URL: https://www.opennet.ru/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 9276

Original message
"2 channels and traffic splitting"

Posted by asipin, 25-Nov-05 16:49
There are 2 channels: one is satellite (cheap), the other is Ethernet (fast). Each channel has 1 external address, i.e. there will be NAT. How can I make traffic up to a certain (1024) port (matching on destination ports) go through channel 1, and the rest, including pings, go through port 2? I did it this way, but nothing worked properly....


interface Loopback0
ip address 192.168.50.254 255.255.255.0
ip flow ingress
ip route-cache policy
ip route-cache flow
!
interface Loopback1
ip address 192.168.51.254 255.255.255.0
ip flow ingress
ip route-cache policy
ip route-cache flow
!
interface GigabitEthernet0/0
description Satellite Moscow
ip address 10.250.134.2 255.255.255.0
ip flow ingress
ip nat outside
ip route-cache policy
ip route-cache flow
ip policy route-map MAP1
duplex auto
speed auto
!
interface GigabitEthernet0/1
description GW for SERVER
ip address 80.92.205.33 255.255.255.248
ip flow ingress
ip nat inside
ip route-cache policy
ip route-cache flow
ip policy route-map MAP1
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
ip address 192.168.1.254 255.255.255.0
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.2
description GW for LAN
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.3
description GW for CLASS
encapsulation dot1Q 3
ip address 192.168.3.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.4
description GW for CATALYST clients
encapsulation dot1Q 4
ip address 192.168.4.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.5
description GW for CATALYST clients
encapsulation dot1Q 5
ip address 192.168.5.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.6
description GW for CATALYST clients
encapsulation dot1Q 6
ip address 192.168.6.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.7
description GW for CATALYST clients
encapsulation dot1Q 7
ip address 192.168.7.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.8
description GW for CATALYST clients
encapsulation dot1Q 8
ip address 192.168.8.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.9
description GW for CATALYST clients
encapsulation dot1Q 9
ip address 192.168.9.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.10
description GW for CATALYST clients
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.11
description GW for CATALYST clients
encapsulation dot1Q 11
ip address 192.168.11.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.12
description GW for CATALYST clients
encapsulation dot1Q 12
ip address 192.168.12.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.13
description GW for CATALYST clients
encapsulation dot1Q 13
ip address 192.168.13.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.14
description GW for CATALYST clients
encapsulation dot1Q 14
ip address 192.168.14.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.15
description GW for CATALYST clients
encapsulation dot1Q 15
ip address 192.168.15.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.16
description GW for CATALYST clients
encapsulation dot1Q 16
ip address 192.168.16.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.17
description GW for CATALYST clients
encapsulation dot1Q 17
ip address 192.168.17.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.18
description GW for CATALYST clients
encapsulation dot1Q 18
ip address 192.168.18.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.19
description ISP2-RADIO
encapsulation dot1Q 19
ip address 213.170.116.70 255.255.255.252
ip policy route-map MAP2
ip nat outside
!
interface GigabitEthernet0/1.20
description GW for ADSL clients
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.21
description GW for ADSL clients
encapsulation dot1Q 21
ip address 192.168.21.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.22
description GW for ADSL clients
encapsulation dot1Q 22
ip address 192.168.22.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.23
description GW for ADSL clients
encapsulation dot1Q 23
ip address 192.168.23.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.24
description GW for ADSL clients
encapsulation dot1Q 24
ip address 192.168.24.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.25
description GW for ADSL clients
encapsulation dot1Q 25
ip address 192.168.25.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.26
description GW for ADSL clients
encapsulation dot1Q 26
ip address 192.168.26.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.27
description GW for ADSL clients
encapsulation dot1Q 27
ip address 192.168.27.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.28
description GW for ADSL clients
encapsulation dot1Q 28
ip address 192.168.28.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.29
description GW for ADSL clients
encapsulation dot1Q 29
ip address 192.168.29.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.30
description GW for ADSL clients
encapsulation dot1Q 30
ip address 192.168.30.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.31
description GW for ADSL clients
encapsulation dot1Q 31
ip address 192.168.31.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.32
description GW for ADSL clients
encapsulation dot1Q 32
ip address 192.168.32.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.33
description GW for ADSL clients
encapsulation dot1Q 33
ip address 192.168.33.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.34
description GW for ADSL clients
encapsulation dot1Q 34
ip address 192.168.34.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface GigabitEthernet0/1.35
description GW for ADSL clients
encapsulation dot1Q 35
ip address 192.168.35.254 255.255.255.0
ip access-group 101 in
ip flow ingress
ip nat inside
!
interface Group-Async1
description ###DialUp###
ip unnumbered GigabitEthernet0/1.1
ip nat inside
encapsulation ppp
ip tcp header-compression
no ip mroute-cache
async default routing
async mode interactive
peer default ip address pool DialUp
ppp authentication pap
group-range 1/0 1/15
!
ip local pool DialUp 192.168.1.1 192.168.1.20
ip classless
ip route 0.0.0.0 0.0.0.0 10.250.134.1
ip route 0.0.0.0 0.0.0.0 213.170.116.69
ip route 80.92.205.38 255.255.255.255 192.168.27.1
ip flow-export version 5 peer-as
ip flow-export destination 80.92.205.34 7223
no ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation timeout never
ip nat translation tcp-timeout never
ip nat translation udp-timeout never
ip nat translation finrst-timeout never
ip nat translation syn-timeout never
ip nat translation dns-timeout never
ip nat translation icmp-timeout never      
ip nat pool ISP1-NatPool 80.92.205.35 80.92.205.37 netmask 255.255.255.248
ip nat pool ISP2-NatPool 213.170.116.70 213.170.116.70 netmask 255.255.255.252
ip nat inside source route-map ISP1-NAT pool ISP1-NatPool overload
ip nat inside source route-map ISP2-NAT pool ISP2-NatPool overload
!
!
access-list 103 deny ip 80.92.205.32 0.0.0.7 any
access-list 103 deny ip any 80.92.205.32 0.0.0.7
access-list 103 deny icmp any any
access-list 103 deny tcp any any gt 1024
access-list 103 deny udp any any gt 1024
access-list 103 permit tcp any any lt 1024
access-list 103 permit udp any any lt 1024
access-list 103 deny ip any any
access-list 104 deny ip 213.170.116.68 0.0.0.3 any
access-list 104 deny ip any 213.170.116.68 0.0.0.3
access-list 104 permit icmp any any
access-list 104 deny tcp any any lt 1024
access-list 104 deny udp any any lt 1024
access-list 104 permit tcp any any gt 1024
access-list 104 permit udp any any gt 1024
access-list 104 deny ip any any
access-list 2 permit 80.92.205.34
access-list 101 permit ip host 80.92.205.34 any
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip any host 80.92.205.34
access-list 101 permit ip any host 80.92.205.35
access-list 101 permit ip host 192.168.3.2 any
access-list 101 permit ip host 192.168.20.1 any
access-list 101 permit ip host 192.168.20.2 any
access-list 101 permit ip host 192.168.21.1 any
access-list 101 permit ip host 192.168.3.6 any
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip host 192.168.28.1 any
access-list 101 permit ip host 192.168.22.1 any
access-list 101 permit ip host 192.168.34.240 any
access-list 101 permit ip host 192.168.23.1 any
access-list 101 permit ip 192.168.23.0 0.0.0.255 any
access-list 101 permit ip 192.168.24.0 0.0.0.255 any
access-list 101 permit ip host 192.168.24.1 any
access-list 101 permit ip host 192.168.25.1 any
access-list 101 permit ip host 192.168.22.2 any
access-list 101 permit ip host 192.168.26.1 any
access-list 101 permit ip host 192.168.27.1 any
access-list 101 permit ip host 192.168.28.2 any
access-list 101 permit ip host 192.168.20.3 any
access-list 101 permit ip host 192.168.29.1 any
access-list 101 permit ip host 80.92.205.38 any
access-list 101 deny   ip any any
access-list 102 permit ip any 80.92.205.32 0.0.0.7
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip any 192.168.3.0 0.0.0.255
access-list 102 permit ip any 192.168.4.0 0.0.0.255
access-list 102 permit ip any 192.168.5.0 0.0.0.255
access-list 102 permit ip any 192.168.6.0 0.0.0.255
access-list 102 permit ip any 192.168.7.0 0.0.0.255
access-list 102 permit ip any 192.168.8.0 0.0.0.255
access-list 102 permit ip any 192.168.9.0 0.0.0.255
access-list 102 permit ip any 192.168.10.0 0.0.0.255
access-list 102 permit ip any 192.168.11.0 0.0.0.255
access-list 102 permit ip any 192.168.12.0 0.0.0.255
access-list 102 permit ip any 192.168.13.0 0.0.0.255
access-list 102 permit ip any 192.168.14.0 0.0.0.255
access-list 102 permit ip any 192.168.15.0 0.0.0.255
access-list 102 permit ip any 192.168.16.0 0.0.0.255
access-list 102 permit ip any 192.168.17.0 0.0.0.255
access-list 102 permit ip any 192.168.18.0 0.0.0.255
access-list 102 permit ip any 192.168.19.0 0.0.0.255
access-list 102 permit ip any 192.168.20.0 0.0.0.255
access-list 102 permit ip any 192.168.21.0 0.0.0.255
access-list 102 permit ip any 192.168.22.0 0.0.0.255
access-list 102 permit ip any 192.168.23.0 0.0.0.255
access-list 102 permit ip any 192.168.24.0 0.0.0.255
access-list 102 permit ip any 192.168.25.0 0.0.0.255
access-list 102 permit ip any 192.168.26.0 0.0.0.255
access-list 102 permit ip any 192.168.27.0 0.0.0.255
access-list 102 permit ip any 192.168.28.0 0.0.0.255
access-list 102 permit ip any 192.168.29.0 0.0.0.255
access-list 102 permit ip any 192.168.30.0 0.0.0.255
access-list 102 permit ip any 192.168.31.0 0.0.0.255
access-list 102 permit ip any 192.168.32.0 0.0.0.255
access-list 102 permit ip any 192.168.33.0 0.0.0.255
access-list 102 permit ip any 192.168.34.0 0.0.0.255
access-list 102 permit ip any 192.168.35.0 0.0.0.255
access-list 102 permit ip any 192.168.36.0 0.0.0.255
snmp-server engineID local 00000009020000049AADEA60
snmp-server community public RO 2
snmp-server community rhjrjlbk RW 2
snmp-server location Lumer
snmp-server contact Admin
snmp-server chassis-id CISCO2821
snmp-server enable traps tty
!
route-map ISP1-NAT permit 20
match ip address 103
set interface Loopback0
!
route-map ISP2-NAT permit 20
match ip address 104
set interface Loopback1
!
route-map ISP deny 10
match ip address 100
!
route-map ISP permit 20
match ip address 103
set ip next-hop 192.168.0.5
!
route-map ISP permit 30
match ip address 104
set ip next-hop 192.168.0.9
!
radius-server host 80.92.205.34 auth-port 34009 acct-port 34008
radius-server retransmit 10
radius-server timeout 3
radius-server deadtime 1
radius-server key cisco
!
control-plane
!
!
line con 0
line aux 0
line 1/0 1/15
session-timeout 30
exec-timeout 30 0
script reset rscript
modem Dialin
modem autoconfigure type m_conf
transport input all
transport output all
autoselect during-login
autoselect ppp
line vty 0
access-class 2 in
authorization exec telnet
login authentication telnet
line vty 1 4
!
scheduler allocate 20000 1000
ntp server 204.123.2.5
!
end


Contents

Messages in this discussion
"2 channels and traffic splitting"
Posted by Сайко, 25-Nov-05 18:35
Policy Based Routing

Actually, you have ip policy route-map MAP1 and ip policy route-map MAP2, but the route-maps themselves are nowhere to be seen...


"2 channels and traffic splitting"
Posted by asipin, 25-Nov-05 18:52
>Policy Based Routing
>
>Actually, you have ip policy route-map MAP1 and ip policy route-map
>MAP2, but the route-maps themselves are nowhere to be seen...
route-map ISP1-NAT permit 20
match ip address 103
set interface Loopback0
!
route-map ISP2-NAT permit 20
match ip address 104
set interface Loopback1

They are there too......

This is how I picture all of this working.

ip nat pool ISP1-NatPool 80.92.205.35 80.92.205.37 netmask 255.255.255.248
ip nat pool ISP2-NatPool 213.170.116.70 213.170.116.70 netmask 255.255.255.252
ip nat inside source route-map ISP1-NAT pool ISP1-NatPool overload
ip nat inside source route-map ISP2-NAT pool ISP2-NatPool overload

Here, what should go through route-map ISP1-NAT goes through ISP1-NatPool,
and what should go through route-map ISP2-NAT goes through ISP2-NatPool.

route-map ISP1-NAT permit 20
match ip address 103
set interface Loopback0
!
route-map ISP2-NAT permit 20
match ip address 104
set interface Loopback1

And naturally, whatever falls into acl 103 goes through the 1st channel, and whatever falls into 104 goes through the 2nd.

And accordingly, all ports up to 1024 should go through the 1st channel, the rest plus ping through the second.
But it doesn't work. Ping goes through, while everything else works for the first 3 minutes or so and that's it....

One more question: does the Cisco itself correctly determine where to send a packet after NAT, to which interface? I suspect that it passes packets NATed for one channel into the second. (Specifically, ping over the satellite is always at least 750, and on the second channel 20, yet sometimes the ping runs steadily at about 350-360, as if it leaves via Ethernet and comes back via satellite.)


"2 channels and traffic splitting"
Posted by Сайко, 25-Nov-05 20:00
1. First of all, don't mix things up: route-maps for NAT are one thing, and maps for PBR are another.
2. When traffic leaves you by one path and comes back to you by another, that is called asymmetry, and as I understand it this depends only on the provider: most likely they have a static route pointing at you.
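
Added example (not part of the thread and not the posters' code): a small Python first-match evaluator run over ACL 103 and ACL 104 exactly as posted, showing which pool the two "ip nat inside source route-map" lines would select for a given flow. It models only the entry forms these two ACLs use; the function names, the sample flows and the addresses 192.168.3.2 and 198.51.100.10 are constructed for illustration.

```python
import ipaddress

# ACL 103 and 104, copied from the posted configuration.
ACLS = {
    103: ["deny ip 80.92.205.32 0.0.0.7 any", "deny ip any 80.92.205.32 0.0.0.7",
          "deny icmp any any", "deny tcp any any gt 1024", "deny udp any any gt 1024",
          "permit tcp any any lt 1024", "permit udp any any lt 1024", "deny ip any any"],
    104: ["deny ip 213.170.116.68 0.0.0.3 any", "deny ip any 213.170.116.68 0.0.0.3",
          "permit icmp any any", "deny tcp any any lt 1024", "deny udp any any lt 1024",
          "permit tcp any any gt 1024", "permit udp any any gt 1024", "deny ip any any"],
}
# ACL matched by each NAT route-map and its pool, per the "ip nat inside source" lines.
NAT_MAPS = [(103, "ISP1-NatPool"), (104, "ISP2-NatPool")]

def _addr(tok):
    """Consume one address spec from the token list; return (base, wildcard)."""
    word = tok.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.ip_address(tok.pop(0))), 0
    return int(ipaddress.ip_address(word)), int(ipaddress.ip_address(tok.pop(0)))

def _ip_match(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry (top-down, first match wins)."""
    for line in ACLS[acl]:
        tok = line.split()
        action, rproto = tok.pop(0), tok.pop(0)
        rsrc, rdst = _addr(tok), _addr(tok)
        if rproto not in ("ip", proto):
            continue
        if not (_ip_match(src, rsrc) and _ip_match(dst, rdst)):
            continue
        if tok:  # trailing "gt N" / "lt N" tests the destination port
            op, n = tok[0], int(tok[1])
            if dport is None or not (dport > n if op == "gt" else dport < n):
                continue
        return action
    return "deny"  # implicit deny at the end of every ACL

def nat_pool(proto, src, dst, dport=None):
    """Pool whose route-map ACL permits the flow, or None if neither does."""
    for acl, pool in NAT_MAPS:
        if evaluate(acl, proto, src, dst, dport) == "permit":
            return pool
    return None

# Constructed sample flows from an inside host to a documentation address.
for proto, port in [("tcp", 80), ("tcp", 8080), ("tcp", 1024), ("icmp", None), ("gre", None)]:
    print(proto, port, nat_pool(proto, "192.168.3.2", "198.51.100.10", port))
```

With the ACLs as posted, destination port 1024 itself and any protocol other than TCP, UDP and ICMP are permitted by neither list, because gt 1024 and lt 1024 are both strict comparisons.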