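- Use policy routing; traffic that leaves via the education network is NAT-translated on the education network interface.
- Access to education network resources normally goes over the education network and fails over to telecom.
- Access to the Internet goes over the telecom line and fails over to the education network.
- Servers are statically bound to education network IPs; whether a client is on telecom, Unicom, or the education network, it reaches them through the education network, so server data can only use the education network line.
- If public addresses inside the campus are not NAT-translated, the route-map's ACL permits only the others.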
R5:

```
interface Loopback1
 ! simulated server address
 ip address 192.168.100.1 255.255.255.0
!
interface Loopback2
 ! simulated dormitory address
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 ! link to the egress router
 ip address 10.1.1.1 255.255.255.0
 half-duplex
!
! default route
ip route 0.0.0.0 0.0.0.0 10.1.1.2
```

R1:

```
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ! apply the policy: the server subnet goes out via the education network
 ip policy route-map test
 half-duplex
!
interface Ethernet0/1
 ! telecom egress IP
 ip address 12.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/2
 ! education network egress IP
 ip address 13.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
!
! default route goes via telecom
ip route 0.0.0.0 0.0.0.0 12.1.1.2
! redundant backup route via the education network
ip route 0.0.0.0 0.0.0.0 13.1.1.2 100
! return routes toward the internal subnets
ip route 192.168.10.0 255.255.255.0 10.1.1.1
ip route 192.168.100.0 255.255.255.0 10.1.1.1
! specific route for the education network
ip route 200.1.1.0 255.255.255.0 13.1.1.2
!
! NAT binding: telecom traffic is translated on Ethernet0/1
ip nat inside source route-map dianxing interface Ethernet0/1 overload
! NAT binding: education network traffic is translated on Ethernet0/2
ip nat inside source route-map jiaoyuwang interface Ethernet0/2 overload
!
! ACL permitting the subnet
access-list 1 permit 192.168.100.0 0.0.0.255
no cdp log mismatch duplex
!
! policy routing: next hop for traffic matching ACL 1
route-map test permit 10
 match ip address 1
 set ip next-hop 13.1.1.2
!
! policy route-map
route-map dianxing permit 10
 ! define the match rule
 match interface Ethernet0/1
 ! define the exit interface for outgoing packets
 set interface Ethernet0/1
!
route-map jiaoyuwang permit 10
 match interface Ethernet0/2
 set interface Ethernet0/2
!
```

R2:

```
interface Ethernet0/1
 ip address 12.1.1.2 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 ip address 23.1.1.1 255.255.255.0
 half-duplex
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
```

R3:

```
interface Ethernet0/1
 ip address 34.1.1.1 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 ip address 13.1.1.2 255.255.255.0
 half-duplex
!
ip route 0.0.0.0 0.0.0.0 34.1.1.2
```

R4:

```
interface Loopback1
 ip address 100.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 200.1.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address 34.1.1.2 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 ip address 23.1.1.2 255.255.255.0
 half-duplex
!
ip route 12.1.1.0 255.255.255.0 23.1.1.1
ip route 13.1.1.0 255.255.255.0 34.1.1.1
```

ACL implementation:

```
ip nat inside source list 100 interface GigabitEthernet0/2 overload
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip classless
ip route 200.1.1.0 255.255.255.0 13.1.1.2
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
!
! permit access to the education network's 200.1.1.0 subnet
access-list 100 permit ip any 200.1.1.0 0.0.0.255
access-list 100 deny ip any any
access-list 101 deny ip any 200.1.1.0 0.0.0.255
access-list 101 permit ip any any
```
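The following is an added example, not part of the original configuration: a small Python model of R1's forwarding and NAT decision in the route-map version, used to check the design goals in the list at the top against the routes and route-maps shown. The function name `egress` and the modelling assumption that a failed uplink shows up as an interface going down are introduced here.

```python
import ipaddress

# Transcribed from R1's configuration on this page (route-map version).
TELECOM, CERNET = "Ethernet0/1", "Ethernet0/2"
NAT_ADDR = {TELECOM: "12.1.1.1", CERNET: "13.1.1.1"}      # interface overload
NEXT_HOP_IF = {"12.1.1.2": TELECOM, "13.1.1.2": CERNET}
PBR_SOURCES = ipaddress.ip_network("192.168.100.0/24")    # access-list 1
PBR_NEXT_HOP = "13.1.1.2"                                 # route-map test
STATIC_ROUTES = [                 # (prefix, next hop, administrative distance)
    ("0.0.0.0/0", "12.1.1.2", 1),
    ("0.0.0.0/0", "13.1.1.2", 100),
    ("200.1.1.0/24", "13.1.1.2", 1),
]
BOTH_UP = frozenset({TELECOM, CERNET})


def egress(src, dst, up=BOTH_UP):
    """Return (exit interface, NAT source address) on R1, or None if unroutable.

    Modelling assumption: an uplink failure takes the interface down, so its
    static routes and the PBR next hop stop being usable.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = None
    # 1. Policy routing on Ethernet0/0: the server subnet is forced to the
    #    education network while that next hop is reachable; otherwise the
    #    packet falls through to the routing table.
    if src in PBR_SOURCES and NEXT_HOP_IF[PBR_NEXT_HOP] in up:
        out = NEXT_HOP_IF[PBR_NEXT_HOP]
    else:
        # 2. Routing table: longest prefix first, then lowest distance.
        best = None
        for prefix, next_hop, distance in STATIC_ROUTES:
            net = ipaddress.ip_network(prefix)
            if dst in net and NEXT_HOP_IF[next_hop] in up:
                key = (-net.prefixlen, distance)
                if best is None or key < best[0]:
                    best = (key, NEXT_HOP_IF[next_hop])
        out = best[1] if best else None
    # 3. NAT: route-maps dianxing / jiaoyuwang match the exit interface,
    #    so the packet is overloaded onto that interface's address.
    return (out, NAT_ADDR[out]) if out else None
```

With Ethernet0/2 down, `egress("192.168.100.5", "100.1.1.1", up=frozenset({"Ethernet0/1"}))` returns the telecom interface and address, so under this model the server subnet does not stay on the education network line during a failure.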