Hot standby with NAT translation and interface tracking
Lab environment: one firewall, two PCs, two routers, two switches (the device connecting to the external network can be either a firewall or a router).
Firewall configuration:
[r1]fire packet default permit
[r1]firewall zone trust
[r1-zone-trust]add inter e0/0
[r1-zone-trust]add inter e0/1
[r1-zone-trust]add inter e0/2
[r1-zone-trust]inter eth0/0
[r1-Ethernet0/0]ip address 192.168.5.1 255.255.255.0
[r1-Ethernet0/0]inter eth0/1
[r1-Ethernet0/1]ip address 192.168.4.1 255.255.255.0
[r1-zone-trust]inter eth0/2
[r1-Ethernet0/2]ip address 192.168.3.1 255.255.255.0
[r1-Ethernet0/2]loopback
Configure r2:
[r2-Ethernet0]inter e1
[r2-Ethernet1]ip address 192.168.4.2 255.255.255.0
[r2-Ethernet0]inter e0.10
[r2-Ethernet0.10]vlan-type dot1q vid 10
[r2-Ethernet0.10]ip address 192.168.10.1 255.255.255.0
[r2-Ethernet0.10]inter e0.20
[r2-Ethernet0.20]vlan-type dot1q vid 20
[r2-Ethernet0.20]ip address 192.168.20.1 255.255.255.0
Configure a static route:
[r2]ip route 0.0.0.0 0.0.0.0 192.168.4.1
NAT on R2:
[r2]acl 2000
[r2-acl-2000]rule permit source any
[r2]inter e1
[r2-Ethernet1]nat outbound 2000 interface
Configure r3:
[r3]ip route 0.0.0.0 0.0.0.0 192.168.5.1
[r3]inter e0
[r3-Ethernet0]ip address 192.168.5.2 255.255.255.0
[r3-Ethernet0]
%01:20:09: Line protocol ip on the interface Ethernet0 is UP
[r3-Ethernet0]undo shut
[r3]inter eth1.10
[r3-Ethernet1.10]vlan-type do1q vid 10
Incorrect command
[r3-Ethernet1.10]vlan-type dot1q vid 10
[r3-Ethernet1.10]ip address 192.168.10.2 255.255.255.0
[r3-Ethernet1.10]inter eth0.20
[r3-Ethernet1.20]vlan-type dot1q vid 20
[r3-Ethernet1.20]ip address 192.168.20.2 255.255.255.0
NAT translation:
[r3]acl 2000
[r3-acl-2000]rule permit source any
Rule has been added to normal packet-filtering rules
[r3-acl-2000]inter e0
[r3-Ethernet0]nat outbound 2000 interface
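The two NAT commands on r2 and r3, `acl 2000` with `rule permit source any` and `nat outbound 2000 interface`, pair a basic ACL (which selects the source addresses to translate) with translation to the egress interface's own address. The following Python model is an added example, not Comware code or this page's configuration: it implements the ACL match, the outbound address-and-port translation to the interface address (192.168.4.2 on r2's e1), and the session table that maps replies back to the inside host. The flow tuple, the port numbers, and the restricted-ACL variant `ACL_VLAN10_ONLY` are constructed assumptions.

```python
"""Model of 'nat outbound <acl> interface' (Easy IP / PAT) with a basic ACL.

Added example: it is not Comware code or the configuration on this page.
It replays r2's setup: ACL 2000 permits any source, and egress interface e1
carries 192.168.4.2, so every outbound flow leaves with that source address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class AclRule:
    action: str                        # "permit" or "deny"
    source: Optional[IPv4Network]      # None stands for "source any"


# Page's ACL: [r2-acl-2000] rule permit source any
ACL_2000: List[AclRule] = [AclRule("permit", None)]

# Constructed variant (not on the page): translate only VLAN 10 hosts.
# Comware form would be: rule permit source 192.168.10.0 0.0.0.255
ACL_VLAN10_ONLY: List[AclRule] = [AclRule("permit", IPv4Network("192.168.10.0/24"))]


def acl_match(rules: List[AclRule], src: str) -> bool:
    """Basic ACL: the first rule whose source covers the packet decides.
    No matching rule means the packet is not selected for translation."""
    for rule in rules:
        if rule.source is None or IPv4Address(src) in rule.source:
            return rule.action == "permit"
    return False


class OutboundNat:
    """Per-interface outbound NAT using the interface's own address."""

    def __init__(self, acl: List[AclRule], interface_ip: str, first_port: int = 1024):
        self.acl = acl
        self.if_ip = interface_ip
        self.next_port = first_port                     # constructed port pool start
        # (if_ip, port, proto) -> (inside src, inside sport)
        self.sessions: Dict[Tuple[str, int, str], Tuple[str, int]] = {}
        # (inside src, inside sport, proto) -> allocated port
        self.allocated: Dict[Tuple[str, int, str], int] = {}

    def outbound(self, f: Flow) -> Flow:
        """Packet leaving through the NAT interface."""
        if not acl_match(self.acl, f.src):
            return f                                    # not selected: forwarded untranslated
        key = (f.src, f.sport, f.proto)
        port = self.allocated.get(key)
        if port is None:                                # first packet of the flow: create session
            port = self.next_port
            self.next_port += 1
            self.allocated[key] = port
            self.sessions[(self.if_ip, port, f.proto)] = (f.src, f.sport)
        return Flow(self.if_ip, port, f.dst, f.dport, f.proto)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Packet arriving at the NAT interface; only session hits are translated back."""
        inside = self.sessions.get((f.dst, f.dport, f.proto))
        if inside is None:
            return None                                 # unsolicited: no session, dropped
        src, sport = inside
        return Flow(f.src, f.sport, src, sport, f.proto)


def page_scenario() -> Dict[str, Optional[Flow]]:
    """VLAN 10 host behind r2 reaches the firewall's 192.168.3.1 and gets a reply."""
    r2 = OutboundNat(ACL_2000, "192.168.4.2")
    out = r2.outbound(Flow("192.168.10.100", 40000, "192.168.3.1", 7))
    reply = r2.inbound(Flow("192.168.3.1", 7, out.src, out.sport))
    stray = r2.inbound(Flow("192.168.3.1", 7, "192.168.4.2", 5000))   # no session
    return {"out": out, "reply": reply, "stray": stray}


def restricted_scenario() -> Tuple[Flow, Flow]:
    """With the constructed VLAN-10-only ACL, a VLAN 20 host is left untranslated."""
    r2 = OutboundNat(ACL_VLAN10_ONLY, "192.168.4.2")
    v10 = r2.outbound(Flow("192.168.10.100", 40000, "192.168.3.1", 7))
    v20 = r2.outbound(Flow("192.168.20.100", 40000, "192.168.3.1", 7))
    return v10, v20


if __name__ == "__main__":
    for name, flow in page_scenario().items():
        print(name, flow)
    print(restricted_scenario())
```

The `stray` case is the property worth keeping in mind: with outbound NAT only, a packet arriving at 192.168.4.2 that matches no session has nowhere to go, which is why the firewall side can reach the PCs only in reply to traffic they initiated.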
Sw1 configuration:
[sw1]vlan 10
[sw1-vlan10]port e0/10
[sw1-vlan10]vlan 20
[sw1-vlan20]port e0/20
[sw1]inter e0/1
[sw1-Ethernet0/1]port link-type trunk
[sw1-Ethernet0/1]port trunk permit vlan all
Please wait........................................... Done.
[sw1-Ethernet0/5]port link-type trunk
[sw1-Ethernet0/5]port trunk permit vlan all
Please wait........................................... Done.
Sw2 configuration:
[sw2]vlan 10
[sw2-vlan10]port e0/10
[sw2-vlan10]vlan 20
[sw2-vlan20]port e0/20
[sw2]inter e0/1
[sw2-Ethernet0/1]port link-type trunk
[sw2-Ethernet0/1]port trunk permit vlan all
Please wait........................................... Done.
[sw2-Ethernet0/5]port link-type trunk
[sw2-Ethernet0/5]port trunk permit vlan all
Please wait........................................... Done.
Test from a PC (VLAN 10, 192.168.10.100):
C:\Users\Administrator>ping 192.168.10.1
正在 Ping 192.168.10.1 具有 32 字节的数据:
来自 192.168.10.1 的回复: 字节=32 时间<1ms TTL=255
来自 192.168.10.1 的回复: 字节=32 时间<1ms TTL=255
来自 192.168.10.1 的回复: 字节=32 时间<1ms TTL=255
来自 192.168.10.1 的回复: 字节=32 时间<1ms TTL=255
192.168.10.1 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 0ms,平均 = 0ms
C:\Users\Administrator>ping 192.168.3.1
正在 Ping 192.168.3.1 具有 32 字节的数据:
来自 192.168.3.1 的回复: 字节=32 时间=2ms TTL=254
来自 192.168.3.1 的回复: 字节=32 时间=2ms TTL=254
来自 192.168.3.1 的回复: 字节=32 时间=2ms TTL=254
来自 192.168.3.1 的回复: 字节=32 时间=3ms TTL=254
192.168.3.1 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 2ms,最长 = 3ms,平均 = 2ms
This shows that NAT translation works.
Test from the second PC:
C:\Documents and Settings\杨震宇>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=2ms TTL=254
Reply from 192.168.3.1: bytes=32 time=2ms TTL=254
Reply from 192.168.3.1: bytes=32 time=3ms TTL=254
Reply from 192.168.3.1: bytes=32 time=4ms TTL=254
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 4ms, Average = 2ms
The test succeeds, showing that NAT translation works.
在
On r2:
[r2]inter eth0.10
[r2-Ethernet0.10]vrrp vrid 10 virtual-ip 192.168.10.254 (configure the virtual router)
[r2-Ethernet0.10]inter eth0.20
[r2-Ethernet0.20]vrrp vrid 20 virtual-ip 192.168.20.254 (configure the virtual router)
[r2-Ethernet0.20]inter eth0.10
[r2-Ethernet0.10]vrrp vrid 10 priority 120 (set the priority to 120)
[r2-Ethernet0.10]vrrp vrid 10 preempt (enable preemption)
[r2-Ethernet0.10]vrrp vrid 10 track eth0.10 reduced 30 (reduce the priority by 30 automatically when the tracked interface goes down)
[r2-Ethernet0.10]inter e0.20
[r2-Ethernet0.20]vrrp vrid 20 preempt (enable preemption)
On r3:
[r3]inter e1.10
[r3-Ethernet1.10]vrrp vrid 10 virtual 192.168.10.254 (configure the virtual router)
[r3-Ethernet1.10]inter e0
%02:29:07: Interface Ethernet1 is DOWN.20
[r3-Ethernet1.20]inter e0.20
[r3-Ethernet1.20]
%02:29:12: Interface Ethernet1 is UP
[r3-Ethernet1.20]vrrp vrid 20 priority 120 (set the priority to 120)
[r3-Ethernet1.20]vrrp vrid 20 virtual 192.168.20.254 (configure the virtual router)
[r3-Ethernet1.20]vrrp vrid 20 preempt (enable preemption)
[r3-Ethernet1.20]vrrp vrid 20 track e1.20 reduced 30 (reduce the priority by 30 automatically when the tracked interface goes down)
[r3-Ethernet1.20]inter e1.10
[r3-Ethernet1.10]vrrp vrid 10 preempt (enable preemption)
Display VRRP on R3:
[r3]dis vrrp
Ethernet1.20 | Virtual Router 20
state : Master
Virtual IP : 192.168.20.254
Priority : 120
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Ethernet1.20 Priority reduced : 30
Ethernet1.10 | Virtual Router 10
state : Backup
Virtual IP : 192.168.10.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Display VRRP on R2:
[r2]dis vrrp
Ethernet0.10 | Virtual Router 10
state : Master
Virtual IP : 192.168.10.254
Priority : 120
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Ethernet0.10 Priority reduced : 10
Ethernet0.20 | Virtual Router 20
state : Backup
Virtual IP : 192.168.20.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
VLAN 10 (192.168.10.100) accessing 192.168.20.100:
C:\Users\Administrator>tracert 192.168.20.100
通过最多 30 个跃点跟踪
到 杨震宇 [192.168.20.100] 的路由:
1 1 ms 1 ms <1 毫秒 192.168.10.1
2 <1 毫秒 <1 毫秒 <1 毫秒 杨震宇 [192.168.20.100]
跟踪完成。
Shut down interface e1 on r2 and test again:
10.100 pinging 20.100:
C:\Users\Administrator>tracert 192.168.20.100
通过最多 30 个跃点跟踪
到 杨震宇 [192.168.20.100] 的路由:
1 <1 毫秒 <1 毫秒 <1 毫秒 192.168.10.2
2 <1 毫秒 <1 毫秒 <1 毫秒 杨震宇 [192.168.20.100]
跟踪完成。
From VLAN 20 (192.168.20.100) ping 192.168.10.100:
C:\Documents and Settings\杨震宇>tracert 192.168.10.100
Tracing route to 192.168.10.100 over a maximum of 30 hops
1 2 ms <1 ms <1 ms 192.168.20.2
2 1 ms <1 ms 1 ms 192.168.10.100
Trace complete.
Shut down interface e1 on r3:
From VLAN 20 (192.168.20.100) ping 192.168.10.100:
C:\Documents and Settings\杨震宇>tracert 192.168.10.100
Tracing route to 192.168.10.100 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.20.1
2 <1 ms <1 ms <1 ms 192.168.10.100
Trace complete.
Check VRRP on r3 again:
[r3-Ethernet1]dis vrrp
Ethernet1.20 | Virtual Router 20
state : Initialize (shown because e1 was shut down)
Virtual IP : 192.168.20.254
Priority : 90 (priority reduced by 30)
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
Track IF : Ethernet1.20 Priority reduced : 30
Ethernet1.10 | Virtual Router 10
state : Initialize
Virtual IP : 192.168.10.254
Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NO
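To make the election that the `dis vrrp` outputs and the tracert tests illustrate explicit, here is an added Python model of VRRP master election with preemption and interface tracking. It is not Comware code or output: it replays the page's two groups (vrid 10 and vrid 20 with the priorities, `preempt` and `track ... reduced 30` settings configured above) and returns the state and effective priority each router would report, treating a subinterface as down whenever its parent interface is shut. The `r2/Ethernet1` uplink-tracking variant and the no-preempt variant are constructed assumptions that are not part of the lab; the tie-break on the higher interface address and the floor of 1 on the reduced priority follow the VRRP specification rather than anything shown on the page.

```python
"""Model of VRRP master election with preemption and interface tracking.

Added example, not Comware code. Link states are keyed "router/interface";
a subinterface such as r3/Ethernet1.20 is down whenever r3/Ethernet1 is.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class VrrpInstance:
    router: str
    interface: str                  # (sub)interface the group runs on
    ip: str                         # real address: the hop that tracert shows
    priority: int = 100             # VRRP default priority
    preempt: bool = True
    track_if: Optional[str] = None  # local interface whose failure lowers priority
    reduced: int = 0                # 'track ... reduced N'


LinkState = Dict[str, bool]         # "router/interface" -> up? (missing means up)


def is_up(router: str, name: str, links: LinkState) -> bool:
    parent = name.split(".")[0]
    return links.get(f"{router}/{parent}", True) and links.get(f"{router}/{name}", True)


def effective_priority(inst: VrrpInstance, links: LinkState) -> int:
    if inst.track_if and not is_up(inst.router, inst.track_if, links):
        return max(inst.priority - inst.reduced, 1)   # assumption: never below 1
    return inst.priority


def elect(group: List[VrrpInstance], links: LinkState,
          current_master: Optional[str] = None) -> Dict[str, Tuple[str, int]]:
    """Return {router: (state, effective priority)} for one virtual router."""
    result: Dict[str, Tuple[str, int]] = {}
    candidates: List[VrrpInstance] = []
    for inst in group:
        if is_up(inst.router, inst.interface, links):
            candidates.append(inst)
        else:
            result[inst.router] = ("Initialize", effective_priority(inst, links))
    if not candidates:
        return result
    # Highest effective priority wins; equal priorities fall back to the higher address.
    best = max(candidates, key=lambda i: (effective_priority(i, links), IPv4Address(i.ip)))
    master = best
    cur = next((i for i in candidates if i.router == current_master), None)
    if cur is not None and best is not cur and not best.preempt:
        master = cur            # without preempt, the stronger router waits for the master to fail
    for inst in candidates:
        state = "Master" if inst is master else "Backup"
        result[inst.router] = (state, effective_priority(inst, links))
    return result


# The page's configuration (priority 100 where none was set).
VRID10 = [
    VrrpInstance("r2", "Ethernet0.10", "192.168.10.1", 120, True, "Ethernet0.10", 30),
    VrrpInstance("r3", "Ethernet1.10", "192.168.10.2"),
]
VRID20 = [
    VrrpInstance("r2", "Ethernet0.20", "192.168.20.1"),
    VrrpInstance("r3", "Ethernet1.20", "192.168.20.2", 120, True, "Ethernet1.20", 30),
]


def both_groups(links: LinkState) -> Dict[str, Dict[str, Tuple[str, int]]]:
    return {"vrid10": elect(VRID10, links), "vrid20": elect(VRID20, links)}


def all_links_up():
    """Matches the first two 'dis vrrp' outputs: r2 masters vrid 10, r3 masters vrid 20."""
    return both_groups({})


def r3_e1_shut():
    """Matches the last 'dis vrrp' on r3: both groups Initialize, vrid 20 priority 90."""
    return both_groups({"r3/Ethernet1": False})


def uplink_tracking_failover():
    """Constructed variant: r2 tracks its uplink Ethernet1 instead of the LAN subinterface,
    so losing the path to the firewall hands vrid 10 to r3 while r2's LAN side stays up."""
    group = [replace(VRID10[0], track_if="Ethernet1"), VRID10[1]]
    return elect(group, {"r2/Ethernet1": False}, current_master="r2")


def r2_returns(preempt: bool):
    """Constructed variant: r2 comes back while r3 is master of vrid 10."""
    group = [replace(VRID10[0], preempt=preempt), VRID10[1]]
    return elect(group, {}, current_master="r3")


if __name__ == "__main__":
    print("all up", all_links_up())
    print("r3 e1 shut", r3_e1_shut())
    print("uplink tracking", uplink_tracking_failover())
    print("r2 returns, preempt", r2_returns(True), "no preempt", r2_returns(False))
```

The uplink-tracking variant shows the point of `track ... reduced`: the lab tracks the VRRP subinterface itself, which only fails together with the group, whereas tracking the uplink lets a router that has lost its path to the firewall step down (120 - 30 = 90 < 100) while its LAN interface is still up.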