1. Lab topology:
2. Requirements overview:
R1 and R2 are the gateways for the local networks 12.0.0.0/24 and 21.0.0.0/24. To reach the remote network 5.0.0.0/24 behind R5, each of them has one Internet line from each of two ISPs (ISP1 and ISP2). R3 and R4 each hand R1 and R2 a separate public address (R3 gives R1 13.0.0.1 and R2 23.0.0.2; R4 gives R1 14.0.0.1 and R2 24.0.0.2). Because R1 and R2 form a stub AS, outbound access is built from floating static routes plus load sharing across the two gateways rather than dynamic routing with the ISPs. R1's primary route points at R3's e0/0 (13.0.0.3); R2's primary route points at R4's e0/1 (24.0.0.4).
3. Implementation approach:
With two ISP lines, the NAT inside global address a gateway uses must be the address of the line actually chosen for the packet (or the pool tied to that interface). Because each ISP has its own outbound interface, the NAT rule cannot choose the translation on the source VLAN address alone; it must also consider the outbound interface that routing has selected. The route-map therefore filters on both the source address and the outbound interface (`match ip address` plus `match interface`), and deciding which interface carries the traffic is left to floating static routes bound to track objects. When the primary next hop stops answering the IP SLA probe, the track goes down, the primary static route is withdrawn, the backup route with the higher administrative distance is installed, packets now leave through the other interface, the other route-map matches, and translation uses that interface's address.
4. Configuration:
R1:
```
! Track objects: 3 and 4 follow the two IP SLA probes; 50 follows the
! presence of the 5.0.0.0/24 route, i.e. "at least one ISP still works"
track 3 ip sla 3
track 4 ip sla 4
track 50 ip route 5.0.0.0 255.255.255.0 reachability
!
! ISP-facing (outside) interfaces
interface e0/2
 ip address 13.0.0.1 255.255.255.0
 ip nat outside
interface e0/3
 ip address 14.0.0.1 255.255.255.0
 ip nat outside
!
! LAN-facing (inside) interfaces. R1 is the preferred HSRP active router
! for VLAN 12 (priority 150) and drops 100 points when both ISP routes are gone
interface e0/0
 ip address 12.0.0.1 255.255.255.0
 ip nat inside
 standby 12 ip 12.0.0.254
 standby 12 priority 150
 standby 12 preempt
 standby 12 track 50 decrement 100
interface e0/1
 ip address 21.0.0.1 255.255.255.0
 ip nat inside
 standby 21 ip 21.0.0.254
 standby 21 preempt
 standby 21 track 50 decrement 100
!
! One PAT rule per ISP; the route-map decides which one applies
ip nat inside source route-map TO_R3_NAT interface e0/2 overload
ip nat inside source route-map TO_R4_NAT interface e0/3 overload
!
! Floating static routes: ISP1 (AD 50) preferred, ISP2 (AD 100) as backup,
! each installed only while its track object is up
ip route 5.0.0.0 255.255.255.0 13.0.0.3 50 track 3
ip route 5.0.0.0 255.255.255.0 14.0.0.4 100 track 4
!
ip access-list standard VLAN_12
 permit 12.0.0.0 0.0.0.255
ip access-list standard VLAN_21
 permit 21.0.0.0 0.0.0.255
!
! ICMP probes to each ISP's directly connected address
ip sla 3
 icmp-echo 13.0.0.3
 exit
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo 14.0.0.4
 exit
ip sla schedule 4 life forever start-time now
!
! Translate only LAN sources, and only on the interface the route selects
route-map TO_R3_NAT permit 10
 match ip address VLAN_12 VLAN_21
 match interface e0/2
route-map TO_R4_NAT permit 10
 match ip address VLAN_12 VLAN_21
 match interface e0/3
```
R2:
```
track 3 ip sla 3
track 4 ip sla 4
track 50 ip route 5.0.0.0 255.255.255.0 reachability
!
interface Loopback 0
 ip address 2.2.2.2 255.255.255.255
!
! ISP-facing (outside) interfaces
interface e0/2
 ip address 23.0.0.2 255.255.255.0
 ip nat outside
 no shut
interface e0/3
 ip address 24.0.0.2 255.255.255.0
 ip nat outside
 no shut
!
! LAN-facing (inside) interfaces. Note that on R2 VLAN 12 is on e0/1 and
! VLAN 21 on e0/0; R2 is the preferred HSRP active router for VLAN 21
interface e0/1
 ip address 12.0.0.2 255.255.255.0
 ip nat inside
 standby 12 preempt
 standby 12 ip 12.0.0.254
 standby 12 track 50 decrement 100
 no shut
interface e0/0
 ip address 21.0.0.2 255.255.255.0
 ip nat inside
 standby 21 ip 21.0.0.254
 standby 21 priority 150
 standby 21 preempt
 standby 21 track 50 decrement 100
 no shut
!
ip nat inside source route-map TO_R3_NAT interface e0/2 overload
ip nat inside source route-map TO_R4_NAT interface e0/3 overload
!
! Mirror image of R1: ISP2 (AD 50) preferred, ISP1 (AD 100) as backup
ip route 5.0.0.0 255.255.255.0 23.0.0.3 100 track 3
ip route 5.0.0.0 255.255.255.0 24.0.0.4 50 track 4
!
ip access-list standard VLAN_12
 permit 12.0.0.0 0.0.0.255
 exit
ip access-list standard VLAN_21
 permit 21.0.0.0 0.0.0.255
!
ip sla 3
 icmp-echo 23.0.0.3
 exit
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo 24.0.0.4
 exit
ip sla schedule 4 life forever start-time now
!
route-map TO_R3_NAT permit 10
 match ip address VLAN_12 VLAN_21
 match interface e0/2
route-map TO_R4_NAT permit 10
 match ip address VLAN_12 VLAN_21
 match interface e0/3
```
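The gateway configuration above leaves the probe timers, the track type and the NAT table at their defaults. That is fine for a lab, but three things follow from it: an IP SLA ICMP probe runs every 60 seconds unless `frequency` is set, so a dead line can go unnoticed for up to a minute; a bare `track N ip sla N` follows the operation state, so a slow but answering next hop (over threshold) pulls the route, and a single lost echo flips it with no dampening; and translation entries created before a failover keep the inside global address of the failed line, so sessions that already existed keep leaving through the surviving interface with the wrong source address until they age out. Probing only the ISP's directly connected address, as the lab does, detects a dead link (exactly what shutting R3's e0/0 simulates) but not an outage further inside the ISP. The fragment below is an added example for R1, not part of the original lab configuration; R2 gets the same treatment with its own probe targets and interface names. The timer and delay values are assumptions to tune for real lines. A scheduled IP SLA operation cannot be edited in place, so it is removed and recreated.

```cisco
! Added example (not from the original lab): tighter probes, dampened tracks
! and NAT cleanup on R1. Timer and delay values are assumptions.
!
! Recreate the probes with explicit timers: every 5 s, 1 s timeout,
! 500 ms RTT threshold, sourced from the line being tested
no ip sla 3
ip sla 3
 icmp-echo 13.0.0.3 source-interface Ethernet0/2
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 3 life forever start-time now
no ip sla 4
ip sla 4
 icmp-echo 14.0.0.4 source-interface Ethernet0/3
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 4 life forever start-time now
!
! "reachability" keeps the route while the probe answers, even over the
! threshold; the delay stops one lost echo from flapping the route and HSRP
track 3 ip sla 3 reachability
 delay down 10 up 30
track 4 ip sla 4 reachability
 delay down 10 up 30
!
! Flush the translation table whenever either path changes state, so every
! session is re-translated on the interface that now carries the route.
! Trade-off: this also drops sessions that were already on the good line.
event manager applet NAT_FLUSH_ON_TRACK3
 event track 3 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 3 changed state, NAT translations cleared"
event manager applet NAT_FLUSH_ON_TRACK4
 event track 4 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 4 changed state, NAT translations cleared"
```

The floating static routes and the two route-maps from the lab configuration stay as they are; only the inputs feeding them (probe, track) and the cleanup after a state change are added.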
R3:
```
interface Loopback 0
 ip address 3.3.3.3 255.255.255.255
! Customer-facing links toward R1 and R2
interface e0/0
 ip address 13.0.0.3 255.255.255.0
 no shut
interface e0/1
 ip address 23.0.0.3 255.255.255.0
 no shut
! Core link toward R5
interface S1/0
 ip address 35.0.0.3 255.255.255.0
 encapsulation ppp
 no shut
 exit
! Simulated ISP1 core: EIGRP toward R5, customer links advertised but passive
router eigrp 12345
 passive-interface e0/0
 passive-interface e0/1
 passive-interface Loopback 0
 network 3.3.3.3 0.0.0.0
 network 13.0.0.3 0.0.0.0
 network 23.0.0.3 0.0.0.0
 network 35.0.0.3 0.0.0.0
 eigrp router-id 3.3.3.3
```
R4:
```
interface Loopback 0
 ip address 4.4.4.4 255.255.255.255
! Customer-facing links toward R1 and R2
interface e0/0
 ip address 14.0.0.4 255.255.255.0
 no shut
interface e0/1
 ip address 24.0.0.4 255.255.255.0
 no shut
! Core link toward R5
interface S1/0
 ip address 45.0.0.4 255.255.255.0
 encapsulation ppp
 no shut
 exit
! Simulated ISP2 core: EIGRP toward R5, customer links advertised but passive
router eigrp 12345
 passive-interface e0/0
 passive-interface e0/1
 passive-interface Loopback 0
 network 4.4.4.4 0.0.0.0
 network 14.0.0.4 0.0.0.0
 network 24.0.0.4 0.0.0.0
 network 45.0.0.4 0.0.0.0
 eigrp router-id 4.4.4.4
```
R5:
```
interface Loopback 0
 ip address 5.5.5.5 255.255.255.255
! Loopback 1 stands in for the remote network 5.0.0.0/24
interface Loopback 1
 ip address 5.0.0.1 255.255.255.0
interface Serial1/0
 ip address 35.0.0.5 255.255.255.0
 encapsulation ppp
 no shut
interface Serial1/1
 ip address 45.0.0.5 255.255.255.0
 encapsulation ppp
 no shut
 exit
router eigrp 12345
 passive-interface Loopback 0
 passive-interface Loopback 1
 network 5.0.0.1 0.0.0.0
 network 5.5.5.5 0.0.0.0
 network 35.0.0.5 0.0.0.0
 network 45.0.0.5 0.0.0.0
 eigrp router-id 5.5.5.5
```
5. Results and testing:
This lab assumes that gateway R1 uses R3 as its primary route and R2 uses R4. Since R1 relies on IP SLA to monitor the reachability of R3's interface address, first check the SLA status:
To use the SLA result in a static route, a track object must first be bound to the SLA operation, so check the track state next:
Finally, check that R1's floating static routes actually select the route according to the state the SLA returns:
With this configuration in place, and with the simulated Internet carrying no routes for the two private ranges 12.0.0.0/24 and 21.0.0.0/24, a client can reach the remote network normally, which shows that translation is working:
pc1:
Because R1 uses ISP1 (R3) as its primary route, internal packets passing through R1 are mapped by R1's NAT process to the address assigned by R3 (13.0.0.1).
R1 NAT debug output:
Now for the main event: R1 must fail over correctly to R4 when R3 fails. Shut down R3's e0/0 and check what SLA 3 reports:
Track 3 changes state accordingly:
The routing table, which is what we care about most:
And of course the connectivity test is the real proof:
In fact, once R3's e0/0 is shut the 13.0.0.0/24 segment is withdrawn from EIGRP and R4 has no route back to the R1-R3 link, so the test could only have passed if NAT translated to the address of R1's interface toward R4 (14.0.0.1). Just to be sure, check R1's NAT translations:
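The screenshots that accompanied the steps above are not reproduced here. The sequence below is an added example (not from the original post) of the IOS commands that produce them, run on R1 and R3 in the order the text describes, with comments stating what each should show according to the configuration in section 4.

```cisco
! Added example (not from the original post): verification sequence for the
! failover test. Run on R1 unless noted.
!
! Before the failure: probe 3 should show successful echoes, track 3 Up,
! the 5.0.0.0/24 route installed via 13.0.0.3 (AD 50) out Ethernet0/2
show ip sla statistics 3
show track 3
show ip route 5.0.0.0 255.255.255.0
! Send traffic from pc1 (12.0.0.0/24) to 5.0.0.1, then confirm the inside
! global address is 13.0.0.1. debug ip nat prints one line per translated
! packet; turn it off again before generating more traffic.
show ip nat translations
debug ip nat
undebug all
!
! --- On R3: simulate the ISP1 failure used in the lab ---
configure terminal
 interface Ethernet0/0
  shutdown
 end
!
! After the failure: probe 3 should report timeouts, track 3 Down, and the
! route should now be the backup via 14.0.0.4 (AD 100) out Ethernet0/3
show ip sla statistics 3
show track 3
show ip route 5.0.0.0 255.255.255.0
! Generate fresh traffic from pc1, then confirm new entries use 14.0.0.1.
! Entries created before the failover still show 13.0.0.1 until they age out.
show ip nat translations
! HSRP: track 50 only fires when BOTH routes are gone, so R1 should still be
! Active for group 12 with priority 150 after a single-ISP failure
show standby brief
!
! --- On R3: restore ISP1; on R1, track 3 should return to Up and the
! AD-50 route should be reinstalled ---
configure terminal
 interface Ethernet0/0
  no shutdown
 end
```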
This completes the lab!