基于源的route-mapNAT

网关有多出口，且欲实现负载（或者区分数据类型指定出口）并互为备份，这种流量分担的思想就是将不同地址或不同数据扔到不同出口，再以满足出口为先决条件，为所有内部地址提供NATIP地址段如图Part1：基于源地址的route-mapNATR1ISP1:enableconftinterfaceLoopback0descriptionDianxinNetipaddress1.1.1.1255.255.255.0interfaceSerial2/0descriptionToHangZhouQianJiangKeJiDaShaipaddress13.13.13.1255.255.255.0noshutdowninterfaceSerial2/3descriptionToWangTongNetipaddress100.1.1.1255.255.255.252noshutdowniproute2.2.2.0255.255.255.0100.1.1.2iproute23.23.23.0255.255.255.0100.1.1.2R2ISP2:enableconftinterfaceLoopback0descriptionWangTongNetipaddress2.2.2.2255.255.255.0interfaceSerial2/1descriptionToHangZhouQianJiangKeJiDaShaipaddress23.23.23.2255.255.255.0noshutdowninterfaceSerial2/3descriptionToDianXinNetipaddress100.1.1.2255.255.255.252noshutdowniproute1.1.1.0255.255.255.0100.1.1.1iproute13.13.13.0255.255.255.0100.1.1.1R4HOST:enableconftnoiproutingipdefault-gateway192.168.1.1interfacef0/0ipaddress192.168.1.4255.255.255.0noshutdownR5HOST:enableconftnoiproutingipdefault-gateway172.16.1.1interfacef1/0ipaddress172.16.1.5255.255.255.0noshutdownR3GW:enableconftinterfaceSerial2/0descriptionToDianXinISPipaddress13.13.13.3255.255.255.0ipnatoutsidenoshutdowninterfaceSerial2/1descriptionToWangTongISPipaddress23.23.23.3255.255.255.0ipnatoutsidenoshutdowninterfaceFastEthernet0/0ipaddress192.168.1.1255.255.255.0ipnatinsidenoshutdownippolicyroute-mapciscointerfaceFastEthernet1/0ipaddress172.16.1.1255.255.255.0ipnatinsidenoshutdownippolicyroute-mapciscoipslamonitor13typeechoprotocolipIcmpEcho13.13.13.1source-ipaddr13.13.13.3timeout3000frequency5ipslamonitor23typeechoprotocolipIcmpEcho23.23.23.2source-ipaddr23.23.23.3timeout3000frequency5#定义下一跳监控，目的、源、监控超时时长、探测包发送周期、ipslamonitorschedule13lifeforeverstart-timenowipslamonitorschedule23lifeforeverstart-timenow#启动监控计划，永远存活、启动时间从现在开始track1rtr13reachabilitytrack2rtr23reachability#定义跟踪，跟踪下一跳可达时，下面的某些设置可以有效（UP）存在，否则无效（Down）或者功能暂时消失iproute0.0.0.00.0.0.013.13.13.1track1iproute0.0.0.00.0.0.023.23.23.2track2#两条默认路由，下一跳可达时路由加表，不可达时删除该条目。access-list100permitipanyanyaccess-list192permitip192.168.1.00.0.0.255anyaccess-list172permitip172.16.1.00.0.0.255anyroute-mapciscopermit10matchipaddress192setipnext-hopverify-availability13.13.13.110track1setipnext-hopverify-availability23.23.23.220track2route-mapciscopermit20matchipaddress172setipnext-hopverify-availability23.23.23.230track2setipnext-hopverify-availability13.13.13.140track1#定义策略路由，满足地址列表192或者172时，为满足的地址设置下一跳，并跟踪下一跳可达，不可达时启用下一条目。10、20与30、40的意思是，数值小的优先成为下一跳，数值大的为备份，也可以使用setipdefaultnext-hopx.x.x.xroute-mapnat192permit10matchipaddress100matchinterfaceSerial2/0route-mapnat172permit10matchipaddress100matchinterfaceSerial2/1ipnatinsidesourceroute-mapnat192interfaceSerial2/0overloadipnatinsidesourceroute-mapnat172interfaceSerial2/1overload#定义route-map，满足地址段以及出口的为其转换成相应的出口地址#定义PAT（当接口网络类型不同时，match的方式也不同，串行链路中PPP以及HDLC只能matchinterface，FR与以太网可以matchinterface和matchipnext-hop，当然只是测试的情况下。所以matchinterface屡试不爽，而且接口down状态下route-map可以自行侦测，即match失效）测试环节:(如果选择长ping的话，注意缓存神马的)R4HOST#traceroute1.1.1.1Typeescapesequencetoabort.Tracingtherouteto1.1.1.11192.168.1.1100msec24msec28msec213.13.13.160msec*64msecR4HOST#traceroute2.2.2.2Typeescapesequencetoabort.Tracingtherouteto2.2.2.21192.168.1.152msec20msec20msec213.13.13.156msec60msec20msec3100.1.1.2112msec*72msecR5HOST#traceroute1.1.1.1Typeescapesequencetoabort.Tracingtherouteto1.1.1.11172.16.1.11072msec32msec24msec223.23.23.2104msec84msec64msec3100.1.1.164msec*168msecR5HOST#traceroute2.2.2.2Typeescapesequencetoabort.Tracingtherouteto2.2.2.21172.16.1.140msec44msec40msec223.23.23.276msec*92msec链路联通性佳时，走定义的默认路径。然后我们把ISP1端的链路更改一下封装类型，这样即使三层down了，二层是依然up，当然物理down了，更不用说了，三层必然down。R1ISP1(config)#interfaces2/0R1ISP1(config-if)#encapsulationppp再测：R4HOST#traceroute1.1.1.1Typeescapesequencetoabort.Tracingtherouteto1.1.1.11192.168.1.164msec28msec20msec223.23.23.284msec72msec48msec3100.1.1.176msec*96msecR4HOST#traceroute2.2.2.2Typeescapesequencetoabort.Tracingtherouteto2.2.2.21192.168.1.144msec24msec24msec223.23.23.288msec*104msec已经切换成以ISP2为出口了，并且相应条目也删除或者down了。把ISP1改回来，再修改ISP2端的链路尝试：R2ISP2(config)#interfaces2/1R2ISP2(config-if)#encapsulationpppR5HOST#traceroute1.1.1.1Typeescapesequencetoabort.Tracingtherouteto1.1.1.11172.16.1.164msec40msec24msec213.13.13.152msec*96msecR5HOST#traceroute2.2.2.2Typeescapesequencetoabort.Tracingtherouteto2.2.2.21172.16.1.152msec40msec24msec213.13.13.196msec48msec24msec3100.1.1.252msec*100msec原本默认走ISP2的，现在走ISP1了。！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！！Part2：基于数据流的route-mapNAT于方便测试，使用telnet和icmp数据，并依据这两种数据分流与备份，telnet默认走ISP1，ICMP默认走ISP2。R3清除掉access-list，route-mapenableconftnoroute-mapciscoipaccess-listextendedtelnetpermittcpanyanyeqtelnetpermittcpanyeqtelnetanyipaccess-listextendedicmppermiticmpanyanyroute-mapciscopermit10matchipaddresstelnetsetipnext-hopverify-availability13.13.13.110track1setipnext-hopverify-availability23.23.23.220track2route-mapciscopermit20matchipaddressicmpsetipnext-hopverify-availability23.23.23.230track2setipnext-hopverify-availability13.13.13.140track1#定义满足列表中telnet协议的