This question came from a member's post on the 91LAB forum, so I set up the lab myself. Please credit http://www.mycisco.cn when reposting. Thanks.
This lab has one problem: the two static routes do not effectively control path selection. It is exactly this static-route problem that causes the route-map matching to sometimes not behave as expected. Treat this lab as a troubleshooting exercise; if you can pin down the exact cause and the underlying principle, the time spent is not wasted.
A solution is given at this address: http://www.mycisco.cn/post/152.html
It is best to read through this flawed lab first, though; the page above is then much easier to follow.
r4#sh run
Building configuration...
Current configuration : 1639 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
!
ip subnet-zero
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.1.4 255.255.255.0
ip nat inside
half-duplex
!
interface Ethernet0/1
ip address 192.168.2.4 255.255.255.0
ip nat inside
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.0
ip nat outside
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 20.0.0.1 255.255.255.0
ip nat outside
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip nat pool isp1 10.0.0.1 10.0.0.1 prefix-length 24
ip nat pool isp2 20.0.0.1 20.0.0.1 prefix-length 24
ip nat inside source route-map toisp1 pool isp1 overload
ip nat inside source route-map toisp2 pool isp2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip route 0.0.0.0 0.0.0.0 20.0.0.5
ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map toisp1 permit 10
match ip address 100
match interface Serial1/0
!
route-map toisp2 permit 10
match ip address 101
match interface Serial1/1
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end
============ The above is the original configuration. From: http://www.mycisco.cn 纳米 ========
Goal: traffic from the 192.168.1.0/24 subnet goes out via ISP1 and is translated to 10.0.0.1.
Goal: traffic from the 192.168.2.0/24 subnet goes out via ISP2 and is translated to 20.0.0.1.
But there is a problem: once S1/0 or S1/1 goes down, NAT fails for that subnet, because the route-map conditions are no longer met. See the test:
(S1/0 has been shut down)
r4#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.4
.....
Success rate is 0 percent (0/5)
r4#sh ip nat translations
The output is empty; no translation took place.
=======
The configuration above does not achieve failover: when one ISP interface fails, the other does not take over.
So I came up with this approach: give each subnet a second route-map that still matches the original ACL but matches the interface connected to the other ISP. That way, if one interface fails, the other route-map can still match.
First test the 192.168.1.0/24 subnet; see the configuration below:
r4#sh run
Building configuration...
Current configuration : 1639 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
!
ip subnet-zero
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.1.4 255.255.255.0
ip nat inside
half-duplex
!
interface Ethernet0/1
ip address 192.168.2.4 255.255.255.0
ip nat inside
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.0
ip nat outside
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 20.0.0.1 255.255.255.0
ip nat outside
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip nat pool isp1 10.0.0.1 10.0.0.1 prefix-length 24
ip nat pool isp2 20.0.0.1 20.0.0.1 prefix-length 24
ip nat inside source route-map toisp1 pool isp1 overload
ip nat inside source route-map toisp1-2 pool isp2 overload
ip nat inside source route-map toisp2 pool isp2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip route 0.0.0.0 0.0.0.0 20.0.0.5
ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map toisp1 permit 10
match ip address 100
match interface Serial1/0
!
route-map toisp2 permit 10
match ip address 101
match interface Serial1/1
!
route-map toisp1-2 permit 10
match ip address 100
match interface Serial1/1
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end
=====
Look at the test result; S1/0 is still shut down at this point:
r4#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.4
.....
Success rate is 0 percent (0/5)
r4#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 20.0.0.1:14 192.168.1.4:14 10.10.10.10:14 10.10.10.10:14
Note why the ping above still fails: the NAT pool in use now belongs to the S1/1 interface, and in my environment the router connected to S1/1 does not have the address 10.10.10.10.
The NAT translation table above proves that a translation did happen, and that it used the other interface. Likewise, I went on to configure the backup for the 192.168.2.0/24 subnet and tested it; configuration and test below:
r4#sh run
Building configuration...
Current configuration : 1768 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
!
ip subnet-zero
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.1.4 255.255.255.0
ip nat inside
half-duplex
!
interface Ethernet0/1
ip address 192.168.2.4 255.255.255.0
ip nat inside
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.0
ip nat outside
serial restart-delay 0
!
interface Serial1/1
ip address 20.0.0.1 255.255.255.0
ip nat outside
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip nat pool isp1 10.0.0.1 10.0.0.1 prefix-length 24
ip nat pool isp2 20.0.0.1 20.0.0.1 prefix-length 24
ip nat inside source route-map toisp1 pool isp1 overload
ip nat inside source route-map toisp1-2 pool isp2 overload
ip nat inside source route-map toisp2 pool isp2 overload
ip nat inside source route-map toisp2-1 pool isp1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip route 0.0.0.0 0.0.0.0 20.0.0.5
ip http server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map toisp1 permit 10
match ip address 100
match interface Serial1/0
!
route-map toisp2 permit 10
match ip address 101
match interface Serial1/1
!
route-map toisp1-2 permit 10
match ip address 100
match interface Serial1/1
!
route-map toisp2-1 permit 10
match ip address 101
match interface Serial1/0
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end
r4#ping
Protocol [ip]:
Target IP address: 20.20.20.20
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/36 ms
r4#
r4#sh ip nat
r4#sh ip nat trans
r4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 20.0.0.1:16 192.168.2.4:16 20.20.20.20:16 20.20.20.20:16
=====
This shows that while S1/1 is up, the normal translation is used and the backup ISP is not touched.
r4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r4(config)#int s1/1 ' shut down S1/1 to verify the backup
r4(config-if)#shu
r4(config-if)#end
r4#ping
Protocol [ip]:
01:33:28: %SYS-5-CONFIG_I: Configured from console by console
01:33:29: %LINK-5-CHANGED: Interface Serial1/1, changed state to administratively down
01:33:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
Target IP address: 20.20.20.20
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.4
.....
Success rate is 0 percent (0/5)
r4#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 10.0.0.1:17 192.168.2.4:17 20.20.20.20:17 20.20.20.20:17
====
See: with S1/1 shut down, traffic that would normally leave through the interface connected to ISP2 is now translated to the address of S1/0, the interface connected to ISP1. The failed ping above is of course expected, for the same reason as before: this is a test environment and ISP1 does not have the address 10.10.10.10.
Digging deeper: the configuration above looks fine, but in fact it relies on the order of the four route-maps. When a Cisco router performs NAT with route-maps, it checks the route-maps first; if every condition in the current route-map matches, the router uses the NAT statement that references that route-map. That is why this configuration achieves the goal: while both interfaces are up, each subnet leaves through its own ISP, and as soon as one interface goes down, traffic leaves through the other ISP.
For proof that a Cisco router really checks the route-map first and only then the ACL referenced by the route-map, see the lab at this address.
Note: that proof lab was done on a Cisco 2500 series running a non-enterprise IOS 12.3. This time I used a Dynamips 3620 with a non-enterprise IOS 12.2. Both labs confirmed the ROUTE-MAP --> ACL order, but they differed slightly: on the 2500 the route-maps were ordered alphabetically by route-map name, whereas on the 3620 this time, as you can see, they are ordered in the sequence I configured them (I tested this explicitly; the order really does follow the configuration sequence).
Keep this in mind in a real deployment. Because the order differs, it could easily happen that 192.168.1.0/24, which was meant to go out through ISP1, always goes out through ISP2 instead, simply because the ISP2 (backup) statement sits at the top.
(Added later: very frustrating, I will spare the details. Please test it yourselves: on different IOS versions, edit the configuration above, paste it in, and see how those route-maps actually end up ordered. In my test the positions of ISP1-2 and ISP2-1 could be swapped,
but I could never get ISP1-2 to the top; after pasting it in, a show would revert to the "normal" order shown above. Baffling. Please test it and leave your results here, thanks!)
There are surely other and better ways to meet this requirement. I always feel this configuration is not very efficient (and may even contain mistakes I have not thought of). Please leave a comment here with other approaches so we can learn together.
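To make the lookup behaviour described above concrete, here is a small simulation of r4's NAT decision, written for this page (it is not Cisco code and not the author's). It assumes what the post states for the 3620: the NAT statements are tried in configured order and the first route-map whose clauses all match wins, and a route-map carrying both "match ip address" and "match interface" requires both to match. The egress interface is an input to the model, because the routing lookup over the two default routes happens before NAT. The scenarios reproduce the three translation-table results shown above (no entry, 20.0.0.1 for 192.168.1.4, 10.0.0.1 for 192.168.2.4). It also goes one step beyond the text: with every route-map carrying its interface clause the four statements are mutually exclusive, so reordering them changes nothing in this model; the hypothetical `toisp1-2` without an interface clause shows when configured order alone decides.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of router r4 from the lab above (simulation, not Cisco code).
@dataclass(frozen=True)
class RouteMap:
    name: str
    acl: str                          # access-list number, e.g. "100"
    interface: Optional[str] = None   # "match interface"; None = no such clause

@dataclass(frozen=True)
class NatRule:
    route_map: str   # "ip nat inside source route-map <name> pool <pool> overload"
    pool: str

ACLS = {"100": ip_network("192.168.1.0/24"), "101": ip_network("192.168.2.0/24")}
POOLS = {"isp1": "10.0.0.1", "isp2": "20.0.0.1"}
ROUTE_MAPS = {
    "toisp1":   RouteMap("toisp1",   "100", "Serial1/0"),
    "toisp2":   RouteMap("toisp2",   "101", "Serial1/1"),
    "toisp1-2": RouteMap("toisp1-2", "100", "Serial1/1"),
    "toisp2-1": RouteMap("toisp2-1", "101", "Serial1/0"),
}
ORIGINAL_RULES = [NatRule("toisp1", "isp1"), NatRule("toisp2", "isp2")]
FINAL_RULES = [NatRule("toisp1", "isp1"), NatRule("toisp1-2", "isp2"),
               NatRule("toisp2", "isp2"), NatRule("toisp2-1", "isp1")]
# Interfaces that carry one of the lab's two default routes.
DEFAULT_ROUTE_INTERFACES = ("Serial1/0", "Serial1/1")

def route_map_matches(rm, src, egress):
    """All clauses of one route-map must match (ACL AND interface)."""
    if ip_address(src) not in ACLS[rm.acl]:
        return False
    return rm.interface is None or rm.interface == egress

def egress_for(wanted, up):
    """Routing lookup with two default routes: keep the wanted interface if it is
    up, otherwise fall back to any other up default-route interface (None if none)."""
    if wanted in up:
        return wanted
    return next((i for i in DEFAULT_ROUTE_INTERFACES if i in up), None)

def translate(src, egress, rules, route_maps=ROUTE_MAPS):
    """First NAT statement whose route-map matches wins; None means the packet
    leaves untranslated, i.e. 'sh ip nat translations' stays empty."""
    if egress is None:
        return None
    for rule in rules:
        if route_map_matches(route_maps[rule.route_map], src, egress):
            return rule.route_map, POOLS[rule.pool]
    return None

def lab_original_s10_down():
    # First lab: S1/0 shut, only toisp1/toisp2 configured -> no translation.
    return translate("192.168.1.4", egress_for("Serial1/0", {"Serial1/1"}), ORIGINAL_RULES)

def lab_final(src, wanted, up):
    # Final four-statement configuration with a given set of up interfaces.
    return translate(src, egress_for(wanted, up), FINAL_RULES)

def order_independent_with_interface_clause():
    """With the page's own route-maps, configured order does not change the result."""
    for src in ("192.168.1.4", "192.168.2.4"):
        for egress in DEFAULT_ROUTE_INTERFACES:
            if translate(src, egress, FINAL_RULES) != translate(src, egress, list(reversed(FINAL_RULES))):
                return False
    return True

def order_dependence_without_interface_clause():
    """Hypothetical variant (not on the page): backup route-map toisp1-2 written
    without 'match interface'. Two statements now match the same packet, so the
    configured order alone decides which inside global address is used."""
    loose = dict(ROUTE_MAPS, **{"toisp1-2": RouteMap("toisp1-2", "100", None)})
    egress = egress_for("Serial1/0", {"Serial1/0", "Serial1/1"})
    backup_first = [FINAL_RULES[1], FINAL_RULES[0]] + FINAL_RULES[2:]
    return (translate("192.168.1.4", egress, FINAL_RULES, loose),
            translate("192.168.1.4", egress, backup_first, loose))

if __name__ == "__main__":
    print("original, S1/0 down:", lab_original_s10_down())
    print("final, S1/0 down, 192.168.1.4:", lab_final("192.168.1.4", "Serial1/0", {"Serial1/1"}))
    print("final, all up, 192.168.2.4:", lab_final("192.168.2.4", "Serial1/1", {"Serial1/0", "Serial1/1"}))
    print("final, S1/1 down, 192.168.2.4:", lab_final("192.168.2.4", "Serial1/1", {"Serial1/0"}))
    print("order matters only without interface clause:",
          order_independent_with_interface_clause(), order_dependence_without_interface_clause())
```

The model deliberately leaves the routing decision as an input: with two equal default routes the router, not the NAT configuration, decides which serial interface a given destination leaves through, which is the static-route issue the post mentions at the top.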
Comments
ip nat inside source route-map toisp1 pool isp1 overload (original command)
If it is changed to ip nat inside source route-map toisp1 pool isp2 overload, the resulting behaviour contradicts the theory.
Please help me take a look.