
Enterprise Network - Migration Preparation Simulation

This lab was built to prepare for the migration of the internet router-switch before moving on to the live migration stage. The goals are to find out how long the downtime lasts, from moving the ports and configuration off the old router-switch onto the new switch; to measure how fast the HSRP active-standby switchover is on each router; and to find out how long it takes to reconfigure the IP addresses from the old port (1G) to the new port (10G) on the firewall devices until internet service is running normally again, so that the chance of a fallback/rollback is minimized.

Notes:
* The active HSRP router is R-INET-02 and the standby is R-INET-01.
* Firewall T1 (Palo) runs in HA mode; the active unit is FW-T1-01 because its Device Priority is lower, 50, while the secondary is FW-T1-02 with a Device Priority of 100, since the unit with the lowest priority value is chosen as active.
* Firewall T2 (Fortigate) runs in HA mode; the active unit is FW-T2-01 because its Device Priority is higher, 255, while the secondary is FW-T2-02 with a Device Priority of 128.

The configuration of each device follows:
Router R-ISP
interface GigabitEthernet0/1
 ip address 192.168.47.10 255.255.255.0
 ip nat outside
 no shut
 exit
!
interface GigabitEthernet0/2
 description ALLOT3_P2L4L3_IFORTEX-200M
 ip address 36.93.253.229 255.255.255.252
 ip nat inside
 no shut
 exit
!
interface GigabitEthernet0/0
 description ALLOT2_P4L4L3_TELCOM-200M
 ip address 103.158.58.137 255.255.255.252
 ip nat inside
 no shut
 exit
!

router bgp 17995
 bgp log-neighbor-changes
 redistribute static
 neighbor 36.93.253.230 remote-as 24205
 neighbor 36.93.253.230 description EBGP_to_IFORTE
 neighbor 36.93.253.230 version 4
 neighbor 36.93.253.230 next-hop-self
 neighbor 103.158.58.138 remote-as 24205
 neighbor 103.158.58.138 description EBGP_to_TELKOM
 neighbor 103.158.58.138 version 4
 neighbor 103.158.58.138 next-hop-self
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 192.168.47.2
ip route 202.191.3.0 255.255.255.0 103.158.58.138
!
access-list 1 permit any
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload

Router R-INET-01
hostname R-INET-01
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 202.191.13.253 255.255.255.252
 no shut
!
interface GigabitEthernet0/2
 description iFORTE
 ip address 103.158.58.138 255.255.255.252
 no shut
!
interface GigabitEthernet0/0
 description FIREWALL-TIER-1
 ip address 202.191.13.67 255.255.255.248
 standby 1 ip 202.191.13.65
 standby 1 preempt
 standby 1 version 2
 no shut
!
router bgp 24205
 bgp log-neighbor-changes
 neighbor 103.158.58.137 remote-as 17995
 neighbor 103.158.58.137 description EBGP_to_IFORTE
 neighbor 103.158.58.137 version 4
 neighbor 202.191.3.254 remote-as 24205
 neighbor 202.191.3.254 description IBGP-To-R-INET-02
 neighbor 202.191.13.254 remote-as 24205
 neighbor 202.191.13.254 description IBGP-To-R-INET-02
 neighbor 202.191.13.254 version 4
 !
 address-family ipv4
  network 10.1.1.1 mask 255.255.255.255
  network 202.191.13.0
  neighbor 103.158.58.137 activate
  neighbor 103.158.58.137 soft-reconfiguration inbound
  no neighbor 202.191.3.254 activate
  neighbor 202.191.13.254 activate
 exit-address-family
!
ip route 202.191.13.0 255.255.255.0 202.191.13.69
!

Router R-INET-02
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 202.191.13.254 255.255.255.252
 no shut
!
interface GigabitEthernet0/2
 description ALLOT3_P2L4L3_TLKM-200M
 ip address 36.93.253.230 255.255.255.252
 no shut
!
interface GigabitEthernet0/0
 description FIREWALL-TIER-1
 ip address 202.191.13.68 255.255.255.248
 standby 1 ip 202.191.13.65
 standby 1 preempt
 standby 1 priority 110
 standby 1 version 2
 standby 1 track 100 decrement 20
 no shut
!
! track 10 is referenced below, but its definition does not appear on this page
track 100 list boolean and
 object 10
 object 20
!
track 20 ip sla 12 reachability
!
ip sla 12
 icmp-echo 36.93.253.229 source-ip 36.93.253.230
 threshold 400
 timeout 2000
 frequency 5
!
ip sla schedule 12 life forever start-time now
!
router bgp 24205
 bgp log-neighbor-changes
 neighbor 36.93.253.229 remote-as 17995
 neighbor 36.93.253.229 description EBGP_TO_TELKOM
 neighbor 36.93.253.229 version 4
 neighbor 202.191.13.253 remote-as 24205
 neighbor 202.191.13.253 description IBGP-To-R-INET-01
 neighbor 202.191.13.253 version 4
 !
 address-family ipv4
  network 10.1.1.2 mask 255.255.255.255
  network 202.191.13.0
  neighbor 36.93.253.229 activate
  neighbor 36.93.253.229 remove-private-as
  neighbor 36.93.253.229 soft-reconfiguration inbound
  neighbor 202.191.13.253 activate
  neighbor 202.191.13.253 next-hop-self
 exit-address-family
!
ip route 202.191.13.0 255.255.255.0 202.191.13.69
!

VERIFICATION

SW-INET-01 and SW-INET-02
vlan 11
vlan 12
!
interface Ethernet0/0
 switchport access vlan 11
 switchport mode access
!
interface Ethernet0/1
 switchport access vlan 11
 switchport mode access
!
interface Ethernet0/3
 switchport access vlan 12
 switchport mode access
!
interface Ethernet1/0
 switchport access vlan 12
 switchport mode access
!
interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
SW-EDGE-01
vlan 10
vlan 30

spanning-tree vlan 10,20 priority 4096
spanning-tree vlan 30,40 priority 8192
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 ip ospf 100 area 0
!
interface GigabitEthernet0/0
 switchport access vlan 152
 no shut
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/2
 no switchport
 ip address 10.92.253.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 100
 no shut
!

interface GigabitEthernet0/3
 switchport access vlan 152
 negotiation auto
!
interface GigabitEthernet1/0
 switchport access vlan 10
 switchport mode access
 negotiation auto
!
interface Vlan10
 description vlan10
 ip address 10.0.1.2 255.255.255.0
 no ip redirects
 standby 6 ip 10.0.1.1
 standby 6 priority 110
 standby 6 preempt
 ip ospf 100 area 0
!
interface Vlan30
 description vlan30
 ip address 10.0.3.2 255.255.255.0
 no ip redirects
 standby 6 ip 10.0.3.1
 standby 6 priority 90
 standby 6 preempt
 ip ospf 100 area 0
!
interface Vlan152
 ip address 10.150.6.26 255.255.255.248
 standby 6 ip 10.150.6.25
 standby 6 priority 110
 standby 6 preempt
 ip ospf 100 area 0
!
router ospf 100
 redistribute static subnets
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.150.6.28 name default


**Note:
following what is mostly done in production, on EDGE01 and EDGE02 in the server-farm area it is better to use service hsrp instead of standby.

SW-EDGE-02
vlan 10
vlan 30
spanning-tree vlan 10,20 priority 8192
spanning-tree vlan 30,40 priority 4096
!
interface Loopback0
 ip address 10.1.1.4 255.255.255.255
 ip ospf 100 area 0
!
interface GigabitEthernet0/0
 switchport access vlan 152
 no shut
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
interface GigabitEthernet0/2
 no switchport
 ip address 10.92.253.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 100
 no shut
!
interface GigabitEthernet0/3
 switchport access vlan 152
 no shut
!
interface GigabitEthernet1/0
 switchport access vlan 10
 switchport mode access
 no shut
!
interface Vlan10
 description vlan10
 ip address 10.0.1.3 255.255.255.0
 no ip redirects
 standby 6 ip 10.0.1.1
 standby 6 priority 90
 standby 6 preempt
 ip ospf 100 area 0
!
interface Vlan30
 description vlan30
 ip address 10.0.3.3 255.255.255.0
 no ip redirects
 standby 6 ip 10.0.3.1
 standby 6 priority 110
 standby 6 preempt
 ip ospf 100 area 0
!
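! The address and priority below are identical to Vlan152 on SW-EDGE-01;
! HSRP peers need distinct interface addresses
interface Vlan152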
 ip address 10.150.6.26 255.255.255.248
 standby 6 ip 10.150.6.25
 standby 6 priority 110
 standby 6 preempt
 ip ospf 100 area 0
!
router ospf 100
 redistribute static subnets
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.150.6.28 name default

!
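A pre-cutover sanity check for the HSRP pairs listed above, as an added example that is not part of the original post: it parses constructed excerpts of those configurations, works out which peer should be active, and flags peers that share an interface address or a priority. The function names `hsrp_members` and `audit` are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpts of the HSRP interfaces from the configurations above.
CONFIGS = {
    "R-INET-01": "interface GigabitEthernet0/0\n ip address 202.191.13.67 255.255.255.248\n"
                 " standby 1 ip 202.191.13.65\n standby 1 preempt\n",
    "R-INET-02": "interface GigabitEthernet0/0\n ip address 202.191.13.68 255.255.255.248\n"
                 " standby 1 ip 202.191.13.65\n standby 1 priority 110\n",
    "SW-EDGE-01": "interface Vlan152\n ip address 10.150.6.26 255.255.255.248\n"
                  " standby 6 ip 10.150.6.25\n standby 6 priority 110\n",
    "SW-EDGE-02": "interface Vlan152\n ip address 10.150.6.26 255.255.255.248\n"
                  " standby 6 ip 10.150.6.25\n standby 6 priority 110\n",
}

def hsrp_members(configs):
    """Return {virtual_ip: {device: (interface_ip, priority)}}."""
    groups = defaultdict(dict)
    for dev, text in configs.items():
        for stanza in re.split(r"^(?=interface )", text, flags=re.M):
            ip = re.search(r"^ ip address (\S+)", stanza, re.M)
            if not ip:
                continue
            for gid, vip in re.findall(r"^ standby (\d+) ip (\S+)", stanza, re.M):
                prio = re.search(rf"^ standby {gid} priority (\d+)", stanza, re.M)
                # IOS uses HSRP priority 100 when none is configured
                groups[vip][dev] = (ip.group(1), int(prio.group(1)) if prio else 100)
    return groups

def audit(configs):
    """Return {virtual_ip: (expected_active_or_None, [problems])}."""
    report = {}
    for vip, members in hsrp_members(configs).items():
        problems = []
        ips = [ip for ip, _ in members.values()]
        if len(set(ips)) < len(ips):
            problems.append("duplicate interface IP")
        if len(members) > 1 and len({p for _, p in members.values()}) == 1:
            problems.append("priority tie")
        # Highest priority wins; a tie falls back to the highest interface IP.
        best = max(members, key=lambda d: (members[d][1], ipaddress.ip_address(members[d][0])))
        report[vip] = (None if "duplicate interface IP" in problems else best, problems)
    return report

if __name__ == "__main__":
    for vip, (active, problems) in audit(CONFIGS).items():
        print(vip, "active:", active, "problems:", problems or "none")
```

Running the same check against the full device configurations before the live migration confirms that the expected active router matches the notes and that no pair would come up with conflicting addresses.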

FIREWALL CONFIGURATION - T1 and T2

FW-T1-01
IP Mgmt

IP Interfaces

Routing Static

NAT

Security Policy

HA (FW-T1-01)
At this stage, configure the HA section in the menu Device High Availability --> General. The Primary/Active value is set to 100, while the secondary/Passive is set to 200; the Primary/Active unit is the one with the lowest priority value, i.e. 100.

Device High Availability --> HA Communication
Device High Availability --> Link and Path Monitoring

Apply the same settings on firewall FW-T1-02; the difference is that its priority is set to 200 (higher), because it will be the secondary/passive firewall. As a result, the HA Dashboard shows that the Primary and Secondary firewalls have formed.

Firewall FW-T2-01
HA (High Availability): the value 225 is the highest and becomes primary, while the secondary value is 128.

Interfaces


Routing


Firewall Policy



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 
