引言:
前阵子论坛上有网友讨论过双ISP双线接入时,其中关键在于网关在收到内网数据包后,如何根据不同ISP进行NAT的问题。本人不才,回答时犯了一个经验主义错误。后来得益网友们的提醒,又重新在模拟器上跑了一遍,终告成功。
如图所示,R1、R2作为本地网络12.0.0.0/24、21.0.0.0/24的网关,为连接远端R5上的网段5.0.0.0/24,分别向两个ISP(ISP1、ISP2)申请了1条Internet线路。R3、R4分别给R1、R2一个独立的公网地址(R3分配R1:13.0.0.1、分配R2:13.0.0.2;R4分配R1:14.0.0.1、分配R2:24.0.0.2)。由于R1、R2为Stub AS,故考虑使用浮动静态路由+负载均衡的方式对外访问。其中R1主路由下一跳指向R3 f0/0;R2主路由下一跳指向R4 f0/1。
方法
双ISP双线接入时,网关所使用的nat内部全局地址应为所选线路对应的IP地址(或者该端口所对应的pool)。由于不同ISP有各自对应的出端口,NAT为使用不同的ISP地址段,内部本地地址池除了要判断本地Vlan的地址外,
还要判断所选路由对应出接口。
所以这里要使用到route-map针对源地址和出端口进行筛选。而判断出端口的任务,就交由带track的浮动静态路由实现。
配置文件
双线接入:
R1:
track 3 ip sla 3
track 4 ip sla 4
track 50 ip route 5.0.0.0 255.255.255.0 reachability
!
interface FastEthernet0/0
ip address 13.0.0.1 255.255.255.0
ip nat outside
interface FastEthernet0/1
ip address 14.0.0.1 255.255.255.0
ip nat outside
interface FastEthernet1/0
ip address 12.0.0.1 255.255.255.0
ip nat inside
standby 12 ip 12.0.0.254
standby 12 priority 150
standby 12 preempt
standby 12 track 50 decrement 100
interface FastEthernet1/1
ip address 21.0.0.1 255.255.255.0
ip nat inside
standby 21 ip 21.0.0.254
standby 21 preempt
standby 21 track 50 decrement 100
!
ip nat inside source route-map TO_R3_NAT interface FastEthernet0/0 overload
ip nat inside source route-map TO_R4_NAT interface FastEthernet0/1 overload
ip route 5.0.0.0 255.255.255.0 13.0.0.3 50 track 3
ip route 5.0.0.0 255.255.255.0 14.0.0.4 100 track 4
!
ip access-list standard VLAN_12
permit 12.0.0.0 0.0.0.255
ip access-list standard VLAN_21
permit 21.0.0.0 0.0.0.255
!
ip sla 3
icmp-echo 13.0.0.3
frequency 30
ip sla schedule 3 life forever start-time now
ip sla 4
icmp-echo 14.0.0.4
frequency 30
ip sla schedule 4 life forever start-time now
!
route-map TO_R3_NAT permit 10
match ip address VLAN_12 VLAN_21
match interface FastEthernet0/0
route-map TO_R4_NAT permit 10
match ip address VLAN_12 VLAN_21
match interface FastEthernet0/1
---------我是分隔线----------
R2:
track 3 ip sla 3
track 4 ip sla 4
track 50 ip route 5.0.0.0 255.255.255.0 reachability
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/0
ip address 23.0.0.2 255.255.255.0
ip nat outside
interface FastEthernet0/1
ip address 24.0.0.2 255.255.255.0
ip nat outside
interface FastEthernet1/0
ip address 12.0.0.2 255.255.255.0
ip nat inside
standby 0 preempt
standby 12 ip 12.0.0.254
standby 12 track 50 decrement 100
interface FastEthernet1/1
ip address 21.0.0.2 255.255.255.0
ip nat inside
standby 21 ip 21.0.0.254
standby 21 priority 150
standby 21 preempt
standby 21 track 50 decrement 100
!
ip nat inside source route-map TO_R3_NAT interface FastEthernet0/0 overload
ip nat inside source route-map TO_R4_NAT interface FastEthernet0/1 overload
ip route 5.0.0.0 255.255.255.0 23.0.0.3 100 track 3
ip route 5.0.0.0 255.255.255.0 24.0.0.4 50 track 4
!
ip access-list standard VLAN_12
permit 12.0.0.0 0.0.0.255
ip access-list standard VLAN_21
permit 21.0.0.0 0.0.0.255
!
ip sla 3
icmp-echo 23.0.0.3
frequency 30
ip sla schedule 3 life forever start-time now
ip sla 4
icmp-echo 24.0.0.4
frequency 30
ip sla schedule 4 life forever start-time now
!
route-map TO_R3_NAT permit 10
match ip address VLAN_12 VLAN_21
match interface FastEthernet0/0
route-map TO_R4_NAT permit 10
match ip address VLAN_12 VLAN_21
match interface FastEthernet0/1
!
---------我是分隔线----------
R3:
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface FastEthernet0/0
ip address 13.0.0.3 255.255.255.0
interface FastEthernet0/1
ip address 23.0.0.3 255.255.255.0
interface Serial1/0
ip address 35.0.0.3 255.255.255.0
encapsulation ppp
!
router eigrp 12345
passive interface FastEthernet0/0
passive interface FastEthernet0/1
passive interface Loopback0
network 3.3.3.3 0.0.0.0
network 13.0.0.3 0.0.0.0
network 23.0.0.3 0.0.0.0
network 35.0.0.3 0.0.0.0
eigrp router-id 3.3.3.3
---------我是分隔线----------
R4:
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface FastEthernet0/0
ip address 14.0.0.4 255.255.255.0
interface FastEthernet0/1
ip address 24.0.0.4 255.255.255.0
interface Serial1/0
ip address 45.0.0.4 255.255.255.0
encapsulation ppp
!
router eigrp 12345
passive interface FastEthernet0/0
passive interface FastEthernet0/1
passive interface Loopback0
network 4.4.4.4 0.0.0.0
network 14.0.0.4 0.0.0.0
network 24.0.0.4 0.0.0.0
network 45.0.0.4 0.0.0.0
eigrp router-id 4.4.4.4
!
---------我是分隔线----------
R5:
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Loopback1
ip address 5.0.0.1 255.255.255.0
interface Serial1/0
ip address 35.0.0.5 255.255.255.0
encapsulation ppp
interface Serial1/1
ip address 45.0.0.5 255.255.255.0
encapsulation ppp
!
router eigrp 12345
passive interface Loopback0
passive interface Loopback1
network 5.0.0.1 0.0.0.0
network 5.5.5.5 0.0.0.0
network 35.0.0.5 0.0.0.0
network 45.0.0.5 0.0.0.0
eigrp router-id 5.5.5.5
!
实验结果
本实验假设网关R1使用R3作为主路由,R2使用R4作为主路由。由于R1使用到SLA监控R3端口IP的可达性,因此先查看SLA状态:
R1#show ip sla st
IPSLAs Latest Operation Statistics
IPSLA operation id: 3
Type of operation: icmp-echo
Latest RTT: 56 milliseconds
Latest operation start time: *14:54:19.998 UTC Wed Nov 28 2012
Latest operation return code: OK
Number of successes: 7
Number of failures: 0
Operation time to live: Forever
IPSLA operation id: 4
Type of operation: icmp-echo
Latest RTT: 88 milliseconds
Latest operation start time: *14:54:22.966 UTC Wed Nov 28 2012
Latest operation return code: OK
Number of successes: 7
Number of failures: 0
Operation time to live: Forever
要在静态路由中使用sla的状态,必须先用track跟踪sla状态:
R1#show track
Track 3
IP SLA 3 state
State is Up
40 changes, last change 00:03:10
Latest operation return code: OK
Latest RTT (millisecs) 56
Tracked by:
STATIC-IP-ROUTING 0
Track 4
IP SLA 4 state
State is Up
31 changes, last change 00:03:10
Latest operation return code: OK
Latest RTT (millisecs) 88
Tracked by:
STATIC-IP-ROUTING 0
Track 50
IP route 5.0.0.0 255.255.255.0 reachability
Reachability is Up (static)
8 changes, last change 00:02:56
First-hop interface is FastEthernet0/0
Tracked by:
HSRP FastEthernet1/0 12
HSRP FastEthernet1/1 21
最后,检查R1的浮动静态路由是否正确使用到SLA返回的状态选择路由:
R1#show ip route st
Gateway of last resort is not set
5.0.0.0/24 is subnetted, 1 subnets
S 5.0.0.0 [
50
/0] via
13.0.0.3
经过配置,在模拟互联网中不存在12.0.0.0/24和21.0.0.0/24两个内网IP地址段的情况下,客户端可正常连接到远端网段:
VPCS[1]> ping 5.0.0.1
5.0.0.1 icmp_seq=1 ttl=253 time=109.375 ms
5.0.0.1 icmp_seq=2 ttl=253 time=125.000 ms
5.0.0.1 icmp_seq=3 ttl=253 time=109.375 ms
5.0.0.1 icmp_seq=4 ttl=253 time=140.625 ms
5.0.0.1 icmp_seq=5 ttl=253 time=140.625 ms
由于R1使用ISP1(R3)作为主路由,因此经过R1的内网数据包被R1的NAT进程映射到R3所分配的IP地址。
R1 NAT状态debug:
R1#
*Nov 28 15:35:30.918: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48835]
*Nov 28 15:35:30.966: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48835]
R1#
*Nov 28 15:35:32.026: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48836]
*Nov 28 15:35:32.134: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48836]
R1#
*Nov 28 15:35:33.154: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48837]
*Nov 28 15:35:33.226: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48837]
R1#
*Nov 28 15:35:34.278: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48838]
*Nov 28 15:35:34.382: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48838]
R1#
*Nov 28 15:35:35.430: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48839]
*Nov 28 15:35:35.522: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48839]
R1#
*Nov 28 15:36:31.190: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50110 (50110)
R1#
*Nov 28 15:36:32.214: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50366 (50366)
R1#
*Nov 28 15:36:33.238: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50622 (50622)
R1#
*Nov 28 15:36:34.774: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50878 (50878)
R1#
*Nov 28 15:36:35.798: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 51390 (51390)
重头戏来了!必须验证R1能够在R3实效的情况下正确切换到R4。现在关闭R3的F0/0端口,并检查SLA 3的返回情况:
R1#show ip sla st
IPSLAs Latest Operation Statistics
IPSLA operation id: 3
Type of operation: icmp-echo
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *15:35:49.994 UTC Wed Nov 28 2012
Latest operation return code: Timeout
Number of successes: 87
Number of failures: 3
Operation time to live: Forever
同样,track 3的状态随之改变:
R1#show track
Track 3
IP SLA 3 state
State is Down
45 changes, last change 00:02:34
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
我们最为关心的路由表情况:
R1#show ip route st
Gateway of last resort is not set
5.0.0.0/24 is subnetted, 1 subnets
S 5.0.0.0 [
100
/0] via
14.0.0.4
当然,测试连通性是最主要的:
VPCS[1]> ping 5.0.0.1
5.0.0.1 icmp_seq=1 ttl=253 time=156.250 ms
5.0.0.1 icmp_seq=2 ttl=253 time=187.500 ms
5.0.0.1 icmp_seq=3 ttl=253 time=125.000 ms
5.0.0.1 icmp_seq=4 ttl=253 time=140.625 ms
5.0.0.1 icmp_seq=5 ttl=253 time=93.750 ms
其实,由于R4没有R1-R3的路由,NAT肯定是以R1-R4的端口IP作转换的。以防万一,检查R1的NAT转换情况:
R1#
*Nov 28 15:39:22.970: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49067]
*Nov 28 15:39:23.106: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49067]
R1#
*Nov 28 15:39:24.182: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49068]
*Nov 28 15:39:24.322: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49068]
R1#
*Nov 28 15:39:25.350: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49069]
*Nov 28 15:39:25.446: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49069]
R1#
*Nov 28 15:39:26.494: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49070]
*Nov 28 15:39:26.590: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49070]
R1#
*Nov 28 15:39:27.634: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49071]
*Nov 28 15:39:27.690: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49071]
R1#
*Nov 28 15:40:23.250: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 43967 (43967)
R1#
*Nov 28 15:40:24.786: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 44223 (44223)
R1#
*Nov 28 15:40:25.810: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 44735 (44735)
R1#
*Nov 28 15:40:26.834: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 44991 (44991)
R1#
*Nov 28 15:40:27.858: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 45247 (45247)
本文转自 gole_huang 51CTO博客,原文链接:http://blog.51cto.com/golehuang/1077794
