CISCO路由器多ISP接入配置

ssffzz1

看到网上很多CISCO的多ISP策略路由都是基于源IP的，严格的说这可以叫做是多ISP分流。这显然不能满足我们的要求。现在很多的客户都实现了多ISP接入（具有中国特色的社会主义网络吗）实现策略路由，看到市面上能够有具体的实施方法无非是LINUX，routeros，硬件的多WAN口路由器等，还没有关于CISCO产品如何实现的方法。其实CISCO早在N年前的产品中就已经有了，也许是没有人考虑，也许是大牛们不屑于考虑吧！那就让我考虑一下吧：：：


下面是我的具体的配置：

2、        各路由器的主要配置：
1）        wangtong:
Current configuration : 939 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wangtong
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface Serial0/0
ip address 10.0.0.1 255.255.255.252
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!         
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet1/0
ip address 172.16.0.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
interface FastEthernet2/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!         
!
end

wangtong#

2）        dianxian:
Current configuration : 938 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dianxin
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!         
!
interface Serial0/0
ip address 10.0.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!         
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet1/0
ip address 172.17.0.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
interface FastEthernet2/0
ip address 172.17.1.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!         
!
end


3）        liantong:
Current configuration : 939 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname liantong
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!         
!
interface Serial0/0
ip address 10.0.2.1 255.255.255.252
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!         
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet1/0
ip address 172.18.0.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
interface FastEthernet2/0
ip address 172.18.1.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!         
!
end

4）        tietong:
Current configuration : 938 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname tietong
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!         
!
interface Serial0/0
ip address 10.0.3.1 255.255.255.252
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!         
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet1/0
ip address 172.19.0.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
interface FastEthernet2/0
ip address 172.19.1.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!         
!
end


5）        jiaoyu
Current configuration : 630 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname jiaoyu
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!         
!
interface FastEthernet0/0
ip address 10.0.4.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 100.100.100.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end

6）        PR

Current configuration : 2715 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PR
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!         
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial0/1
ip address 10.0.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial0/2
ip address 10.0.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial0/3
ip address 10.0.3.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface FastEthernet1/0
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map pr
duplex auto
speed auto
!         
interface FastEthernet2/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map pr
duplex auto
speed auto
!
interface FastEthernet3/0
ip address 10.0.4.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip http server
!
ip nat inside source list 101 interface Serial0/0 overload
ip nat inside source list 102 interface Serial0/1 overload
ip nat inside source list 103 interface Serial0/2 overload
ip nat inside source list 104 interface Serial0/3 overload
ip nat inside source route-map jiaoyu interface FastEthernet3/0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any 172.16.1.0 0.0.0.255
access-list 101 permit ip any 172.16.0.0 0.0.0.255
access-list 101 permit ip any 10.0.0.0 0.0.0.3
access-list 102 permit ip any 172.17.0.0 0.0.0.255
access-list 102 permit ip any 172.17.1.0 0.0.0.255
access-list 102 permit ip any 10.0.1.0 0.0.0.3
access-list 103 permit ip any 172.18.1.0 0.0.0.255
access-list 103 permit ip any 172.18.0.0 0.0.0.255
access-list 103 permit ip any 10.0.2.0 0.0.0.3
access-list 104 permit ip any 172.19.0.0 0.0.0.255
access-list 104 permit ip any 172.19.1.0 0.0.0.255
access-list 104 permit ip any 10.0.3.0 0.0.0.3
!
route-map jiaoyu permit 10
match interface FastEthernet3/0  #此行可以省略
!
route-map pr permit 10
match ip address 101
set interface Serial0/0
!
route-map pr permit 20
match ip address 102
set interface Serial0/1
!
route-map pr permit 30
match ip address 103
set interface Serial0/2
!
route-map pr permit 40
match ip address 104
set interface Serial0/3
!
route-map pr permit 50
set ip next-hop 10.0.4.1
!
control-plane
!         
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end

kevin.tan

ssffzz1兄是在模拟器上操练的还是实际环境中？:wink: 好羡慕有这样的实际环境

ssffzz1

我也，没有这样的环境，我也很羡慕。
不过我用了整个计算机室来虚拟的环境。

5iwww

LZ是根据源ip的子网不同 nat 到不同的出口 如果线路断了，可以实现自动nat到其他出口吗？

ssffzz1

原帖由 5iwww 于 2007-7-24 15:48 发表
LZ是根据源ip的子网不同 nat 到不同的出口 如果线路断了，可以实现自动nat到其他出口吗？

不是根据源IP。是根据目的IP做的。当然还有一个更简单的方法，就是直接加到主路由表中。
这个目前应该不能实现断线的备份。

5iwww

原帖由 ssffzz1 于 2007-7-24 18:41 发表

不是根据源IP。是根据目的IP做的。当然还有一个更简单的方法，就是直接加到主路由表中。
这个目前应该不能实现断线的备份。

根据目的做的？ 实际应用中，如果不是bgp的话，该如何匹配所有的目标路由条目呢？还是仅仅是实验？

ssffzz1

原帖由 5iwww 于 2007-7-26 10:32 发表



根据目的做的？ 实际应用中，如果不是bgp的话，该如何匹配所有的目标路由条目呢？还是仅仅是实验？

呵呵，前提是你必须有各个ISP的IP地址块的表格，否则这个不行的。

ssffzz1

一种更为简单有效，并且具有冗余的配置
PR#show running-config
Building configuration...

Current configuration : 2700 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial0/1
ip address 10.0.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial0/2
ip address 10.0.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial0/3
ip address 10.0.3.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface FastEthernet1/0
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map pr
duplex auto
speed auto
!         
interface FastEthernet2/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map pr
duplex auto
speed auto
!
interface FastEthernet3/0
ip address 10.0.4.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip http server
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 0.0.0.0 0.0.0.0 10.0.3.1
ip route 0.0.0.0 0.0.0.0 10.0.4.1
ip route 100.100.100.0 255.255.255.0 10.0.4.1
ip route 172.16.0.0 255.255.255.0 10.0.0.1
ip route 172.16.1.0 255.255.255.0 10.0.0.1
ip route 172.17.0.0 255.255.255.0 10.0.1.1
ip route 172.17.1.0 255.255.255.0 10.0.1.1
ip route 172.18.0.0 255.255.255.0 10.0.2.1
ip route 172.18.1.0 255.255.255.0 10.0.2.1
ip route 172.19.0.0 255.255.255.0 10.0.3.1
ip route 172.19.1.0 255.255.255.0 10.0.3.1
!
!
ip nat inside source route-map dianxin interface Serial0/1 overload
ip nat inside source route-map jiaoyu interface FastEthernet3/0 overload
ip nat inside source route-map liantong interface Serial0/2 overload
ip nat inside source route-map tietong interface Serial0/3 overload
ip nat inside source route-map wangtong interface Serial0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
route-map jiaoyu permit 10
match ip address 1
match interface FastEthernet3/0
!
route-map wangtong permit 10
match ip address 1
match interface Serial0/0
!
route-map liantong permit 10
match ip address 1
match interface Serial0/2
!
route-map tietong permit 10
match ip address 1
match interface Serial0/3
!
route-map dianxin permit 10
match ip address 1
match interface Serial0/1
!
!
!
control-plane
!
!
!
!
!
!         
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end

PR#

cnadl

提几个建议：

模拟ISP不用搞那么多，两个足矣；

贴配置前，最好说说原理；

性能也应该是考虑因素之一；

多ISP的实现远比您这配置复杂，即使不考虑各ISP的互联互通也是，建议您从来去双方向考虑，再加上DNS；

最后我完全搞不明白，就是一个根据目的地址决定包怎么走的东西，有必要搞出路由图来么，简单才是美。

ssffzz1

原帖由 cnadl 于 2007-7-30 00:09 发表
提几个建议：

模拟ISP不用搞那么多，两个足矣；

贴配置前，最好说说原理；

性能也应该是考虑因素之一；

多ISP的实现远比您这配置复杂，即使不考虑各ISP的互联互通也是，建议您从来去双方向考虑，再 ...

首先谢谢指教。感觉说的有一定道理。
1、的确模拟ISP搞2个就够了。
2、也想过说说原理，可以对于不懂路由器的来说，说了也白说。对于懂的来说这个配置根本不需要解释甚至连图都不需要。
3、LS的对于性能该有什么更高的提高方法吗？
4、多ISP当然比这个复杂。但是这个仅仅是内网访问外网的PNAT配置，因为没有运行BGP等AS间协议。也基本不需要考虑双向的数据流问题。因为没有对外发布服务，DNS也是不需要考虑的问题。
5、至于路由图的问题，你可以不用。路由图说白了也就是一个能够匹配综合的复杂一些规则的访问控制列表，但它和访问控制列表最大的不同就是它可以更改某些匹配的条目的一些特性。