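Lab environment:
GNS3 1.0 + i86bi-linux-l3-adventerprisek9-15.4.1T
In the topology, R4 and R5 simulate the routers of two different carriers (ISP_A and ISP_B). Traffic crosses the carrier links to reach R2 on the Internet, and R2's lo0 interface simulates a web server.
R3 simulates the local PCs: its e0/0 and lo0 interfaces simulate two PCs on different subnets.
R1 is the local border router, where the dual-exit policy and NAT are configured. The adventerprisek9-15.4.1T device has little memory by default and the lab will report errors, so increase R1's memory first.
Lab objective:
Use policy-based routing to split traffic by source address, so that hosts with different source addresses reach the Internet through different ISP interfaces and are translated to different NAT addresses.
When the network links are healthy, segment 1 (172.16.1.0/24) reaches 2.2.2.2 through ISP_A and segment 2 (172.16.2.0/24) reaches 2.2.2.2 through ISP_B, which achieves load balancing. When either the ISP_A or the ISP_B link fails, traffic switches over automatically, which provides backup.
Key points:
Cisco routers are generally not used for NAT because CPU utilization is too high. For a small business with few internal users, however, where a firewall is costly, using the existing router as the Internet gateway is an economical choice. With suitable configuration it also supports flexible routing and NAT policies. The relevant configuration commands and methods are described below.
The configuration tools used for NAT:
1. ACL
An ACL defines which internal users may reach the Internet. It can be a standard or an extended ACL. When a route-map is used, the ACL is the tool that defines the address range.
2. route-map
A route-map is a powerful tool for flexible control of routing policy and NAT policy.
3. NAT configuration
Interface commands: ip nat inside, ip nat outside
Global command: ip nat inside source route-map name interface int_name overload
4. Routing policy configuration
Interface command: ip policy route-map name
Lab steps:
I. Configure the interface IPs and the routing protocol on each router according to the topology. R4, R5 and R2 run OSPF area 0, and R2's loopback address 2.2.2.2 serves as the Internet server for testing.
Configure R3: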
R3(config)#interface e0/0
R3(config-if)#ip address 172.16.1.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#interface lo0
R3(config-if)#ip address 172.16.2.3 255.255.255.0
R3(config-if)#
R3(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
Configure R1:
R1(config)#interface e0/0
R1(config-if)#description to LAN
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#interface s1/0
R1(config-if)#description to ISP_B
R1(config-if)#ip address 15.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#interface s1/1
R1(config-if)#description to ISP_A
R1(config-if)#ip address 14.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 14.1.1.4
R1(config)#ip route 0.0.0.0 0.0.0.0 15.1.1.5
R1(config)#ip route 172.16.2.0 255.255.255.0 172.16.1.3 ### return route to LAN 172.16.2.0
R1(config)#
Configure R4:
R4(config)#interface s1/1
R4(config-if)#ip address 24.1.1.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#interface s1/0
R4(config-if)#ip address 14.1.1.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#exit
R4(config)#router ospf 4
R4(config-router)#network 0.0.0.0 255.255.255.255 area 0
Configure R5:
R5(config)#interface s1/0
R5(config-if)#ip address 25.1.1.5 255.255.255.0
R5(config-if)#no sh
R5(config-if)#interface s1/1
R5(config-if)#ip address 15.1.1.5 255.255.255.0
R5(config-if)#no sh
R5(config-if)#exit
R5(config)#router ospf 5
R5(config-router)#network 0.0.0.0 255.255.255.255 area 0
Configure R2:
R2(config)#interface lo0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R2(config-if)#interface s1/0
R2(config-if)#ip address 24.1.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#interface s1/1
R2(config-if)#ip address 25.1.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#router ospf 2
R2(config-router)#network 0.0.0.0 255.255.255.255 area 0
R2(config-router)#
*Aug 13 10:58:47.840: %OSPF-5-ADJCHG: Process 2, Nbr 25.1.1.5 on Serial1/1 from LOADING to FULL, Loading Done
*Aug 13 10:58:47.841: %OSPF-5-ADJCHG: Process 2, Nbr 24.1.1.4 on Serial1/0 from LOADING to FULL, Loading Done
II. Verify the basic configuration
R3:
R3#show ip interface br
R3#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 172.16.1.3 YES manual up up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Loopback0 172.16.2.3 YES manual up up
R3#show ip route
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.1.1
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Ethernet0/0
L 172.16.1.3/32 is directly connected, Ethernet0/0
C 172.16.2.0/24 is directly connected, Loopback0
L 172.16.2.3/32 is directly connected, Loopback0
R3#
R1:
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 172.16.1.1 YES manual up up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Serial1/0 15.1.1.1 YES manual up up
Serial1/1 14.1.1.1 YES manual up up
Serial1/2 unassigned YES unset administratively down down
Serial1/3 unassigned YES unset administratively down down
R1#show ip route
Gateway of last resort is 15.1.1.5 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 15.1.1.5
[1/0] via 14.1.1.4
14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 14.1.1.0/24 is directly connected, Serial1/1
L 14.1.1.1/32 is directly connected, Serial1/1
15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 15.1.1.0/24 is directly connected, Serial1/0
L 15.1.1.1/32 is directly connected, Serial1/0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Ethernet0/0
L 172.16.1.1/32 is directly connected, Ethernet0/0
S 172.16.2.0/24 [1/0] via 172.16.1.3
R1#
R4:
R4#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - 00:00:38 24.1.1.2 Serial1/1
R4#show ip route
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/65] via 24.1.1.2, 00:09:27, Serial1/1
14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 14.1.1.0/24 is directly connected, Serial1/0
L 14.1.1.4/32 is directly connected, Serial1/0
15.0.0.0/24 is subnetted, 1 subnets
O 15.1.1.0 [110/192] via 24.1.1.2, 00:09:17, Serial1/1
24.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 24.1.1.0/24 is directly connected, Serial1/1
L 24.1.1.4/32 is directly connected, Serial1/1
25.0.0.0/24 is subnetted, 1 subnets
O 25.1.1.0 [110/128] via 24.1.1.2, 00:09:27, Serial1/1
R5:
R5#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - 00:00:39 25.1.1.2 Serial1/0
R5#show ip route
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/65] via 25.1.1.2, 00:12:50, Serial1/0
14.0.0.0/24 is subnetted, 1 subnets
O 14.1.1.0 [110/192] via 25.1.1.2, 00:12:40, Serial1/0
15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 15.1.1.0/24 is directly connected, Serial1/1
L 15.1.1.5/32 is directly connected, Serial1/1
24.0.0.0/24 is subnetted, 1 subnets
O 24.1.1.0 [110/128] via 25.1.1.2, 00:12:50, Serial1/0
25.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 25.1.1.0/24 is directly connected, Serial1/0
L 25.1.1.5/32 is directly connected, Serial1/0
R2:
R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
25.1.1.5 0 FULL/ - 00:00:38 25.1.1.5 Serial1/1
24.1.1.4 0 FULL/ - 00:00:32 24.1.1.4 Serial1/0
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Serial0/0 unassigned YES unset administratively down down
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Serial1/0 24.1.1.2 YES manual up up
Serial1/1 25.1.1.2 YES manual up up
Serial1/2 unassigned YES unset administratively down down
Serial1/3 unassigned YES unset administratively down down
Loopback0 2.2.2.2 YES manual up up
R2#
Connectivity test:
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/61/63 ms
III. Configure NAT on R1
1. Configure ACLs that define the traffic allowed to be translated by NAT:
R1(config)#access-list 1 permit 172.16.1.0 0.0.0.255
R1(config)#access-list 2 permit 172.16.2.0 0.0.0.255
R1(config)#
2. Specify the inside and outside interfaces:
R1(config)#interface e0/0
R1(config-if)#ip nat inside
R1(config-if)#interface s1/1
R1(config-if)#ip nat outside
R1(config-if)#interface s1/0
R1(config-if)#ip nat outside
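When configuring NAT on an IOU device, the following errors at this point mean the default memory is insufficient. Save the current configuration with WR, stop R1, and increase the device memory: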
Regex parse error, please reconfigure!
% NBAR Error: Activation failed due to insufficient Dynamic Memory
% NBAR Error: Stile could not add protocol node
%NAT: Error activating CNBAR on the interface Ethernet0/0
3. Configure the route-maps:
R1(config)#route-map bearmr1 permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#match interface s1/1
R1(config-route-map)#exit
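#### Defines two match conditions for route-map bearmr1. match interface s1/1 tests whether interface s1/1 is up or down, and up counts as a match. When both conditions match, the following translation is applied: ip nat inside source route-map bearmr1 interface s1/1 overload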
R1(config)#route-map bearmr2 permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#exit
#### Defines the match condition for route-map bearmr2. On a match, the following translation is applied: ip nat inside source route-map bearmr2 interface s1/1 overload
R1(config)#route-map bearmr3 permit 10
R1(config-route-map)#match ip address 2
R1(config-route-map)#match interface s1/0
R1(config-route-map)#exit
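#### Defines two match conditions for route-map bearmr3. match interface s1/0 tests whether interface s1/0 is up or down, and up counts as a match. When both conditions match, the following translation is applied: ip nat inside source route-map bearmr3 interface s1/0 overload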
R1(config)#route-map bearmr4 permit 10
R1(config-route-map)#match ip address 2
R1(config-route-map)#exit
#### Defines the match condition for route-map bearmr4. On a match, the following translation is applied: ip nat inside source route-map bearmr4 interface s1/1 overload
4. Bind NAT to the route-maps configured above
R1(config)#ip nat inside source route-map bearmr1 interface s1/1 overload
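### route-map bearmr1 is applied to NAT: if the conditions match, traffic (172.16.1.0/24) leaves through s1/1 and reaches the Internet via ISP_A; if s1/1 is down, traffic leaves through s1/0 and reaches the Internet via ISP_B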
R1(config)#ip nat inside source route-map bearmr2 interface s1/0 overload
### if s1/1 is down, traffic (172.16.1.0/24) leaves through s1/0 and reaches the Internet via ISP_B
R1(config)#ip nat inside source route-map bearmr3 interface s1/0 overload
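### route-map bearmr3 is applied to NAT: if the conditions match, traffic (172.16.2.0/24) leaves through s1/0 and reaches the Internet via ISP_B; if s1/0 is down, traffic leaves through s1/1 and reaches the Internet via ISP_A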
R1(config)#ip nat inside source route-map bearmr4 interface s1/1 overload
### if s1/0 is down, traffic (172.16.2.0/24) leaves through s1/1 and reaches the Internet via ISP_A
5. Configure PBR (policy-based routing)
R1(config)#route-map bearmr permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#match interface s1/1
R1(config-route-map)#set interface s1/1
R1(config-route-map)#exit
### Defines route-map bearmr: when both match conditions hold, the set action is executed
R1(config)#route-map bearmr permit 20
R1(config-route-map)#match ip address 2
R1(config-route-map)#match interface s1/0
R1(config-route-map)#set interface s1/0
R1(config-route-map)#exit
### Defines route-map bearmr: when both match conditions hold, the set action is executed
6. Apply PBR inbound on R1's s0/0
R1(config)#interface e0/0
R1(config-if)#ip policy route-map bearmr
R1(config-if)#end
R1#
Check some basic information again:
R1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 18, occurred 00:23:35 ago
Outside interfaces:
Serial1/0, Serial1/1
Inside interfaces:
Ethernet0/0
Hits: 146 Misses: 0
CEF Translated packets: 116, CEF Punted packets: 30
Expired translations: 44
Dynamic mappings:
– Inside Source
[Id: 1] route-map bearmr1 interface Serial1/1 refcount 0
[Id: 2] route-map bearmr2 interface Serial1/0 refcount 0
[Id: 5] route-map bearmr3 interface Serial1/0 refcount 0
[Id: 4] route-map bearmr4 interface Serial1/1 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
IV. Testing
1. Enable debugging on R1
R1#debug ip nat
IP NAT debugging is on
2. From R3, ping the Internet with source address 172.16.2.3
R3#ping 2.2.2.2 source 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/20 ms
Check the NAT translations on R1:
R1#
*Aug 13 14:54:16.887: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [0] ### source address translated to the S1/1 interface address
*Aug 13 14:54:16.908: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [0]
*Aug 13 14:54:16.909: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [1]
*Aug 13 14:54:16.928: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [1]
*Aug 13 14:54:16.928: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [2]
*Aug 13 14:54:16.947: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [2]
*Aug 13 14:54:16.948: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [3]
*Aug 13 14:54:16.967: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [3]
*Aug 13 14:54:16.967: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [4]
*Aug 13 14:54:16.987: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [4]
3. From R3, ping the Internet with source address 172.16.2.3
R3#ping 2.2.2.2 source 172.16.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/25/48 ms
Check the NAT translations on R1:
R1#
*Aug 13 15:30:54.631: NAT*: s=172.16.2.3->14.1.1.1, d=2.2.2.2 [20] ### source address translated to the S1/1 interface address
*Aug 13 15:30:54.652: NAT*: s=2.2.2.2, d=14.1.1.1->172.16.2.3 [20]
*Aug 13 15:30:54.653: NAT*: s=172.16.2.3->14.1.1.1, d=2.2.2.2 [21]
*Aug 13 15:30:54.673: NAT*: s=2.2.2.2, d=14.1.1.1->172.16.2.3 [21]
*Aug 13 15:30:54.674: NAT*: s=172.16.2.3->14.1.1.1, d=2.2.2.2 [22]
*Aug 13 15:30:54.693: NAT*: s=2.2.2.2, d=14.1.1.1->172.16.2.3 [22]
*Aug 13 15:30:54.694: NAT*: s=172.16.2.3->14.1.1.1, d=2.2.2.2 [23]
*Aug 13 15:30:54.714: NAT*: s=2.2.2.2, d=14.1.1.1->172.16.2.3 [23]
*Aug 13 15:30:54.714: NAT*: s=172.16.2.3->14.1.1.1, d=2.2.2.2 [24]
*Aug 13 15:30:54.733: NAT*: s=2.2.2.2, d=14.1.1.1->172.16.2.3 [24]
4. Use traceroute to trace the path taken to 2.2.2.2
R3#traceroute 2.2.2.2 source 172.16.1.3 ### source address 172.16.1.3
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.1 7 msec 1 msec 1 msec
2 15.1.1.5 11 msec 11 msec 11 msec #### reached via ISP_B
3 25.1.1.2 21 msec 17 msec *
R3#traceroute 2.2.2.2 source 172.16.2.3 ### source address 172.16.2.3
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.1 1 msec 2 msec 6 msec
2 14.1.1.4 10 msec 6 msec 11 msec #### reached via ISP_A
3 24.1.1.2 18 msec 20 msec *
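The tests above give the following result: segment 172.16.2.0/24 reaches 2.2.2.2 via ISP_A
segment 172.16.1.0/24 reaches 2.2.2.2 via ISP_B
Test once more without specifying a source address: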
R3#traceroute 2.2.2.2
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.1 2 msec 1 msec 6 msec
2 15.1.1.5 11 msec 11 msec 11 msec ### via ISP_B by default
3 25.1.1.2 20 msec 22 msec *
V. Manually shut down R1's s1/1 interface to simulate a link failure
R1(config)#interface s1/1
R1(config-if)#shutdown
1. From R3, ping 2.2.2.2 with source address 172.16.1.2
R3#ping 2.2.2.2 source 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/27 ms
Check the NAT translations on R1:
R1#
*Aug 13 15:46:26.979: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Aug 13 15:47:50.944: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [30] ### source address translated to the S1/0 interface address
*Aug 13 15:47:50.965: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [30]
*Aug 13 15:47:50.965: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [31]
*Aug 13 15:47:50.985: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [31]
*Aug 13 15:47:50.985: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [32]
*Aug 13 15:47:51.006: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [32]
*Aug 13 15:47:51.006: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [33]
*Aug 13 15:47:51.026: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [33]
*Aug 13 15:47:51.026: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [34]
*Aug 13 15:47:51.047: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [34]
*Aug 13 15:48:51.978: NAT: expiring 15.1.1.1 (172.16.1.3) icmp 6 (6)
2. From R3, ping 2.2.2.2 with source address 172.16.2.2
R3#ping 2.2.2.2 source 172.16.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.3
!!!!!
Check the NAT translations on R1:
R1#
*Aug 13 15:50:14.814: NAT*: s=172.16.2.3->15.1.1.1, d=2.2.2.2 [35] ### source address translated to the S1/0 interface address
*Aug 13 15:50:14.834: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.2.3 [35]
*Aug 13 15:50:14.834: NAT*: s=172.16.2.3->15.1.1.1, d=2.2.2.2 [36]
*Aug 13 15:50:14.854: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.2.3 [36]
*Aug 13 15:50:14.854: NAT*: s=172.16.2.3->15.1.1.1, d=2.2.2.2 [37]
*Aug 13 15:50:14.874: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.2.3 [37]
*Aug 13 15:50:14.874: NAT*: s=172.16.2.3->15.1.1.1, d=2.2.2.2 [38]
*Aug 13 15:50:14.894: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.2.3 [38]
*Aug 13 15:50:14.895: NAT*: s=172.16.2.3->15.1.1.1, d=2.2.2.2 [39]
*Aug 13 15:50:14.914: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.2.3 [39]
*Aug 13 15:51:15.649: NAT: expiring 15.1.1.1 (172.16.2.3) icmp 7 (7)
3. Use traceroute to trace the path taken to 2.2.2.2
R3#traceroute 2.2.2.2 source 172.16.1.3
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.1 1 msec 1 msec 9 msec
2 15.1.1.5 6 msec 10 msec 10 msec #### reached via ISP_B
3 25.1.1.2 20 msec 16 msec *
R3#traceroute 2.2.2.2 source 172.16.2.3
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.1 4 msec 2 msec 1 msec
2 15.1.1.5 11 msec 11 msec 10 msec #### reached via ISP_B
3 25.1.1.2 21 msec 21 msec *
The tests above give the following result: segment 172.16.2.0/24 reaches 2.2.2.2 via ISP_B
segment 172.16.1.0/24 reaches 2.2.2.2 via ISP_B
R1#clear access-list counters
R3#ping 2.2.2.2 so e0/0 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.3
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 20/20/20 ms
R3#ping 2.2.2.2 so l0 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.3
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 20/20/20 ms
R1#sh access-l
Standard IP access list 1
10 permit 172.16.1.0, wildcard bits 0.0.0.255 (3 matches)
Standard IP access list 2
10 permit 172.16.2.0, wildcard bits 0.0.0.255 (2 matches)
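access list 1 was hit 3 times: once for policy routing, once for NAT of the ICMP request, and once for NAT of the ICMP reply.
access list 2 was hit 2 times: the traffic followed the default route, once for NAT of the ICMP request and once for NAT of the ICMP reply.
The results show that although the ISP_A link failed, traffic can still reach 2.2.2.2 on the Internet through ISP_B, which implements link switchover and backup.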
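A way to check the captured `debug ip nat` output against the lab objective mechanically, as an added example that is not part of the original write-up: it maps each outbound translation to the ISP that owns the translated address and compares that with the subnet's intended primary ISP, or with the surviving link during a failure. The log lines are copied from the captures above; the function names and the links_up parameter are my own.

```python
import ipaddress
import re

# R1's outside addresses as configured on this page (s1/1 -> ISP_A, s1/0 -> ISP_B).
EGRESS = {"14.1.1.1": "ISP_A", "15.1.1.1": "ISP_B"}
# Intended primary ISP per inside subnet, taken from the lab objective.
POLICY = {"172.16.1.0/24": "ISP_A", "172.16.2.0/24": "ISP_B"}
# Outbound line of `debug ip nat`: "NAT*: s=<inside>-><translated>, d=<dest> [id]"
OUTBOUND = re.compile(r"NAT\*?: s=([\d.]+)->([\d.]+), d=([\d.]+)")

# Lines copied from the captures above, taken with both links up.
NORMAL_LOG = """\
*Aug 13 14:54:16.887: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [0]
*Aug 13 14:54:16.908: NAT*: s=2.2.2.2, d=15.1.1.1->172.16.1.3 [0]
*Aug 13 15:30:54.631: NAT*: s=172.16.2.3->14.1.1.1, d=2.2.2.2 [20]
*Aug 13 15:30:54.652: NAT*: s=2.2.2.2, d=14.1.1.1->172.16.2.3 [20]
"""
# Lines copied from the captures taken with s1/1 (ISP_A) shut down.
FAILOVER_LOG = """\
*Aug 13 15:47:50.944: NAT*: s=172.16.1.3->15.1.1.1, d=2.2.2.2 [30]
*Aug 13 15:50:14.814: NAT*: s=172.16.2.3->15.1.1.1, d=2.2.2.2 [35]
*Aug 13 15:48:51.978: NAT: expiring 15.1.1.1 (172.16.1.3) icmp 6 (6)
"""

def expected_isp(inside, links_up):
    """Primary ISP for the subnet if its link is up, else a surviving link."""
    addr = ipaddress.ip_address(inside)
    for net, primary in POLICY.items():
        if addr in ipaddress.ip_network(net):
            if primary in links_up:
                return primary
            return next(iter(sorted(links_up)), None)
    return None  # source is outside every NAT-eligible subnet

def audit(log_text, links_up=("ISP_A", "ISP_B")):
    """Return {inside: (expected, observed set, ok)} for outbound translations."""
    observed = {}
    for inside, translated, _dest in OUTBOUND.findall(log_text):
        isp = EGRESS.get(translated, "unknown:" + translated)
        observed.setdefault(inside, set()).add(isp)
    report = {}
    for inside, isps in observed.items():
        want = expected_isp(inside, links_up)
        report[inside] = (want, isps, isps == {want})
    return report

if __name__ == "__main__":
    for name, log, up in (("normal", NORMAL_LOG, ("ISP_A", "ISP_B")),
                          ("ISP_A down", FAILOVER_LOG, ("ISP_B",))):
        for inside, (want, got, ok) in sorted(audit(log, up).items()):
            print(f"{name}: {inside} expected {want}, saw {sorted(got)}:",
                  "OK" if ok else "MISMATCH")
```

On the steady-state capture both hosts are reported as MISMATCH, since each subnet appears on the other ISP from the one named in the lab objective, which agrees with the traceroute output above. On the failover capture both hosts pass.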
VI. Lab complete
Re-enable the ISP_A link interface
R1(config)#inter s1/1
R1(config-if)#no sh
Detailed configuration attached:
Link: http://pan.baidu.com/s/1sj1542T Password: pfuj