Tuesday, December 3, 2019

Dual-uplink NAT (双出口NAT)


+------+     +------+
| ISPA |     | ISPB |
+-----++     +-+----+
      |        |
     ++--------++
     |  2960    |
     +----+-----+
          |
      +---+---+
      | 4451  |
      +---+---+
          |
          |
       +--+---+
       | 3925 |
       +------+



track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address dhcp
ip nat outside
!
interface GigabitEthernet0/0/0.20
encapsulation dot1Q 20
ip address dhcp
ip nat outside
!
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip policy route-map Lan
load-interval 30
negotiation auto
!
ip nat inside source route-map nat interface GigabitEthernet0/0/0.10 overload
ip nat inside source route-map nat2 interface GigabitEthernet0/0/0.20 overload
ip route 0.0.0.0 0.0.0.0 10.1.1.1 10 track 1
ip route 0.0.0.0 0.0.0.0 10.1.2.1 20 track 2
!
ip access-list extended nat           // build the NAT ACL per protocol as shown (permit icmp ..., permit tcp ..., permit udp ...); it is referenced by both NAT route-maps below
permit icmp 192.168.1.0 0.0.0.255 any
permit tcp 192.168.1.0 0.0.0.255 any
permit udp 192.168.1.0 0.0.0.255 any
ip access-list extended test          // used by route-map Lan for policy routing; see the update at the end for the deny entry this list needs
permit icmp 192.168.1.0 0.0.0.255 any
permit tcp 192.168.1.0 0.0.0.255 any
permit udp 192.168.1.0 0.0.0.255 any
ip sla 1
icmp-echo 10.1.1.1 source-interface GigabitEthernet0/0/0.10
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.1.2.1 source-interface GigabitEthernet0/0/0.20
frequency 5
ip sla schedule 2 life forever start-time now
!
route-map Lan permit 10
match ip address test
set ip next-hop verify-availability 10.1.1.1 10 track 1
set ip next-hop verify-availability 10.1.2.1 20 track 2
!
route-map nat2 permit 10
match ip address nat
match interface GigabitEthernet0/0/0.20
!
route-map nat permit 10
match ip address nat
match interface GigabitEthernet0/0/0.10
!

--------------------------------------------
Test:
1. ISP A fails:
  1.1 Check the router interfaces:
Router#show ip int b
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES NVRAM  up                    up
Gi0/0/0.10             unassigned      YES DHCP   up                    up      <<<<<<<<<<<<< ISP A: no DHCP address received because of the ISP outage
Gi0/0/0.20             10.1.2.4        YES DHCP   up                    up      <<<<<<<<<<<<< ISP B
GigabitEthernet0/0/1   192.168.1.1     YES NVRAM  up                    up
  1.2 Simulate a PC accessing the Internet (the 3925 plays the LAN client):
C10-RU09-3925#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  1.3 Check the NAT translations (the inside global address is 10.1.2.4, the ISP B subinterface address):
Router#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 10.1.2.4:55           192.168.1.10:55       8.8.8.8:55            8.8.8.8:55
tcp  10.1.2.4:5064         192.168.1.10:33231    10.124.41.40:49       10.124.41.40:49
udp  10.1.2.4:512          192.168.1.10:123      10.64.58.51:123       10.64.58.51:123
icmp 10.1.2.4:53           192.168.1.10:53       192.168.1.1:53        192.168.1.1:53     <<<<<<<<<<<<< ICMP to the router's own LAN address is being policy-routed and NATed out; the update at the end fixes this
tcp  10.1.2.4:5063         192.168.1.10:26148    10.124.41.40:49       10.124.41.40:49
  1.4 Check the route-maps:
Router#show route-map
route-map Lan, permit, sequence 10
  Match clauses:
    ip address (access-lists): test
  Set clauses:
    ip next-hop verify-availability 10.1.1.1 10 track 1  [down] <<<<<<<<<<<<< track 1 is down because ISP A failed, so PBR falls through to the next entry
    ip next-hop verify-availability 10.1.2.1 20 track 2  [up]
  Policy routing matches: 29 packets, 2698 bytes           <<<<<<<<<<<<< this counter increases as LAN traffic is policy-routed
route-map nat2, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat
    interface GigabitEthernet0/0/0.20
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map nat, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat
    interface GigabitEthernet0/0/0.10
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
2. Restore ISP A:
  2.1 The subinterface facing ISP A receives an address again (log):
*Sep 23 12:33:33.727: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0/0.10 assigned DHCP address 10.1.1.4, mask 255.255.255.0, hostname Router
  2.2 DHCP status:
Router# show dhcp lease
Temp IP addr: 10.1.2.4  for peer on Interface: GigabitEthernet0/0/0.20
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 10.1.2.1, state: 5 Bound
   DHCP transaction id: 1BDC
   Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
   Next timer fires after: 11:57:32
   Retry count: 0   Client-ID: cisco-00fe.c8cd.9ef0-Gi0/0/0.20
   Client-ID hex dump: 636973636F2D303066652E633863642E
                       396566302D4769302F302F302E3230
   Hostname: Router
Temp IP addr: 10.1.1.4  for peer on Interface: GigabitEthernet0/0/0.10
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 10.1.1.1, state: 5 Bound
   DHCP transaction id: 1BE0
   Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
Temp default-gateway addr: 10.3.3.1
   Next timer fires after: 11:59:56
   Retry count: 0   Client-ID: cisco-00fe.c8cd.9ef0-Gi0/0/0.10
   Client-ID hex dump: 636973636F2D303066652E633863642E
                       396566302D4769302F302F302E3130
   Hostname: Router
  2.3 The default route changes from 10.1.2.1 back to 10.1.1.1. Getting an address is not enough: the tracked static route is only reinstalled once the IP SLA probe to 10.1.1.1 succeeds and track 1 returns to Up.
Router#show ip route            // before track 1 comes back up
<snip>
Gateway of last resort is 10.1.2.1 to network 0.0.0.0
S*    0.0.0.0/0 [20/0] via 10.1.2.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
Router#show ip route            // after track 1 comes back up
<snip>
Gateway of last resort is 10.1.1.1 to network 0.0.0.0
S*    0.0.0.0/0 [10/0] via 10.1.1.1
Log: *Sep 23 12:33:46.780: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
  2.4 Check the NAT translations:
a)   Router#clear ip nat translation *   // clear the existing translations; they still carry the ISP B address 10.1.2.4 and would otherwise keep using it until they age out
b)   Have the client access the Internet again:
C10-RU09-3925#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
c)   Check the NAT table on the router (the inside global address is now 10.1.1.4, the ISP A subinterface address):
Router#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
tcp  10.1.1.4:5062         192.168.1.10:42040    10.124.41.40:49       10.124.41.40:49
icmp 10.1.1.4:58           192.168.1.10:58       8.8.8.8:58            8.8.8.8:58
Total number of translations: 2
d)   Route-map counters:
Router#show route-map
route-map Lan, permit, sequence 10
  Match clauses:
    ip address (access-lists): test
  Set clauses:
    ip next-hop verify-availability 10.1.1.1 10 track 1  [up]          // both tracks are up; ISP A wins because its entry has the lower sequence number (10) and is tried first
    ip next-hop verify-availability 10.1.2.1 20 track 2  [up]
  Policy routing matches: 44 packets, 4160 bytes           // counter increases
route-map nat2, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat
    interface GigabitEthernet0/0/0.20
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map nat, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat
    interface GigabitEthernet0/0/0.10
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Update: use the policy-routing access list like this:
ip access-list extended test
deny   icmp 192.168.1.0 0.0.0.255 host 192.168.1.1        // exclude traffic to the router's own LAN address from policy routing. Without this deny, a ping from 192.168.1.10 to 192.168.1.1 matches the permit entries below, route-map Lan sets the next hop to the ISP gateway, and the packet is NATed out the WAN instead of being answered locally (that is the icmp 192.168.1.1 entry in the translation table of the first test). Any other destination that must be reached without leaving through the ISPs needs a deny entry ahead of the permits in the same way. Note that this list only decides what gets policy-routed; it filters nothing, and the outside subinterfaces in this configuration carry no inbound access list.
permit icmp 192.168.1.0 0.0.0.255 any
permit tcp 192.168.1.0 0.0.0.255 any
permit udp 192.168.1.0 0.0.0.255 any
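The two tests above are read by eye from the route-map and NAT output. The script below is an added example, not part of the original post, that performs the same checks from saved `show route-map` and `show ip nat translations` text: it works out which next hop PBR is using, checks that every inside-global address in the NAT table belongs to that ISP's subnet (the /24 is assumed from the DHCP mask 255.255.255.0 shown in the post), and flags translations whose destination is the router's own LAN address, which is the symptom the update fixes. The sample outputs embedded in the script are constructed from the outputs shown in the two tests; the function names and the `router_lan_addrs` parameter are the example's own.

```python
"""Verify dual-ISP failover state from IOS show output (added example)."""
import ipaddress
import re

# Constructed sample (from the post's first test): ISP A failed, track 1 down.
ROUTE_MAP_ISPA_DOWN = """\
route-map Lan, permit, sequence 10
  Match clauses:
    ip address (access-lists): test
  Set clauses:
    ip next-hop verify-availability 10.1.1.1 10 track 1  [down]
    ip next-hop verify-availability 10.1.2.1 20 track 2  [up]
  Policy routing matches: 29 packets, 2698 bytes
"""
NAT_ISPA_DOWN = """\
Pro  Inside global         Inside local          Outside local         Outside global
icmp 10.1.2.4:55           192.168.1.10:55       8.8.8.8:55            8.8.8.8:55
tcp  10.1.2.4:5064         192.168.1.10:33231    10.124.41.40:49       10.124.41.40:49
udp  10.1.2.4:512          192.168.1.10:123      10.64.58.51:123       10.64.58.51:123
icmp 10.1.2.4:53           192.168.1.10:53       192.168.1.1:53        192.168.1.1:53
"""
# Constructed sample (from the post's second test): ISP A restored, both tracks up.
ROUTE_MAP_RESTORED = """\
route-map Lan, permit, sequence 10
  Set clauses:
    ip next-hop verify-availability 10.1.1.1 10 track 1  [up]
    ip next-hop verify-availability 10.1.2.1 20 track 2  [up]
"""
NAT_RESTORED = """\
Pro  Inside global         Inside local          Outside local         Outside global
tcp  10.1.1.4:5062         192.168.1.10:42040    10.124.41.40:49       10.124.41.40:49
icmp 10.1.1.4:58           192.168.1.10:58       8.8.8.8:58            8.8.8.8:58
"""

NEXT_HOP_RE = re.compile(
    r"ip next-hop verify-availability (\S+) (\d+) track (\d+)\s+\[(up|down)\]")
NAT_RE = re.compile(
    r"^(icmp|tcp|udp)\s+(\S+):\d+\s+(\S+):\d+\s+(\S+):\d+\s+(\S+):\d+", re.M)


def parse_next_hops(route_map_text):
    """(next_hop, sequence, track, state) tuples sorted by PBR sequence number."""
    hops = [(m[1], int(m[2]), int(m[3]), m[4])
            for m in NEXT_HOP_RE.finditer(route_map_text)]
    return sorted(hops, key=lambda h: h[1])


def active_next_hop(route_map_text):
    """PBR walks the verify-availability entries in sequence order and uses the
    first whose track object is up. None means no exit is usable."""
    for hop, _seq, _track, state in parse_next_hops(route_map_text):
        if state == "up":
            return hop
    return None


def parse_translations(nat_text):
    """Rows of {proto, inside_global, inside_local, outside_global}."""
    return [{"proto": m[1], "inside_global": m[2],
             "inside_local": m[3], "outside_global": m[5]}
            for m in NAT_RE.finditer(nat_text)]


def misrouted_to_router(nat_text, router_lan_addrs):
    """Translations whose destination is the router's own LAN address. They
    appear only when the PBR ACL lacks a deny for that address: the packet is
    policy-routed to the ISP gateway and NATed instead of answered locally."""
    return [r for r in parse_translations(nat_text)
            if r["outside_global"] in router_lan_addrs]


def check_failover(route_map_text, nat_text,
                   router_lan_addrs=("192.168.1.1",), prefixlen=24):
    """Which exit PBR is using, and whether the NAT table agrees with it."""
    hop = active_next_hop(route_map_text)
    seen = sorted({r["inside_global"] for r in parse_translations(nat_text)})
    if hop is None:
        consistent = False
    else:
        # The inside-global address is the DHCP address of the outside
        # subinterface, so it must lie in the selected ISP gateway's subnet
        # (prefixlen 24 is an assumption taken from the DHCP mask in the post).
        isp_net = ipaddress.ip_network(f"{hop}/{prefixlen}", strict=False)
        consistent = all(ipaddress.ip_address(g) in isp_net for g in seen)
    return {"active_next_hop": hop, "inside_globals": seen,
            "nat_consistent": consistent,
            "misrouted": misrouted_to_router(nat_text, router_lan_addrs)}


if __name__ == "__main__":
    for label, rm, nat in (("ISP A down", ROUTE_MAP_ISPA_DOWN, NAT_ISPA_DOWN),
                           ("ISP A restored", ROUTE_MAP_RESTORED, NAT_RESTORED)):
        print(label, check_failover(rm, nat))
```

Feeding the restored route-map together with the pre-failback NAT table reports `nat_consistent: False`, which is exactly why the second test clears the translations before re-testing: stale entries keep the old ISP's inside-global address until they age out.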
