策略路由
策略路由,是一种比基于目标网络进行路由更加灵活的数据包路由转发机制。路由器将通过路由图决定如何对需要路由的数据包进行处理,路由图决定了一个数据包的下一跳转发路由器。
Cisco 双出口策略实现的步骤:
ROUTER>EN
ROUTER#CONFIG T
Router(Config)>int fa 0/0
Router(Config-if)>ip addr 192.168.0.1 255.255.255.0
Router(Config-if)>ip nat inside
Router(Config-if)>ip policy route-map dual_isp
Router(Config-if)>int fa 0/1
Router(Config-if)>ip addr 电信分配的地址
Router(Config-if)>no shut
Router(Config-if)>ip nat outside
Router(Config-if)>int fa 1/0
Router(Config-if)>ip addr 网通分配的地址
Router(Config-if)>no shut
Router(Config-if)>ip nat outside
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.102.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.11.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.21.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.24.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.26.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.27.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.28.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.56.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.60.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.62.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.67.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.68.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.7.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.141.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.142.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.154.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.156.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.158.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.159.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.102.224.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.106.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.107.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.108.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.110.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.110.192.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.111.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.96.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.96.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.97.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.98.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.99.0.0 255.255.255.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.0.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.10.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.192.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.12.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.12.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.192.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.196.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.32.0 255.255.240.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.192.0 255.255.240.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.200.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.204.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.207.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.208.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.4.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.6.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.8.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.128.0.0 255.240.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.160.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.163.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.0.0.0 255.248.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.8.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.10.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.12.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.13.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.13.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.16.0.0 255.240.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.208.0.0 255.248.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.220.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.133.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.134.96.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.134.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.135.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.136.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.138.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.138.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.139.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.148.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.149.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.156.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.158.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.159.0.0 255.255.192.0
Router(Config)>Access-list 102 permit Ip any any
Router(Config)>Ip Nat Inside Source Route-map CT_NAT int fa 0/1 overload
Router(Config)>Ip Nat Inside Source Route-map CNC_NAT int fa 1/0 overload
Router(Config)>Route-map CT_NAT Permit 10
Router(Config-route-map)>Match Int Fa 0/1 (这里不会匹配外面发给它的包,因为DNAT优先于路由选择)
Router(Config)>Route-map CNC_NAT Permit 10
Router(Config-route-map)>Match Int fa1/0 (指这个接口所收到的所有包除了DNAT匹配的,会先进行目标转换,这样目标并不会是FA1/0,而是内部的一个IP,这里其实可以写next-hop 便于理解,也便于检测对方的存在)
Router(Config)>Route-map dual_isp Permit 10
Router(Config-route-map)>Match Ip address 101
Router(Config-route-map)>set ip next-hop 网通网关 电信网关(这里恰好把包发给了NAT所需要的接口,注意这里只是改变了包的下一跳而不是目标。还要注意这里并不是把包扔给了next-hop而是改变了 寻路方式,转发将在此之后进行寻路,之后便是源地址转换:路由器2大功能寻路,转发是分开的,由此可以看出,如果策略NAT里匹配的是对方ISP的地址为 下一跳,那可以检测对方的存在与否)
Router(Config)>Route-map dual_isp Permit 20
Router(Config-route-map)>Match Ip address 102
Router(Config-route-map)>set ip next-hop 电信网关 网通网关
Router(Config)>Ip Route 0.0.0.0 0.0.0.0 电信网关
Router(Config)>Ip Route 0.0.0.0 0.0.0.0 网通网关
(注意 PBR优先于路由,而源地址转换路由又优先于NAT,那PBR会比NAT先进行,所以首先因该是进行PBR把包分类,扔给2个出口,之后再做路由选择路由 是默认的没什么,之后就是NAT了,策略一看在2出口上收到的包分别进行自己的策略NAT,当回来的时候,2个出口上收到的包并不会进行源转换为什么?因 为DNAT优先于路由,SNAT比路由还慢,所以DNAT是最先进行的。还有match next hop 匹配多个下一跳是与的关系,也就是说要满足全部的match才会用动作,所以前面不能match多个nexthop,否则一定砸了,只能match一个 nexthop,当然set可以set多个。 )
此策略路由和策略nat说明:目的地址为网通地址的包全部发给网通网关,其他一律发给电信,由于网通地址段较少,所以选择了做网通的acl条目,减轻工作 量。
以上就是用Cisco路由器双出口策略实现的步骤与方法,策略nat部分也可以用match acl的方式,但是发现实际速度很慢,不知道原因,可能是需要逐条匹配吧。但是最好用match interface的方式,因为只有这样才能实现备份,如果接口down掉,就不会在match接口,但是如果用acl,则会因为永远match而pat 成已经down掉接口的地址,但是路由会从另一接口走掉,同样很慢了就。地址段在今后逐渐补全。trace分析表明:基本上包都走对路了。而且速度比原来 单接口时访问其他isp网明显加快了。谢谢阅读,希望能帮到大家,请继续关注脚本之家,我们会努力分享更多优秀的文章。
