1、创建端口聚合,为保证端口冗余。使用LACP。并将相关端口划入聚合组内。规划agg1为LAN(连接客户),agg2为WAN(连接多个带宽)。
config
interface aggregate1
lacp enable
interface aggregate2
lacp enable
interface xethernet4/0
aggregate aggregate1
interface xethernet4/1
aggregate aggregate1
interface xethernet4/2
aggregate aggregate2
interface xethernet4/3
aggregate aggregate2
2、创建管理端口,并将管理端口加入trusst zone 允许ping http telnet ssh snmp,为保险,创建两个管理口,做为互备使用。
interface aggregate1.100
zone "trust"
ip address 103.246.132.64 255.255.255.0
manage ping
manage http
manage https
manage telnet
manage ssh
manage snmp
interface aggregate2.120
zone "trust"
ip address 124.113.229.158 255.255.255.252
manage ping
manage http
manage https
manage telnet
manage ssh
manage snmp
no reverse-route 关闭逆向路由,数据过来后不会查本地路由表,直接从2.120返回
逆向路由可以理解成设备回包的时候将访问过来的源ip当做目的地址然后查找设备上的路由表决定从哪个接口回包。
关闭逆向路由的意思就是通常理解的数据从哪个接口过来的,回包的时候就从哪个接口回包,没有反向路由查询的过程。
3、创建到客户和互资源的子接口、互联IP。
interface aggregate1.110
zone "trust"
ip address 10.10.110.2 255.255.255.252
description "jsyd"
manage ping
manage telnet
agg 1.110 是到客户的互联,加入到 trust zone
interface aggregate2.121
zone "untrust"
ip address 10.10.121.1 255.255.255.252
description "ahdx1"
manage telnet
manage ping
reverse-route prefer
exit
interface aggregate2.122
zone "untrust"
ip address 10.10.122.1 255.255.255.252
description "ahdx2"
manage ping
exit
interface aggregate2.123
zone "untrust"
ip address 10.10.123.1 255.255.255.252
description "wzdx1"
manage ping
manage telnet
exit
interface aggregate2.124
zone "untrust"
ip address 10.10.124.1 255.255.255.252
description "shjh-1"
manage ping
agg 2.121 2.122 2.123 2.124是分别到不同的出口的互联。加入到 utrust zone。
4、创建客户的地址段表和各带宽NAT地址表。
address jsyd
ip 1.51.32.0/20
ip 1.51.48.0/21
ip 21.228.228.0/22
ip 43.254.84.0/22
ip 58.68.228.16/29
客户的地址段
address ahdx1
ip 124.113.229.104/30
address ahdx2
ip 124.113.229.152/30
address wzdx1
ip 122.228.229.120/30
address shjh2
ip 117.21.164.128/30
各资源用来做NAT的地址段。
5、创建安全规则,确保trust 可以访问 utrust
rule 1
action permit
src-zone trust
dst-zone untrust
src-addr jsyd
dst-addr Any
service Any
name 1
允许 trust zone访问utrust zone
rule 2
action permit
src-zone untrust
dst-zone trust
src-addr Any
dst-addr Any
service Any
name 2
允许 utrust 访问trust zone。
6、添加客户的回程路由。
ip vrouter trust-vr
ip route 1.51.32.0/20 aggregate1.110 10.10.110.1 description jsyd-1104
ip route 1.51.48.0/21 aggregate1.110 10.10.110.1 description jsyd-1104
ip route 21.228.228.0/22 aggregate1.110 10.10.110.1 description jsyd-1104
ip route 43.254.84.0/22 aggregate1.110 10.10.110.1 description jsyd-1104
ip route 58.68.228.16/29 aggregate1.110 10.10.110.1 description jsyd-1104
7、创建到不同出口的默认路由,由于设备是先匹配NAT规则后再进行路由,所以可以同时将所有出口都加成默认路由。
ip vrouter trust-vr
ip route 0.0.0.0/0 aggregate2.120 124.113.229.157
ip route 0.0.0.0/0 aggregate2.121 10.10.121.2 description ahyd1-1G
ip route 0.0.0.0/0 aggregate2.122 10.10.122.2 description ahyd2-1G
ip route 0.0.0.0/0 aggregate2.123 10.10.123.2 description wzdx-2G
ip route 0.0.0.0/0 aggregate2.124 10.10.124.2 description shjh2-1G
ip route 0.0.0.0/0 aggregate2.125 10.10.125.2 description shjh3-0.75G
8、创建NAT规则。
ip vrouter trust-vr
snatrule id 1 from jsyd to any eif aggregate2.121 trans-to address-book ahdx1 mode dynamicport sticky log
snatrule id 2 from jsyd to any eif aggregate2.122 trans-to address-book ahdx2 mode dynamicport sticky log
snatrule id 3 from jsyd to any eif aggregate2.123 trans-to address-book wzdx1 mode dynamicport sticky log
snatrule id 4 from jsyd to any eif aggregate2.124 trans-to address-book shjh2 mode dynamicport sticky log
使用多个出口做NAT时,默认情况数据包会逐个出口轮循,如果 使用dynamicport sticky 会出现各个出口流量不均的情况,因为sticky会将同一个会话保持到一个IP地址上。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
