4321 router configuration

Enable SSH
hostname cisco4321
ip domain-name eee.com
username root password 111111 //'username root secret ...' stores a hash instead of a reversible type-7 password
username root privilege 15
crypto key generate rsa //enter 1024 at the modulus-size prompt
ip ssh version 2
line vty 0 4
transport input ssh
login local
enable password 222222 //'enable secret' stores a hash instead of a reversible type-7 password
1. WAN port 1 configuration
interface GigabitEthernet0/0/0 //isp1
ip address 111.111.111.111 255.255.255.252
ip nat outside
ip access-group in-acl in
crypto map vpnmap
2. WAN port 2 configuration
interface GigabitEthernet0/0/1 //isp2
ip address 222.222.222.222 255.255.255.252
ip nat outside
ip access-group in-acl in
LAN port configuration
interface vlan 1
ip address 172.16.1.1 255.255.255.248 //DHCP is normally not configured in routed mode; if the device is not in routed mode, DHCP can be configured here
ip nat inside
ip access-group out-acl in
ip policy route-map routemap
Configure NAT: match the IPs exempted from translation
ip access-list extended nonat
deny ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 any //never use 'any any' here
route-map isp1 permit 10
match ip address nonat
match interface gigabitEthernet 0/0/0
route-map isp2 permit 10
match ip address nonat
match interface gigabitEthernet 0/0/1
Address translation
ip nat inside source route-map isp1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map isp2 interface GigabitEthernet0/0/1 overload
Configure IP SLA
ip sla 10
icmp-echo 111.111.111.110 source-interface GigabitEthernet0/0/0
frequency 5
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 222.222.222.221 source-interface GigabitEthernet0/0/1
frequency 5
ip sla schedule 20 life forever start-time now
track 10 ip sla 10 reachability
track 20 ip sla 20 reachability
Configure floating routes
ip route 0.0.0.0 0.0.0.0 111.111.111.110 10 track 10
ip route 0.0.0.0 0.0.0.0 222.222.222.221 20 track 20
ip route 192.168.50.0 255.255.255.0 172.16.1.2
Configure the route-map
1. VPN traffic goes over the VPN line
2. Office business traffic goes via isp1
3. One group of objects goes via isp1
4. One group of objects goes via isp2
Define the ACL for traffic going over the VPN
ip access-list extended forvpn
permit ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
Define the ACL for the business group
object-group network business
host 1.1.1.1
ip access-list extended BUSINESS
permit ip any object-group business
Define the ACL for traffic going via ISP1
object-group network aaa
host 192.168.50.100
ip access-list extended AAA
permit ip object-group aaa any
Define the ACL for traffic going via ISP2
object-group network bbb
host 192.168.50.101
ip access-list extended BBB
permit ip object-group bbb any
Configure the route-map that references the ACLs above
route-map routemap permit 10
match ip address forvpn
set ip next-hop verify-availability 111.111.111.110 10 track 10
route-map routemap permit 20
match ip address BUSINESS
set ip next-hop verify-availability 111.111.111.110 10 track 10
set ip next-hop verify-availability 222.222.222.221 20 track 20
route-map routemap permit 30 //each entry needs its own sequence number; reusing 20 would overwrite the previous entry
match ip address AAA
set ip next-hop verify-availability 111.111.111.110 10 track 10
set ip next-hop verify-availability 222.222.222.221 20 track 20
route-map routemap permit 40
match ip address BBB
set ip next-hop verify-availability 222.222.222.221 10 track 20 //isp2 preferred, isp1 as fallback
set ip next-hop verify-availability 111.111.111.110 20 track 10
Apply to the interface
interface vlan 1
ip policy route-map routemap
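As an added check (example code, not part of the original configuration or any Cisco tool), a small Python linter run over a constructed sample of this page's ACL and route-map section; it flags a repeated route-map sequence number, a 'permit ip any any' entry in the nonat exemption ACL, and ACLs or route-maps that are referenced but never defined. The sample deliberately omits the BUSINESS, AAA and out-acl definitions so that the undefined-reference check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample, not the full page config: the route-map/ACL section with a repeated 'permit 20' and some undefined ACL names.
SAMPLE_CONFIG = """\
ip access-list extended nonat
 deny ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip any any
ip access-list extended forvpn
 permit ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
route-map routemap permit 10
 match ip address forvpn
route-map routemap permit 20
 match ip address BUSINESS
route-map routemap permit 20
 match ip address AAA
interface vlan 1
 ip policy route-map routemap
 ip access-group out-acl in
"""

def lint(config):
    """Return human-readable findings for an IOS config text (empty list = clean)."""
    seqs = defaultdict(list)            # route-map name -> [(sequence, line)]
    acls, routemaps = set(), set()      # names that are actually defined
    acl_refs, rm_refs, findings = [], [], []
    current_acl = None
    for n, raw in enumerate(config.splitlines(), 1):
        s = raw.strip()
        if not raw.startswith(" "):     # any top-level command ends an ACL block
            current_acl = None
        if m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)$", s):
            routemaps.add(m[1]); seqs[m[1]].append((int(m[2]), n))
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)$", s):
            acls.add(m[1]); current_acl = m[1]
        elif m := re.match(r"match ip address (\S+)$", s) or re.match(r"ip access-group (\S+) (?:in|out)$", s):
            acl_refs.append((m[1], n))
        elif m := re.match(r"ip (?:policy route-map|nat inside source route-map) (\S+)", s):
            rm_refs.append((m[1], n))
        elif current_acl == "nonat" and s == "permit ip any any":
            findings.append(f"line {n}: 'permit ip any any' in NAT exemption ACL nonat")
    for name, entries in seqs.items():  # a repeated sequence number silently overwrites the earlier entry
        first = {}
        for seq, n in entries:
            if seq in first:
                findings.append(f"line {n}: route-map {name} seq {seq} repeats line {first[seq]}")
            first.setdefault(seq, n)
    findings += [f"line {n}: ACL {a} referenced but not defined" for a, n in acl_refs if a not in acls]
    findings += [f"line {n}: route-map {r} referenced but not defined" for r, n in rm_refs if r not in routemaps]
    return findings
```

Run `lint(open("running-config.txt").read())` against a saved `show running-config` to apply the same checks to the real device output.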
