-address INTERNAL_NET/24 set security nat source rule-set From_Internal_to_ISPs rule NAT_INTERNAL then source-nat interface 7. Сохраним и применим созданную конфигурацию {primary:node1}[edit] commit ==== Решение на Cisco 1941. ==== 1. Необходимые требования: **наличие ios 15 и DATA лицензии**\\ 2. В связи с наличием только двух физических интерфейсов у cisco 1941 (в случае отсутствия модулей расширения) сконфигурируем dotq1. В данном слечае понадобится коммутатор с поддержкой dotq1 инкапсуляции. Провайдеры будут подключены к коммутатору.:\\ conf t int gi 0/0.1 description First_Provider encapsulation dot1Q 1 exit int gi 0/0.2 description Second_Provider encapsulation dot1Q 2 end Не забудьте настроить IP адреса на указанных выше интерфейсах conf t int gi 0/1 descriptions Internal Network exit 3. Конфигурация мониторинга conf t ip sla 1 icmp-echo IP_DG_ISP-1 source-interface GigabitEthernet0/0.1 timeout 2000 threshold 2000 frequency 3 exit ip sla schedule 1 life forever start-time now ip sla 2 icmp-echo IP_DG_ISP-2 source-interface GigabitEthernet0/0.2 timeout 2000 threshold 2000 frequency 3 exit ip sla schedule 2 life forever start-time now end 4. Конфигурация track conf t track 1 rtr 1 reachability delay down 60 up 30 exit track 2 rtr 2 reachability delay down 60 up 30 end 5. Конфигурация маршрутизации. conf t ip route 0.0.0.0 0.0.0.0 IP_DG_ISP-1 track 1 ip route 0.0.0.0 0.0.0.0 IP_DG_ISP-2 10 track 2 end 6. Конфигурация NAT conf t int gi 0/0.1 ip nat outside exit int gi 0/0.2 ip nat outside exit int gi 0/1 ip nat inside exit ip access-list 99 permit INTERNAL_NET 0.0.0.255 ip nat inside ip nat inside source list 99 interface gigabitEthernet 0/0.1 overload ip nat inside ip nat inside source list 99 interface gigabitEthernet 0/0.2 overload end 7. Создание скриптов для очистки NAT- таблицы при переключении между провайдерами и отображения в syslog conf t scheduler allocate 20000 1000 event manager directory user policy flash:/tcl event manager applet ISP_1_DOWN event syslog pattern "%TRACKING-5-STATE.*1 rtr 1 reachability Up->Down" action 1.0 cli command "enable" action 1.1 cli command "clear ip nat translation *" exit event manager applet ISP_1_UP event syslog pattern "%TRACKING-5-STATE.*1 rtr 1 reachability Down->Up" action 1.0 cli command "enable" action 1.1 cli command "clear ip nat translation *" exit event manager applet ISP_2_DOWN event syslog pattern "%TRACKING-5-STATE.*2 rtr 2 reachability Up->Down" action 1.0 cli command "enable" action 1.1 cli command "clear ip nat translation *" exit event manager applet ISP_2_UP event syslog pattern "%TRACKING-5-STATE.*2 rtr 2 reachability Down->Up" action 1.0 cli command "enable" action 1.1 cli command "clear ip nat translation *" end 8. Сохранение созданной конфигурацию wr ==== Об авторе ==== [[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|Profile]] автора