
NAT configuration for dual-ISP, dual-link access

12-12-06

Introduction:
A while ago some forum members discussed dual-ISP, dual-line access. The key question was how the gateway, once it receives a packet from the internal network, performs NAT according to the ISP the packet will leave through. When I answered I made a mistake based on experience; after other members pointed it out, I re-ran the scenario on a simulator and it finally worked.
As shown in the topology diagram, R1 and R2 are the gateways for the local networks 12.0.0.0/24 and 21.0.0.0/24. To reach the network 5.0.0.0/24 behind the remote router R5, each gateway has one Internet line from each of two ISPs (ISP1 and ISP2). R3 and R4 each give R1 and R2 a separate public address (R3 assigns 13.0.0.1 to R1 and 23.0.0.2 to R2; R4 assigns 14.0.0.1 to R1 and 24.0.0.2 to R2). Because R1 and R2 form a stub AS, outbound access uses floating static routes with load sharing between the two gateways: R1's primary route has R3 f0/0 as its next hop, and R2's primary route has R4 f0/1 as its next hop.
Method
With dual-ISP, dual-line access, the NAT inside global address the gateway uses must be the address of the line actually selected for the packet (or the pool bound to that interface). Because each ISP has its own outgoing interface, the NAT rule cannot be chosen on the inside source address alone: it must also be chosen on the outgoing interface that the routing lookup selects, so that traffic leaving via ISP1 carries ISP1's address and traffic leaving via ISP2 carries ISP2's. This is done with a route-map that matches both the source address (the VLAN ACLs) and the outgoing interface. Deciding which outgoing interface is in use is left to floating static routes with track objects: an IP SLA probe tests the primary next hop, and when it fails the primary route is withdrawn, the backup route (higher administrative distance) takes over, the egress interface changes, and the route-map therefore selects the other NAT rule. A third track object (track 50) watches whether any route to 5.0.0.0/24 remains at all; HSRP lowers the router's priority when it goes down, so a gateway that has lost both lines hands its VLAN's virtual gateway address to the other router.
Getting the pairing right matters beyond connectivity. A packet that leaves via ISP2 still carrying ISP1's address looks, from ISP2's point of view, like a spoofed source: an upstream that applies ingress filtering (BCP 38 / uRPF) drops it, and at best the return traffic comes back on the other link.
Configuration files
Dual-line access:
R1:
track 3 ip sla 3
track 4 ip sla 4
track 50 ip route 5.0.0.0 255.255.255.0 reachability
!
interface FastEthernet0/0
 ip address 13.0.0.1 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 14.0.0.1 255.255.255.0
 ip nat outside
interface FastEthernet1/0
 ip address 12.0.0.1 255.255.255.0
 ip nat inside
 standby 12 ip 12.0.0.254
 standby 12 priority 150
 standby 12 preempt
 standby 12 track 50 decrement 100
interface FastEthernet1/1
 ip address 21.0.0.1 255.255.255.0
 ip nat inside
 standby 21 ip 21.0.0.254
 standby 21 preempt
 standby 21 track 50 decrement 100
!
ip nat inside source route-map TO_R3_NAT interface FastEthernet0/0 overload
ip nat inside source route-map TO_R4_NAT interface FastEthernet0/1 overload
ip route 5.0.0.0 255.255.255.0 13.0.0.3 50 track 3
ip route 5.0.0.0 255.255.255.0 14.0.0.4 100 track 4
!
ip access-list standard VLAN_12
 permit 12.0.0.0 0.0.0.255
ip access-list standard VLAN_21
 permit 21.0.0.0 0.0.0.255
!
ip sla 3
 icmp-echo 13.0.0.3
 frequency 30
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo 14.0.0.4
 frequency 30
ip sla schedule 4 life forever start-time now
!
route-map TO_R3_NAT permit 10
 match ip address VLAN_12 VLAN_21
 match interface FastEthernet0/0
route-map TO_R4_NAT permit 10
 match ip address VLAN_12 VLAN_21
 match interface FastEthernet0/1
---------- separator ----------
R2:
track 3 ip sla 3
track 4 ip sla 4
track 50 ip route 5.0.0.0 255.255.255.0 reachability
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/0
 ip address 23.0.0.2 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 24.0.0.2 255.255.255.0
 ip nat outside
interface FastEthernet1/0
 ip address 12.0.0.2 255.255.255.0
 ip nat inside
 ! preempt must be set on HSRP group 12 (the group used on this interface), not on the default group 0
 standby 12 preempt
 standby 12 ip 12.0.0.254
 standby 12 track 50 decrement 100
interface FastEthernet1/1
 ip address 21.0.0.2 255.255.255.0
 ip nat inside
 standby 21 ip 21.0.0.254
 standby 21 priority 150
 standby 21 preempt
 standby 21 track 50 decrement 100
!
ip nat inside source route-map TO_R3_NAT interface FastEthernet0/0 overload
ip nat inside source route-map TO_R4_NAT interface FastEthernet0/1 overload
ip route 5.0.0.0 255.255.255.0 23.0.0.3 100 track 3
ip route 5.0.0.0 255.255.255.0 24.0.0.4 50 track 4
!
ip access-list standard VLAN_12
 permit 12.0.0.0 0.0.0.255
ip access-list standard VLAN_21
 permit 21.0.0.0 0.0.0.255
!
ip sla 3
 icmp-echo 23.0.0.3
 frequency 30
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo 24.0.0.4
 frequency 30
ip sla schedule 4 life forever start-time now
!
route-map TO_R3_NAT permit 10
 match ip address VLAN_12 VLAN_21
 match interface FastEthernet0/0
route-map TO_R4_NAT permit 10
 match ip address VLAN_12 VLAN_21
 match interface FastEthernet0/1
!
---------- separator ----------
R3:
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
interface FastEthernet0/0
 ip address 13.0.0.3 255.255.255.0
interface FastEthernet0/1
 ip address 23.0.0.3 255.255.255.0
interface Serial1/0
 ip address 35.0.0.3 255.255.255.0
 encapsulation ppp
!
router eigrp 12345
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 passive-interface Loopback0
 network 3.3.3.3 0.0.0.0
 network 13.0.0.3 0.0.0.0
 network 23.0.0.3 0.0.0.0
 network 35.0.0.3 0.0.0.0
 eigrp router-id 3.3.3.3
---------- separator ----------
R4:
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface FastEthernet0/0
 ip address 14.0.0.4 255.255.255.0
interface FastEthernet0/1
 ip address 24.0.0.4 255.255.255.0
interface Serial1/0
 ip address 45.0.0.4 255.255.255.0
 encapsulation ppp
!
router eigrp 12345
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 passive-interface Loopback0
 network 4.4.4.4 0.0.0.0
 network 14.0.0.4 0.0.0.0
 network 24.0.0.4 0.0.0.0
 network 45.0.0.4 0.0.0.0
 eigrp router-id 4.4.4.4
!
---------- separator ----------
R5:
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
interface Loopback1
 ip address 5.0.0.1 255.255.255.0
interface Serial1/0
 ip address 35.0.0.5 255.255.255.0
 encapsulation ppp
interface Serial1/1
 ip address 45.0.0.5 255.255.255.0
 encapsulation ppp
!
router eigrp 12345
 passive-interface Loopback0
 passive-interface Loopback1
 network 5.0.0.1 0.0.0.0
 network 5.5.5.5 0.0.0.0
 network 35.0.0.5 0.0.0.0
 network 45.0.0.5 0.0.0.0
 eigrp router-id 5.5.5.5
!
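The following is an added example, not code from the original article: a small Python model of the decision R1's configuration makes for every outbound packet (track state, then floating static route, then the NAT rule keyed on the egress interface). The class names, the track_up dictionary and the r1_translation() helper are my own; the addresses, distances, interface names and ACL ranges are those of R1's configuration above. The semantics it assumes are the IOS behaviour the article relies on: a static route whose track object is Down is withdrawn, the lowest administrative distance wins among the remaining routes to a prefix, and a route-map with "match interface" applies only when both the source ACL and the egress interface match.

```python
# Added example (not from the original article): model of R1's path and
# NAT-address selection. Class names and helpers are mine; addresses,
# distances and interface names come from R1's configuration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    network: IPv4Network   # connected subnet
    address: IPv4Address   # router's own address; used as the inside global address


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Network
    next_hop: IPv4Address
    distance: int          # administrative distance, lower is preferred
    track: int             # track object that must be Up for the route to exist


@dataclass(frozen=True)
class NatRule:
    sources: tuple         # networks permitted by the "match ip address" ACLs
    interface: str         # "match interface" in the route-map


class Gateway:
    def __init__(self, interfaces, routes, nat_rules):
        self.interfaces = list(interfaces)
        self.routes = list(routes)
        self.nat_rules = list(nat_rules)

    def connected_interface(self, addr: IPv4Address) -> Optional[Interface]:
        """The interface whose subnet contains addr (next hops are directly connected)."""
        for intf in self.interfaces:
            if addr in intf.network:
                return intf
        return None

    def best_route(self, dst: IPv4Address, track_up: dict) -> Optional[StaticRoute]:
        """Floating-static selection: drop routes whose track is Down, then
        prefer the longest prefix and, within it, the lowest distance."""
        usable = [r for r in self.routes
                  if dst in r.prefix
                  and track_up.get(r.track, True)
                  and self.connected_interface(r.next_hop) is not None]
        if not usable:
            return None
        return min(usable, key=lambda r: (-r.prefix.prefixlen, r.distance))

    def translate(self, src: IPv4Address, dst: IPv4Address, track_up: dict):
        """Return (inside_global, egress_interface_name), or None when the packet
        has no route or no NAT rule matches both its source and its egress."""
        route = self.best_route(dst, track_up)
        if route is None:
            return None
        egress = self.connected_interface(route.next_hop)
        for rule in self.nat_rules:
            if rule.interface == egress.name and any(src in net for net in rule.sources):
                return str(egress.address), egress.name
        return None


def build_r1() -> Gateway:
    """R1 as configured above (the HSRP-facing inside interfaces are not modelled)."""
    vlans = (ip_network("12.0.0.0/24"), ip_network("21.0.0.0/24"))
    return Gateway(
        interfaces=[
            Interface("FastEthernet0/0", ip_network("13.0.0.0/24"), ip_address("13.0.0.1")),
            Interface("FastEthernet0/1", ip_network("14.0.0.0/24"), ip_address("14.0.0.1")),
        ],
        routes=[
            StaticRoute(ip_network("5.0.0.0/24"), ip_address("13.0.0.3"), 50, 3),   # primary via R3
            StaticRoute(ip_network("5.0.0.0/24"), ip_address("14.0.0.4"), 100, 4),  # backup via R4
        ],
        nat_rules=[
            NatRule(vlans, "FastEthernet0/0"),   # route-map TO_R3_NAT
            NatRule(vlans, "FastEthernet0/1"),   # route-map TO_R4_NAT
        ],
    )


def r1_translation(src: str, track_up: dict, dst: str = "5.0.0.1"):
    """Convenience wrapper taking dotted strings; track_up maps track id -> is Up."""
    return build_r1().translate(ip_address(src), ip_address(dst), track_up)


if __name__ == "__main__":
    print("both links up:  ", r1_translation("12.0.0.100", {3: True, 4: True}))
    print("R3 link down:   ", r1_translation("12.0.0.100", {3: False, 4: True}))
    print("both links down:", r1_translation("12.0.0.100", {3: False, 4: False}))
    print("non-VLAN source:", r1_translation("10.9.9.9", {3: True, 4: True}))
```

The last case is worth noting: a source outside the two VLAN ACLs is routed but not translated, so it would leave the router with a private address. The model returns None for it, which is the condition a real deployment should block with an outbound ACL rather than rely on NAT to hide.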
Experiment results
This experiment assumes that gateway R1 uses R3 as its primary route and R2 uses R4. Because R1 uses an IP SLA probe to monitor reachability of R3's interface address, first check the SLA state. Note that the probe targets R3's directly connected interface, so it detects a failure of the local access link (which is what the test below simulates) but not an outage further inside ISP1.
R1#show ip sla statistics

IPSLAs Latest Operation Statistics

IPSLA operation id: 3
        Type of operation: icmp-echo
        Latest RTT: 56 milliseconds
Latest operation start time: *14:54:19.998 UTC Wed Nov 28 2012
Latest operation return code: OK
Number of successes: 7
Number of failures: 0
Operation time to live: Forever

IPSLA operation id: 4
        Type of operation: icmp-echo
        Latest RTT: 88 milliseconds
Latest operation start time: *14:54:22.966 UTC Wed Nov 28 2012
Latest operation return code: OK
Number of successes: 7
Number of failures: 0
Operation time to live: Forever
To use the SLA's state in a static route, a track object must first track the SLA:
R1#show track
Track 3
  IP SLA 3 state
  State is Up
    40 changes, last change 00:03:10
  Latest operation return code: OK
  Latest RTT (millisecs) 56
  Tracked by:
    STATIC-IP-ROUTING 0
Track 4
  IP SLA 4 state
  State is Up
    31 changes, last change 00:03:10
  Latest operation return code: OK
  Latest RTT (millisecs) 88
  Tracked by:
    STATIC-IP-ROUTING 0
Track 50
  IP route 5.0.0.0 255.255.255.0 reachability
  Reachability is Up (static)
    8 changes, last change 00:02:56
  First-hop interface is FastEthernet0/0
  Tracked by:
    HSRP FastEthernet1/0 12
    HSRP FastEthernet1/1 21
Finally, check that R1's floating static routes actually use the state returned by the SLA to select the route (only the primary, distance 50, is installed):
R1#show ip route static
Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
S       5.0.0.0 [50/0] via 13.0.0.3
With this configuration, even though the simulated Internet carries no routes for the two internal ranges 12.0.0.0/24 and 21.0.0.0/24, a client can reach the remote network:
VPCS[1] ping 5.0.0.1
5.0.0.1 icmp_seq=1 ttl=253 time=109.375 ms
5.0.0.1 icmp_seq=2 ttl=253 time=125.000 ms
5.0.0.1 icmp_seq=3 ttl=253 time=109.375 ms
5.0.0.1 icmp_seq=4 ttl=253 time=140.625 ms
5.0.0.1 icmp_seq=5 ttl=253 time=140.625 ms
Because R1 uses ISP1 (R3) as its primary route, internal packets passing through R1 are mapped by R1's NAT process to the address assigned by R3 (13.0.0.1).
R1 NAT debug output (debug ip nat):
R1#
*Nov 28 15:35:30.918: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48835]
*Nov 28 15:35:30.966: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48835]
*Nov 28 15:35:32.026: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48836]
*Nov 28 15:35:32.134: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48836]
*Nov 28 15:35:33.154: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48837]
*Nov 28 15:35:33.226: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48837]
*Nov 28 15:35:34.278: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48838]
*Nov 28 15:35:34.382: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48838]
*Nov 28 15:35:35.430: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48839]
*Nov 28 15:35:35.522: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48839]
*Nov 28 15:36:31.190: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50110 (50110)
*Nov 28 15:36:32.214: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50366 (50366)
*Nov 28 15:36:33.238: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50622 (50622)
*Nov 28 15:36:34.774: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50878 (50878)
*Nov 28 15:36:35.798: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 51390 (51390)
Now for the main event: we must verify that R1 switches to R4 correctly when R3 fails. Shut down R3's F0/0 interface and check what SLA 3 returns (the probe now times out):
R1#show ip sla statistics

IPSLAs Latest Operation Statistics

IPSLA operation id: 3
        Type of operation: icmp-echo
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *15:35:49.994 UTC Wed Nov 28 2012
Latest operation return code: Timeout
Number of successes: 87
Number of failures: 3
Operation time to live: Forever
Likewise, the state of track 3 changes with it:
R1#show track
Track 3
  IP SLA 3 state
  State is Down
    45 changes, last change 00:02:34
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
What we care about most, the routing table: the primary route has been withdrawn and the backup (distance 100) via R4 is now installed:
R1#show ip route static
Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
S       5.0.0.0 [100/0] via 14.0.0.4
And of course, the connectivity test is what matters most:
VPCS[1] ping 5.0.0.1
5.0.0.1 icmp_seq=1 ttl=253 time=156.250 ms
5.0.0.1 icmp_seq=2 ttl=253 time=187.500 ms
5.0.0.1 icmp_seq=3 ttl=253 time=125.000 ms
5.0.0.1 icmp_seq=4 ttl=253 time=140.625 ms
5.0.0.1 icmp_seq=5 ttl=253 time=93.750 ms
In fact, with R3's F0/0 shut down the 13.0.0.0/24 link is no longer in EIGRP, so R4 has no route back to R1's ISP1 address; the ping can only succeed if NAT is now translating to the address of R1's interface toward R4 (14.0.0.1). Just to be sure, check R1's NAT translations:
R1#
*Nov 28 15:39:22.970: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49067]
*Nov 28 15:39:23.106: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49067]
*Nov 28 15:39:24.182: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49068]
*Nov 28 15:39:24.322: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49068]
*Nov 28 15:39:25.350: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49069]
*Nov 28 15:39:25.446: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49069]
*Nov 28 15:39:26.494: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49070]
*Nov 28 15:39:26.590: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49070]
*Nov 28 15:39:27.634: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49071]
*Nov 28 15:39:27.690: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49071]
*Nov 28 15:40:23.250: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 43967 (43967)
*Nov 28 15:40:24.786: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 44223 (44223)
*Nov 28 15:40:25.810: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 44735 (44735)
*Nov 28 15:40:26.834: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 44991 (44991)
*Nov 28 15:40:27.858: NAT: expiring 14.0.0.1 (12.0.0.100) icmp 45247 (45247)
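Reading the debug output by eye works for five pings; it does not scale to a busy gateway. The following is an added example, not code from the original article: an offline check that pairs `show ip route static` text with `debug ip nat` lines and flags every outbound translation whose inside global address is not on the link of the active route, which is exactly the "wrong ISP's address on the wrong line" case the route-map is meant to prevent. The route and debug lines embedded below are copied from the R1 outputs above; the one line marked "constructed" is mine, added to show what a stale or misrouted translation looks like. The interface-to-subnet table and all function names are my own.

```python
# Added example (not from the original article): audit `debug ip nat` output
# against the active static route. Sample data comes from the R1 outputs in
# the article except the line explicitly marked "constructed".
import re
from ipaddress import ip_address, ip_network

# R1's outside links, from its interface configuration
OUTSIDE_LINKS = {
    "FastEthernet0/0 (ISP1, R3)": ip_network("13.0.0.0/24"),
    "FastEthernet0/1 (ISP2, R4)": ip_network("14.0.0.0/24"),
}

SUBNETTED = re.compile(r"^\s*(?P<net>[\d.]+)/(?P<plen>\d+) is subnetted")
STATIC = re.compile(r"^S\s+(?P<net>[\d.]+)(?:/(?P<plen>\d+))?\s+\[\d+/\d+\] via (?P<nh>[\d.]+)")
# outbound translation lines only: "s=<inside local>-><inside global>, d=<dst>"
NAT_OUT = re.compile(r"NAT\*?: s=(?P<local>[\d.]+)->(?P<global>[\d.]+), d=(?P<dst>[\d.]+)")


def parse_static_routes(show_output: str):
    """(prefix, next_hop) pairs from `show ip route static` text."""
    routes, plen = [], None
    for line in show_output.splitlines():
        m = SUBNETTED.match(line)
        if m:
            plen = m.group("plen")      # prefix length is printed on the header line
            continue
        m = STATIC.match(line)
        if m:
            length = m.group("plen") or plen or "32"
            routes.append((ip_network(f"{m.group('net')}/{length}"), ip_address(m.group("nh"))))
    return routes


def link_for(addr):
    """Name of the outside link whose subnet contains addr, or None."""
    for name, net in OUTSIDE_LINKS.items():
        if addr in net:
            return name
    return None


def audit(show_output: str, debug_lines):
    """One message per outbound translation whose inside global address is not
    on the link of the active route for its destination. Empty list means clean."""
    routes = parse_static_routes(show_output)
    problems = []
    for line in debug_lines:
        m = NAT_OUT.search(line)
        if not m:
            continue                    # inbound and "expiring" lines carry no new decision
        dst, glob = ip_address(m.group("dst")), ip_address(m.group("global"))
        candidates = [r for r in routes if dst in r[0]]
        if not candidates:
            problems.append(f"no static route for {dst}: {line.strip()}")
            continue
        _, next_hop = max(candidates, key=lambda r: r[0].prefixlen)   # longest match
        expected, actual = link_for(next_hop), link_for(glob)
        if expected != actual:
            problems.append(f"{m.group('local')}->{glob} leaves via {expected} "
                            f"with an address of {actual}: {line.strip()}")
    return problems


# --- sample data: R1 outputs from the article, before and after the R3 failure ---
ROUTE_BEFORE = """Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
S       5.0.0.0 [50/0] via 13.0.0.3
"""
ROUTE_AFTER = """Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
S       5.0.0.0 [100/0] via 14.0.0.4
"""
DEBUG_BEFORE = [
    "*Nov 28 15:35:30.918: NAT*: s=12.0.0.100->13.0.0.1, d=5.0.0.1 [48835]",
    "*Nov 28 15:35:30.966: NAT*: s=5.0.0.1, d=13.0.0.1->12.0.0.100 [48835]",
    "*Nov 28 15:36:31.190: NAT: expiring 13.0.0.1 (12.0.0.100) icmp 50110 (50110)",
]
DEBUG_AFTER = [
    "*Nov 28 15:39:22.970: NAT*: s=12.0.0.100->14.0.0.1, d=5.0.0.1 [49067]",
    "*Nov 28 15:39:23.106: NAT*: s=5.0.0.1, d=14.0.0.1->12.0.0.100 [49067]",
]
# constructed, not from the article: a translation still using ISP1's address
# after the route has moved to ISP2
STALE_LINE = "*Nov 28 15:39:24.000: NAT*: s=21.0.0.9->13.0.0.1, d=5.0.0.1 [49068]"


if __name__ == "__main__":
    print("before failover:", audit(ROUTE_BEFORE, DEBUG_BEFORE) or "clean")
    print("after failover: ", audit(ROUTE_AFTER, DEBUG_AFTER) or "clean")
    for p in audit(ROUTE_AFTER, DEBUG_AFTER + [STALE_LINE]):
        print("MISMATCH:", p)
```

In practice the route snapshot should be taken at the same time as the debug capture, since the check is only meaningful against the route that was active when the translation was created.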