Cisco2911双线接入 策略路由web服务器双线访问.docx (Cisco 2911 dual-line access: policy routing for dual-line access to a web server)
- Document number: 13050849
- Upload date: 2023-06-10
- Format: DOCX
- Pages: 14
- Size: 17.36KB
Shared by a member on 冰点文库; the 14-page document can be read online there.
Cisco 2911 dual-line access: policy routing for dual-line access to a web server
Environment:
1. Both China Telecom and China Unicom are 10M fiber links with fixed IPs:
Telecom:
121.x.x.x
Unicom:
58.x.x.x
2. The domain has dual-line resolution on DNSPod (Telecom is the default line);
3. There is one web server on the inside network that must be published to the Internet;
4. One Cisco 2911/K9 router with 3 Gigabit LAN ports is available;
5. The inside network has a single subnet, 192.168.0.0/24.
Desired result:
1. Inside users can access the Internet normally through both uplinks (load sharing or redundancy).
2. Internet users accessing the web server:
(1) Unicom users are served over the Unicom line (800+ Unicom route entries have been collected);
(2) Telecom and any other carrier's lines are served over the Telecom line.
The configuration follows:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$KEex$6XEpUd1oJbZAXjD7LXJok1
!
no aaa new-model
clock timezone GMT 8 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGLXXXXXXX
!
!
username XXXXX secret 5 $1$rqjo$xx8MyKYj186xrUeD4CUZ2.
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.0.X 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 121.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 58.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 30
ip nat translation icmp-timeout 30
ip nat pool pool-telecom 121.x.x.113 121.x.x.117 netmask 255.255.255.248
ip nat pool pool-unicom 58.x.x.2 58.x.x.5 netmask 255.255.255.248
ip nat source static tcp 192.168.0.254 8018 58.x.x.x 8018 extendable
ip nat source static tcp 192.168.0.254 8018 121.x.x.x 8018 extendable
ip nat inside source route-map telecom pool pool-telecom overload
ip nat inside source route-map unicom pool pool-unicom overload
ip nat inside source static tcp 192.168.0.247 21 58.x.x.x 21 extendable
ip nat inside source static tcp 192.168.0.251 80 58.x.x.x 80 extendable
ip nat inside source static tcp 192.168.0.254 2020 58.x.x.x 2020 extendable
ip nat inside source static tcp 192.168.0.254 8018 58.x.x.x 8018 extendable
ip nat inside source static tcp 192.168.0.251 8019 58.x.x.x 8019 extendable
ip nat inside source static tcp 192.168.0.246 8080 58.x.x.x 8080 extendable
ip nat inside source static tcp 192.168.0.247 21 121.x.x.x 21 extendable
ip nat inside source static tcp 192.168.0.251 80 121.x.x.x 80 extendable
ip nat inside source static tcp 192.168.0.254 2020 121.x.x.x 2020 extendable
ip nat inside source static tcp 192.168.0.254 8018 121.x.x.x 8018 extendable
ip nat inside source static tcp 192.168.0.251 8019 121.x.x.x 8019 extendable
ip nat inside source static tcp 192.168.0.246 8080 121.x.x.x 8080 extendable
ip route 0.0.0.0 0.0.0.0 121.x.x.118
ip route 0.0.0.0 0.0.0.0 58.x.x.1 50
ip route 1.24.0.0 255.248.0.0 58.x.x.1
ip route 1.56.0.0 255.248.0.0 58.x.x.1
ip route 1.188.0.0 255.252.0.0 58.x.x.1
ip route 14.204.0.0 255.254.0.0 58.x.x.1
.................. (800+ more route entries) ..............
!
access-list 2001 permit ip 192.168.0.0 0.0.0.255 any
!
route-map unicom permit 10
 match ip address 2001
 match interface GigabitEthernet0/2
 set ip next-hop 58.x.x.1
!
route-map telecom permit 10
 match ip address 2001
 match interface GigabitEthernet0/1
 set ip next-hop 121.x.x.118
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input all
!
scheduler allocate 20000 1000
end
Router#
Current results:
1. Inside users can access the Internet normally, going out through either Telecom or Unicom.
2. Telecom users and Unicom users resolve my site through their own carrier's DNS servers and access it normally.
3. Problems encountered:
(1) Other carriers, neither Telecom nor Unicom, may use Unicom's DNS servers to resolve my site and therefore get my Unicom IP. The result is that the user's traffic comes in on the Unicom interface but the reply goes out over the Telecom line, so the site cannot be accessed.
How should this be solved?
(2) And even worse:
Some users are on a Telecom line but use Unicom DNS; some are Unicom users but use Telecom DNS.
The resolved address is then exactly crossed, and the site cannot be accessed either. (I have really met such complex users: a residential compound's property management stacks Telecom and Unicom broadband, and I don't know what policy they set up, but the Unicom line sometimes ends up using Telecom DNS for resolution.)
How should this be solved?
So frustrating.....................
How can these two problems be solved? I hope the experts here can lend a hand. Thanks!
This problem has been solved!
See post #12 for details!
The problem has finally been solved; below is my configuration.
Add a second IP to the web server, map port 80 of the two IPs to different lines, and then use policy routing to send the traffic of the two IPs out to the public network via different IPs (lines). That's it!
Below is the configuration.
Router#show runn
Current configuration : 42687 bytes
!
!
No configuration change since last restart
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$KEex$6XEpUd1oJbZAXjD7LXJok1
!
no aaa new-model
clock timezone GMT 8 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGLXXXXXX
!
!
username XXXX secret 5 $1$rqjo$xx8MyKYj186xrUeD4CUZ2.
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR-WWW                                    <-- a1
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 121.x.x.116 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 58.x.x.4 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 30
ip nat translation icmp-timeout 30
ip nat pool pool-telecom 121.x.x.113 121.x.x.117 netmask 255.255.255.248
ip nat pool pool-unicom 58.x.x.2 58.x.x.5 netmask 255.255.255.248            <-- a2
ip nat inside source route-map telecom pool pool-telecom overload
ip nat inside source route-map unicom pool pool-unicom overload                <-- a3
ip nat inside source static tcp 192.168.0.250 80 58.x.x.4 80 extendable
ip nat inside source static tcp 192.168.0.251 80 121.x.x.116 80 extendable    <-- a4
ip route 0.0.0.0 0.0.0.0 121.x.x.118
ip route 0.0.0.0 0.0.0.0 58.x.x.1 50                                           <-- a5
ip route 1.24.0.0 255.248.0.0 58.x.x.1
ip route 1.56.0.0 255.248.0.0 58.x.x.1
ip route 1.188.0.0 255.252.0.0 58.x.x.1
ip route 14.204.0.0 255.254.0.0 58.x.x.1
ip route 27.8.0.0 255.248.0.0 58.x.x.1
ip route 27.36.0.0 255.252.0.0 58.x.x.1
ip route 27.40.0.0 255.248.0.0 58.x.x.1
ip route 27.54.192.0 255.255.224.0 58.x.x.1
ip route 27.98.224.0 255.255.224.0 58.x.x.1
ip route 27.106.128.0 255.255.192.0 58.x.x.1
ip route 27.112.8.0 255.255.252.0 58.x.x.1
ip route 27.112.12.0 255.255.254.0 58.x.x.1
ip route 27.115.0.0 255.255.128.0 58.x.x.1
ip route 27.131.220.0 255.255.252.0 58.x.x.1
ip route 27.192.0.0 255.224.0.0 58.x.x.1
ip route 36.32.0.0 255.252.0.0 58.x.x.1
ip route 36.248.0.0 255.252.0.0 58.x.x.1
ip route 42.48.0.0 255.254.0.0 58.x.x.1
ip route 42.51.0.0 255.255.0.0 58.x.x.1
ip route 42.62.0.0 255.255.224.0 58.x.x.1
ip route 42.62.32.0 255.255.248.0 58.x.x.1
ip route 42.63.0.0 255.255.0.0 58.x.x.1
ip route 42.84.0.0 255.252.0.0 58.x.x.1
ip route 42.157.0.0 255.255.248.0 58.x.x.1
ip route 42.157.8.0 255.255.252.0 58.x.x.1
ip route 42.224.0.0 255.240.0.0 58.x.x.1
ip route 58.16.0.0 255.248.0.0 58.x.x.1
ip route 58.24.0.0 255.254.0.0 58.x.x.1
ip route 58.68.128.0 255.255.240.0 58.x.x.1
ip route 58.68.144.0 255.255.248.0 58.x.x.1
ip route 58.68.179.0 255.255.255.0 58.x.x.1
ip route 58.68.180.0 255.255.255.0 58.x.x.1
...................... (800+ more Unicom prefixes) ......................    <-- a6
ip route 223.203.208.0 255.255.240.0 58.x.x.1
ip route 223.255.0.0 255.255.128.0 58.x.x.1
!
ip access-list extended CNC-250
 permit ip host 192.168.0.250 any
ip access-list extended TEL-251
 permit ip host 192.168.0.251 any                                              <-- a7
!
access-list 2001 permit ip 192.168.0.0 0.0.0.255 any                           <-- a8
!
route-map unicom permit 10
 match ip address 2001
 match interface GigabitEthernet0/2
 set ip next-hop 58.x.x.1
!
route-map telecom permit 10
 match ip address 2001
 match interface GigabitEthernet0/1
 set ip next-hop 121.x.x.118                                                   <-- a9
!
route-map PBR-WWW permit 10
 match ip address TEL-251
 match interface GigabitEthernet0/1
 set ip next-hop 121.x.x.118
!
route-map PBR-WWW permit 20
 match ip address CNC-250
 match interface GigabitEthernet0/2
 set ip next-hop 58.x.x.1                                                      <-- a10
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input all
!
scheduler allocate 20000 1000
end
a1:
Policy routing is applied on the inside interface so that traffic coming in from the Internet to access the web server returns over the correct line, preventing the user's traffic from returning via the wrong port and the site becoming unreachable.
a2:
Create the address pools used for Telecom and Unicom NAT translation.
a3:
Dual-line NAT uses a route-map for matching; "overload" is indispensable. For details, ask Baidu.
a4:
The 2 inside IPs here are two addresses configured on the web server's single NIC, so that Telecom and Unicom users access different IPs. Only then can policy routing be applied so that traffic from the different IPs goes out different outside interfaces and users can access the site normally.
a5:
2 default static routes are added here. The Telecom one has no metric and serves as the default line; the Unicom one has metric 50 and serves as backup.
a6:
846 Unicom route prefixes collected from the Internet, so that inside users can reach the Internet over the Unicom line, splitting the traffic.
a7:
These two ACLs are matched by route-map PBR-WWW to redirect the traffic flows of these 2 IPs.
a8:
This ACL specifies the inside IP addresses allowed to be NAT translated.
a9:
Used for NAT address translation; specifies that NAT can be performed on the different lines.
a10:
The route-map PBR-WWW
sends traffic from 192.168.0.250 out the Unicom port;
sends traffic from 192.168.0.251 out the Telecom port;
so that when users come in to access the web server, the traffic goes back out the port it came in on. This is the hard part: if you do not give the web server 2 IPs, this function is very hard to achieve.
Hope this helps fellow travelers who need it!
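As an added illustration (not part of the original post), the Python model below reproduces the return-path decision the thread describes: without PBR the reply to a client follows the destination-based routing table, so a client that resolved the site through the "wrong" carrier's DNS gets an asymmetric path; with the two-IP mapping and route-map PBR-WWW the reply is pinned to the ingress line. All addresses are constructed stand-ins for the post's masked 121.x.x.x / 58.x.x.x values, and only three of the Unicom prefixes are reproduced.

```python
import ipaddress

# Constructed stand-in addresses; the post masks its real ones as 121.x.x.x / 58.x.x.x.
TELECOM_GW = "121.0.0.118"   # Telecom next hop (post: 121.x.x.118)
UNICOM_GW = "58.0.0.1"       # Unicom next hop (post: 58.x.x.1)

# Static routing table as in the post: default via Telecom, Unicom prefixes via
# Unicom. Only three of the ~846 Unicom prefixes are reproduced here.
STATIC_ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): TELECOM_GW,
    ipaddress.ip_network("1.24.0.0/13"): UNICOM_GW,      # 1.24.0.0 255.248.0.0
    ipaddress.ip_network("58.16.0.0/13"): UNICOM_GW,     # 58.16.0.0 255.248.0.0
    ipaddress.ip_network("223.255.0.0/17"): UNICOM_GW,   # 223.255.0.0 255.255.128.0
}

# Which line each public (NAT outside) address is reached over (constructed).
LINE_OF_PUBLIC_IP = {"121.0.0.116": TELECOM_GW, "58.0.0.4": UNICOM_GW}
# Port-80 static NAT before the fix: both public addresses hit the single server IP.
NAT_BEFORE = {"121.0.0.116": "192.168.0.251", "58.0.0.4": "192.168.0.251"}
# After the fix: each public address maps to its own server IP (dual-IP NIC).
NAT_AFTER = {"121.0.0.116": "192.168.0.251", "58.0.0.4": "192.168.0.250"}
# route-map PBR-WWW on Gi0/0: pin each server source address to its own line.
PBR_WWW = {"192.168.0.251": TELECOM_GW, "192.168.0.250": UNICOM_GW}


def longest_prefix_match(dst: str) -> str:
    """Destination-based lookup: the most specific static route wins."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in STATIC_ROUTES if addr in net), key=lambda n: n.prefixlen)
    return STATIC_ROUTES[best]


def return_path(client_ip: str, public_ip: str, nat: dict, use_pbr: bool) -> tuple:
    """(ingress line, egress line) for a client that resolved the site to public_ip.
    The reply is source-routed by PBR when enabled, else by the routing table."""
    ingress = LINE_OF_PUBLIC_IP[public_ip]
    server_ip = nat[public_ip]
    if use_pbr and server_ip in PBR_WWW:
        egress = PBR_WWW[server_ip]
    else:
        egress = longest_prefix_match(client_ip)
    return ingress, egress


def is_symmetric(client_ip: str, public_ip: str, nat: dict, use_pbr: bool) -> bool:
    """True when the reply leaves on the line it arrived on; otherwise the
    client never sees it and the site appears down."""
    ingress, egress = return_path(client_ip, public_ip, nat, use_pbr)
    return ingress == egress
```

The crossed-DNS case from the thread is a non-Unicom client (here 203.0.113.7) that resolves to the Unicom address: before the fix the reply exits Telecom, after the fix PBR returns it over Unicom.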
See the attachment for a more detailed description of the project!