华为双线NAT

network · 发表于 2008-4-15 09:02:32

可以做到部分的负责分担，通过策略路由和双NAT实现
参考一下：

ROUTER>EN
ROUTER#CONFIG T

Router(Config)>int fa 0/0
Router(Config-if)>ip addr 局域网地址 255.255.255.0
Router(Config-if)>ip nat inside
Router(Config-if)>ip policy route-map dual_isp

Router(Config-if)>int fa 0/1
Router(Config-if)>ip addr 电信分配的地址
Router(Config-if)>no shut
Router(Config-if)>ip nat outside

Router(Config-if)>int fa 1/0
Router(Config-if)>ip addr 网通分配的地址
Router(Config-if)>no shut
Router(Config-if)>ip nat outside

Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.102.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.11.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.21.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.24.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.26.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.27.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.28.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.56.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.60.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.62.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.67.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.68.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.7.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.141.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.142.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.154.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.156.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.158.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.159.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.102.224.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.106.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.107.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.108.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.110.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.110.192.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.111.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.96.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.96.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.97.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.98.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.99.0.0 255.255.255.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.0.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.10.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.192.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.12.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.12.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.192.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.196.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.32.0 255.255.240.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.192.0 255.255.240.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.200.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.204.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.207.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.208.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.4.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.6.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.8.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.128.0.0 255.240.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.160.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.163.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.0.0.0 255.248.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.8.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.12.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.13.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.13.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.16.0.0 255.240.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.208.0.0 255.248.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.220.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.133.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.134.96.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.134.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.135.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.136.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.138.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.138.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.139.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.148.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.149.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.156.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.158.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.159.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.161.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.161.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.162.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.163.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.167.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.168.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.176.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.179.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.180.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.181.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.182.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.189.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.48.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.52.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.54.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.55.0.0 255.255.0.0

Router(Config)>Access-list 102 permit Ip any any
Router(Config)>Ip Nat Inside Source Route-map CT_NAT int fa 0/1 overload
Router(Config)>Ip Nat Inside Source Route-map CNC_NAT int fa 1/0 overload

Router(Config)>Route-map CT_NAT Permit 10
Router(Config-route-map)>Match Int Fa 0/1

Router(Config)>Route-map CNC_NAT Permit 10
Router(Config-route-map)>Match Int fa1/0

Router(Config)>Route-map dual_isp Permit 10
Router(Config-route-map)>Match Ip address 101
Router(Config-route-map)>set ip next-hop 网通网关

Router(Config)>Route-map dual_isp Permit 20
Router(Config-route-map)>Match Ip address 102
Router(Config-route-map)>set ip next-hop 电信网关

Router(Config)>Ip Route 0.0.0.0 0.0.0.0 电信网关
Router(Config)>Ip Route 0.0.0.0 0.0.0.0 网通网关

此策略路由和策略nat说明：目的地址为网通地址的包全部发给网通网关，其他一律发给电信，由于网通地址段较少，所以选择了做网通的acl条目，减轻工作量，

说明：策略nat部分也可以用match acl的方式，但是发现实际速度很慢，不知道原因，可能是需要逐条匹配吧
但是最好用match interface的方式，因为只有这样才能实现备份，如果接口down掉，就不会在match接口，但是如果用acl，则会因为永远match而pat成已经down掉接口的地址，但是路由会从另一接口走掉，同样很慢了就。地址段在今后逐渐补全。trace分析表明：基本上包都走对路了。而且速度比原来单接口时访问其他isp网明显加快了。

evilrose2008 · 发表于 2008-12-26 05:12:09

我本仁慈，却屠戮苍生传世SF
我本痴心，却钓美无数新开传世
我本愚蠢，却玩转天下二手激光打印机
我本道德，却与恶起舞生料酒曲
我本卑微，却君临天下！

账号		自动登录	找回密码
密码			注册

华为双线NAT

看贴不回贴，不是好市民