
Cisco | Enterprise Internet Router
























hostname R-ISP-A
!
! R-ISP-A: simulated upstream ISP (AS 10651). Runs eBGP towards the two
! enterprise edge routers R-INET-01 (AS 20651) and R-INET-02 (AS 20652) and
! PAT-translates everything arriving from them out of Ethernet0/1.
!
! Interfaces, lowest number first. "ip nat inside" faces the enterprise
! routers, "ip nat outside" faces the upstream ("OTB") side.
interface Ethernet0/0
 description to R-INET-01
 ip address 10.10.10.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description to-OTB-1
 ip address 10.0.137.2 255.255.255.0
 ip nat outside
 no shutdown
!
interface Ethernet0/2
 description to R-INET-02
 ip address 10.11.11.2 255.255.255.252
 ip nat inside
 no shutdown
!
! Static routing: default towards the upstream, and the enterprise /24 via
! R-INET-01 with a floating copy (AD 2) via R-INET-02 as backup.
ip route 0.0.0.0 0.0.0.0 10.0.137.1
ip route 202.191.100.0 255.255.255.0 10.10.10.1
ip route 202.191.100.0 255.255.255.0 10.11.11.1 2
!
! eBGP to the edge routers. The statics above are redistributed and the
! default is originated towards both peers.
! NOTE(review): the sessions carry no "neighbor ... password", ttl-security,
! prefix-list or maximum-prefix protection. Acceptable in a lab; a real
! peering should add them so a spoofed or misconfigured peer cannot inject
! or flood routes.
router bgp 10651
 redistribute static
 default-information originate
 neighbor 10.10.10.1 remote-as 20651
 neighbor 10.10.10.1 description to R-INET-01
 neighbor 10.10.10.1 version 4
 neighbor 10.10.10.1 next-hop-self
 neighbor 10.11.11.1 remote-as 20652
 neighbor 10.11.11.1 description R-INET-02
 neighbor 10.11.11.1 version 4
 neighbor 10.11.11.1 next-hop-self
!
! PAT: ACL 1 matches every source, all of it is translated to Ethernet0/1's
! address (overload).
access-list 1 permit any
ip nat inside source list 1 interface Ethernet0/1 overload
end
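hostname R-ISP-B
!
! R-ISP-B: second simulated upstream ISP (AS 10652). Mirror of R-ISP-A:
! eBGP towards R-INET-02 (primary path, AS 20652) and R-INET-01 (AS 20651),
! PAT out of Ethernet0/1 towards the upstream.
interface Ethernet0/0
 description to R-INET-02
 ip address 10.12.12.2 255.255.255.252
 ip nat inside
 no shut
 exit
!
interface Ethernet0/2
 description to R-INET-01
 ip address 10.13.13.2 255.255.255.252
 ip nat inside
 no shut
 exit
!
interface Ethernet0/1
 description to-OTB-2-iFORTEX
 ip address 192.168.31.200 255.255.255.0
 ip nat outside
 no shut
 exit
!
! NOTE(review): as on R-ISP-A, no password / ttl-security / prefix filtering
! on the eBGP sessions; fine for a lab only.
router bgp 10652
 redistribute static
 neighbor 10.13.13.1 remote-as 20651
 neighbor 10.13.13.1 description to R-INET-01
 neighbor 10.13.13.1 version 4
 neighbor 10.13.13.1 next-hop-self
 neighbor 10.12.12.1 remote-as 20652
 ! FIX: was "neighbor 102.12.12.1 description ...". IOS rejects a description
 ! for an undefined neighbor, so the R-INET-02 session was left undescribed.
 neighbor 10.12.12.1 description R-INET-02
 neighbor 10.12.12.1 version 4
 neighbor 10.12.12.1 next-hop-self
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 192.168.31.2
ip route 202.191.100.0 255.255.255.0 10.13.13.1
! FIX: the floating backup pointed at 12.12.12.1 (typo for 10.12.12.1). That
! next hop is not on any connected link, so it would have recursed via the
! default route and sent enterprise-bound traffic towards the upstream
! whenever the primary via 10.13.13.1 was withdrawn.
ip route 202.191.100.0 255.255.255.0 10.12.12.1 2
!
! PAT: ACL 1 matches every source, translated to Ethernet0/1's address.
access-list 1 permit any
!
ip nat inside source list 1 interface Ethernet0/1 overload
end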
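hostname R-INET-01
!
! R-INET-01: primary enterprise internet edge router (AS 20651). eBGP to
! both ISPs, BGP to R-INET-02 over the 202.191.100.252/30 link, and HSRP
! active (priority 110) on the firewall-facing /29. HSRP priority is tied to
! tracked reachability of the two ISP next hops so the gateway moves to
! R-INET-02 when the uplinks are lost.
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
 description ISP-A
 ip address 10.10.10.1 255.255.255.252
 no shut
!
interface Ethernet0/3
 description R-ISP-B
 ip address 10.13.13.1 255.255.255.252
 no shut
!
interface Ethernet0/2
 description R-INET-02
 ip address 202.191.100.253 255.255.255.252
 no shut
!
interface Ethernet0/1
 description FIREWALL-TIER-1
 ip address 202.191.100.67 255.255.255.248
 standby 1 ip 202.191.100.69
 standby 1 preempt
 standby 1 priority 110
 ! 110 - 20 = 90 falls below R-INET-02's default priority (100), so the VIP
 ! fails over as soon as track 100 goes down.
 standby 1 track 100 decrement 20
 no shut
!
! NOTE(review): HSRP group 1 has no "standby 1 authentication"; any host on
! the firewall /29 could claim the VIP. Consider md5 authentication.
!
! Track objects: 10 = ISP-A next hop reachable, 20 = ISP-B next hop
! reachable, 100 = list of both. "boolean and" means the loss of EITHER
! uplink takes track 100 down and triggers HSRP failover while the other
! uplink is still usable; use "boolean or" if failover should wait until
! both are lost. Confirm which behaviour is intended.
track 10 ip sla 11 reachability
!
track 20 ip sla 12 reachability
!
track 100 list boolean and
 object 10
 object 20
!
! IP SLA probes: ICMP echo to each ISP's side of the /30 every 5 s,
! 2 s timeout (threshold <= timeout <= frequency, as IOS requires).
ip sla 11
 icmp-echo 10.10.10.2 source-ip 10.10.10.1
 threshold 400
 timeout 2000
 frequency 5
!
ip sla schedule 11 life forever start-time now
!
ip sla 12
 icmp-echo 10.13.13.2 source-ip 10.13.13.1
 threshold 400
 timeout 2000
 frequency 5
!
ip sla schedule 12 life forever start-time now
!
router bgp 20651
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 10651
 neighbor 10.10.10.2 description ISP-A
 neighbor 10.10.10.2 version 4
 neighbor 10.13.13.2 remote-as 10652
 ! FIX: 10.13.13.2 is R-ISP-B (AS 10652); the description said ISP-A.
 neighbor 10.13.13.2 description ISP-B
 neighbor 10.13.13.2 version 4
 ! NOTE(review): R-INET-02 is in AS 20652, so this is an eBGP session
 ! despite the "IBGP" name, and next-hop-self below is a no-op on it.
 ! Confirm whether both edge routers were meant to share one AS.
 neighbor 202.191.100.254 remote-as 20652
 neighbor 202.191.100.254 description IBGP-To-R-INET-02
 neighbor 202.191.100.254 version 4
 !
 address-family ipv4
  network 10.1.1.1 mask 255.255.255.255
  network 202.191.100.0
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 soft-reconfiguration inbound
  neighbor 10.13.13.2 activate
  neighbor 10.13.13.2 soft-reconfiguration inbound
  neighbor 202.191.100.254 activate
  neighbor 202.191.100.254 soft-reconfiguration inbound
  neighbor 202.191.100.254 next-hop-self
 exit-address-family
!
! NOTE(review): neither ISP session has "neighbor ... password",
! ttl-security, an inbound prefix-list or maximum-prefix; add them outside
! a lab so a rogue or misconfigured upstream cannot inject routes.
!
! FIX: moved out of the BGP address-family block; "ip route" is a global
! command. This exact-match static is what makes "network 202.191.100.0"
! eligible for advertisement (202.191.100.65 is on the firewall /29).
ip route 202.191.100.0 255.255.255.0 202.191.100.65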
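hostname R-INET-02
!
! R-INET-02: secondary enterprise internet edge router (AS 20652). eBGP to
! both ISPs (ISP-B on Ethernet0/0, ISP-A on Ethernet0/3), BGP to R-INET-01
! over 202.191.100.252/30, HSRP standby (default priority 100) on the
! firewall-facing /29.
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
!
interface Ethernet0/0
 ! FIX: 10.12.12.1/30 peers with R-ISP-B (10.12.12.2); description said ISP-A.
 description ISP-B
 ip address 10.12.12.1 255.255.255.252
 no shut
!
interface Ethernet0/3
 ! FIX: 10.11.11.1/30 peers with R-ISP-A (10.11.11.2); description said R-ISP-B.
 description R-ISP-A
 ip address 10.11.11.1 255.255.255.252
 no shut
!
interface Ethernet0/2
 ! FIX: this router is R-INET-02; the far end of the /30 is R-INET-01.
 description R-INET-01
 ip address 202.191.100.254 255.255.255.252
 no shut
!
interface Ethernet0/1
 description FIREWALL-TIER-1
 ip address 202.191.100.68 255.255.255.248
 standby 1 ip 202.191.100.69
 standby 1 preempt
 no shut
!
! NOTE(review): unlike R-INET-01 there is no "standby 1 track ..." here, so
! while R-INET-02 holds the VIP a loss of both of its uplinks does not move
! the gateway back until R-INET-01 recovers and preempts. HSRP group 1 also
! has no authentication configured (same caveat as on R-INET-01).
!
router bgp 20652
 bgp log-neighbor-changes
 neighbor 10.11.11.2 remote-as 10651
 neighbor 10.11.11.2 description ISP-A
 neighbor 10.11.11.2 version 4
 neighbor 10.12.12.2 remote-as 10652
 neighbor 10.12.12.2 description ISP-B
 neighbor 10.12.12.2 version 4
 ! NOTE(review): R-INET-01 is in AS 20651, so this is an eBGP session
 ! despite the "IBGP" name (next-hop-self below is then a no-op). Confirm
 ! whether both edge routers were meant to share one AS.
 neighbor 202.191.100.253 remote-as 20651
 ! FIX: the peer at .253 is R-INET-01, not this router.
 neighbor 202.191.100.253 description IBGP-To-R-INET-01
 neighbor 202.191.100.253 version 4
 !
 address-family ipv4
  network 10.2.2.2 mask 255.255.255.255
  network 202.191.100.0
  neighbor 10.11.11.2 activate
  neighbor 10.11.11.2 soft-reconfiguration inbound
  ! FIX: was 10.13.13.2, which is not a neighbor of this router (it is
  ! R-ISP-B's link towards R-INET-01). IOS rejects those two lines, so the
  ! ISP-B session ran without soft-reconfiguration (it was still activated
  ! by the default ipv4-unicast behaviour).
  neighbor 10.12.12.2 activate
  neighbor 10.12.12.2 soft-reconfiguration inbound
  neighbor 202.191.100.253 activate
  neighbor 202.191.100.253 soft-reconfiguration inbound
  neighbor 202.191.100.253 next-hop-self
 exit-address-family
!
! NOTE(review): no "neighbor ... password", ttl-security, prefix-list or
! maximum-prefix on the ISP sessions; add them outside a lab.
!
! Exact-match static for "network 202.191.100.0"; 202.191.100.65 is on the
! firewall-facing /29 (presumably the firewall's outside address).
ip route 202.191.100.0 255.255.255.0 202.191.100.65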
hostname SW-INET-01
!
! SW-INET-01: layer-2 switch between the edge routers and the firewall.
! VLAN 11 carries router <-> firewall OUTSIDE, VLAN 12 carries firewall
! INSIDE <-> edge switch. Ethernet1/0 and 1/1 are dot1q trunks carrying both
! VLANs (the far ends are not shown; presumably SW-INET-02 / the second
! firewall per the note below the config).
!
vlan 11
vlan 12
!
! Access ports, lowest number first.
interface Ethernet0/0
 description to-R1
 switchport mode access
 switchport access vlan 11
 no shutdown
!
interface Ethernet0/1
 description to-SW-EDGE-01
 switchport mode access
 switchport access vlan 12
 no shutdown
!
interface Ethernet0/2
 description to-FW-PA-01-OUTSIDE
 switchport mode access
 switchport access vlan 11
 no shutdown
!
interface Ethernet0/3
 description to-FW-PA-01-INSIDE
 switchport mode access
 switchport access vlan 12
 no shutdown
!
! Trunks. NOTE(review): they allow every VLAN and keep the default native
! VLAN 1; "switchport trunk allowed vlan 11,12" and a dedicated native VLAN
! would limit what leaks across if a trunk port is ever repurposed.
interface Ethernet1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface Ethernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
Noted: Lakukan pengaturan yang sama di switch SW-INET-02.
-------------SW-EDGE-------
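hostname  SW-EDGE-01
!
! SW-EDGE-01: first of a pair of layer-3 edge switches. HSRP group 6 on each
! SVI provides the user gateways; OSPF 100 area 0 on the SVIs and loopback,
! plus a routed point-to-point area 100 link (Ethernet0/3) to SW-EDGE-02.
! The default route points at 10.16.16.4 on VLAN 152 (presumably the
! firewall's inside address).
!
! FIX: IP routing must be enabled before the SVIs route and "router ospf"
! is accepted on Catalyst-style images; it is a no-op where already on.
ip routing
!
! FIX: VLAN 152 was never declared and only existed through the implicit
! creation done by "switchport access vlan 152"; declare it with the rest.
vlan 10
vlan 20
vlan 30
vlan 40
vlan 152
!
! STP root for VLANs 10/20 here, 30/40 on SW-EDGE-02. NOTE(review): HSRP
! active is SW-EDGE-02 for VLAN 20 and this switch for VLAN 30, so STP root
! and HSRP active do not line up for those two VLANs; it works, but that
! traffic crosses the inter-switch trunk. Confirm whether that is intended.
spanning-tree vlan 10,20 priority 4096
spanning-tree vlan 30,40 priority 8192
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 ip ospf 100 area 0
!
! Ethernet0/0-0/1: access ports in transit VLAN 152 (towards the firewall
! inside side / SW-INET switches, presumably).
interface Ethernet0/0
 switchport access vlan 152
 no shut
!
interface Ethernet0/1
 switchport access vlan 152
 no shut
!
! Trunk to the peer switch (far end not shown). FIX: duplicate "no shut"
! dropped.
interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
! Routed point-to-point link to SW-EDGE-02 (10.15.15.2), OSPF area 100.
interface Ethernet0/3
 no switchport
 ip address 10.15.15.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 100
 no shut
!
interface Ethernet1/0
 switchport access vlan 10
 switchport mode access
!
interface Ethernet1/1
 switchport access vlan 30
 switchport mode access
!
! SVIs. Priority 110 = preferred HSRP active for that VLAN, 90 = standby.
! NOTE(review): HSRP has no authentication, and OSPF is active on the user
! VLANs (10/20/30) with no passive-interface or authentication, so a host on
! those VLANs could form an adjacency or claim the VIP. Consider
! "passive-interface default" under router ospf (un-passive only the links
! towards SW-EDGE-02) and "standby 6 authentication".
interface Vlan10
 description vlan10
 ip address 192.168.1.2 255.255.255.0
 standby 6 ip 192.168.1.1
 standby 6 priority 110
 standby 6 preempt
 ip ospf 100 area 0
 no shut
!
interface Vlan20
 description vlan20
 ip address 192.168.2.3 255.255.255.0
 standby 6 ip 192.168.2.1
 standby 6 priority 90
 standby 6 preempt
 ip ospf 100 area 0
 no shut
!
! VLAN 30 is meant to be active here; SW-EDGE-02's Vlan30 must stay below
! priority 110 for that to hold.
interface Vlan30
 description vlan30
 ip address 192.168.3.2 255.255.255.0
 standby 6 ip 192.168.3.1
 standby 6 priority 110
 standby 6 preempt
 ip ospf 100 area 0
 no shut
!
interface Vlan152
 ip address 10.16.16.2 255.255.255.248
 standby 6 ip 10.16.16.1
 standby 6 priority 110
 standby 6 preempt
 ip ospf 100 area 0
 no shut
!
! Statics (only the default below) are redistributed and the default is
! originated into OSPF.
router ospf 100
 redistribute static subnets
 default-information originate
 exit
!
ip route 0.0.0.0 0.0.0.0 10.16.16.4 name default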
-------------
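hostname  SW-EDGE-02
!
! SW-EDGE-02: second of the pair of layer-3 edge switches (peer of
! SW-EDGE-01). HSRP group 6 on each SVI, OSPF 100 area 0 on SVIs/loopback,
! routed point-to-point area 100 link (Ethernet0/3) to SW-EDGE-01, default
! route to 10.16.16.4 on VLAN 152.
!
! FIX: IP routing must be enabled before the SVIs route and "router ospf"
! is accepted on Catalyst-style images; it is a no-op where already on.
ip routing
!
! FIX: VLAN 152 was only created implicitly by "switchport access vlan 152";
! declare it with the rest.
vlan 10
vlan 20
vlan 30
vlan 40
vlan 152
!
! STP root for VLANs 30/40 here, 10/20 on SW-EDGE-01.
spanning-tree vlan 10,20 priority 8192
spanning-tree vlan 30,40 priority 4096
!
interface Loopback0
 ip address 10.1.1.4 255.255.255.255
 ip ospf 100 area 0
!
interface Ethernet0/0
 switchport access vlan 152
 no shut
!
interface Ethernet0/1
 switchport access vlan 152
 no shut
!
! Trunk to the peer switch. FIX: duplicate "no shut" dropped.
interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
! Routed point-to-point link to SW-EDGE-01 (10.15.15.1), OSPF area 100.
interface Ethernet0/3
 no switchport
 ip address 10.15.15.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 100
 no shut
!
interface Ethernet1/0
 switchport access vlan 10
 switchport mode access
!
! SVIs. Priority 110 = preferred HSRP active for that VLAN, 90 = standby.
! NOTE(review): same caveat as SW-EDGE-01 — no HSRP authentication and OSPF
! active on user VLANs without passive-interface or authentication.
interface Vlan10
 description vlan10
 ip address 192.168.1.3 255.255.255.0
 standby 6 ip 192.168.1.1
 standby 6 priority 90
 standby 6 preempt
 ip ospf 100 area 0
 no shut
!
interface Vlan20
 description vlan20
 ip address 192.168.2.2 255.255.255.0
 no ip redirects
 standby 6 ip 192.168.2.1
 standby 6 priority 110
 standby 6 preempt
 ip ospf 100 area 0
 no shut
!
! FIX: Vlan30 was priority 110 on both switches (a copy of SW-EDGE-01's
! block), so the active router was decided by the higher IP rather than by
! design. SW-EDGE-01 explicitly sets 110 for VLAN 30, so this side is the
! standby at 90 — confirm against the intended HSRP/STP layout.
interface Vlan30
 description vlan30
 ip address 192.168.3.3 255.255.255.0
 standby 6 ip 192.168.3.1
 standby 6 priority 90
 standby 6 preempt
 ip ospf 100 area 0
 no shut
!
! Standby for VLAN 152 (SW-EDGE-01 is 110); priority made explicit instead
! of relying on the default of 100.
interface Vlan152
 ip address 10.16.16.3 255.255.255.248
 standby 6 ip 10.16.16.1
 standby 6 priority 90
 standby 6 preempt
 ip ospf 100 area 0
 no shut
!
router ospf 100
 redistribute static subnets
 default-information originate
 exit
!
ip route 0.0.0.0 0.0.0.0 10.16.16.4 name default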

---------SETTING FIREWALL PALO------
1. Setting Zones







2. Setting IP Interface










3. Setting DNS dan NTP Server Address


















4. Setting Routing Static (buat Virtual Router VR-Tear1-BTR): routing default dan routing ke arah inside (ke bawah).











5. Setting NAT







6. Setting Firewall Policy Rule






Catatan:
Jika ada dua firewall (Active dan Passive), sebaiknya bentuk HA-nya terlebih dahulu. Setelah HA terbentuk, konfigurasi yang dipush di firewall Active akan otomatis tersinkron dan persis sama di firewall Passive. Firewall dengan nilai Device Priority paling rendah menjadi Active, yang paling tinggi menjadi backup.

--------- SETTING FIREWALL HA ---------

1. Setting type ethernet HA








2. Aktifkan HA










3. Setting Control Link dan Data Link










4. Setting Link Path Monitoring












Noted: Lakukan hal yang sama di firewall 2 (dua); yang berbeda hanya nilai Device Priority, yang diset lebih tinggi.

Hasil dan status HA di firewall Active dan Passive















Verifikasi:


