溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
1、創建端口聚合,為保證端口冗余。使用LACP。并將相關端口劃入聚合組內。規劃agg1為LAN(連接客戶),agg2為WAN(連接多個帶寬)。
config
interface aggregate1
lacp enable
interface aggregate2
lacp enable
interface xethernet4/0
aggregate aggregate1
interface xethernet4/1
aggregate aggregate1
interface xethernet4/2
aggregate aggregate2
interface xethernet4/3
aggregate aggregate2
2、創建管理端口,并將管理端口加入trusst zone 允許ping http telnet ssh snmp,為保險,創建兩個管理口,做為互備使用。
interface aggregate1.100
zone "trust"
ip address 103.246.132.64 255.255.255.0
manage ping
manage http
manage https
manage telnet
manage ssh
manage snmp
interface aggregate2.120
zone "trust"
ip address 124.113.229.158 255.255.255.252
manage ping
manage http
manage https
manage telnet
manage ssh
manage snmp
no reverse-route 關閉逆向路由,數據過來后不會查本地路由表,直接從2.120返回
逆向路由可以理解成設備回包的時候將訪問過來的源ip當做目的地址然后查找設備上的路由表決定從哪個接口回包。
關閉逆向路由的意思就是通常理解的數據從哪個接口過來的,回包的時候就從哪個接口回包,沒有反向路由查詢的過程。
3、創建到客戶和互資源的子接口、互聯IP。
interface aggregate1.110
zone "trust"
ip address 10.10.110.2 255.255.255.252
description "jsyd"
manage ping
manage telnet
agg 1.110 是到客戶的互聯,加入到 trust zone
interface aggregate2.121
zone "untrust"
ip address 10.10.121.1 255.255.255.252
description "ahdx1"
manage telnet
manage ping
reverse-route prefer
exit
interface aggregate2.122
zone "untrust"
ip address 10.10.122.1 255.255.255.252
description "ahdx2"
manage ping
exit
interface aggregate2.123
zone "untrust"
ip address 10.10.123.1 255.255.255.252
description "wzdx1"
manage ping
manage telnet
exit
interface aggregate2.124
zone "untrust"
ip address 10.10.124.1 255.255.255.252
description "shjh-1"
manage ping
agg 2.121 2.122 2.123 2.124是分別到不同的出口的互聯。加入到 utrust zone。
4、創建客戶的地址段表和各帶寬NAT地址表。
address jsyd
ip 1.51.32.0/20
ip 1.51.48.0/21
ip 21.228.228.0/22
ip 43.254.84.0/22
ip 58.68.228.16/29
客戶的地址段
address ahdx1
ip 124.113.229.104/30
address ahdx2
ip 124.113.229.152/30
address wzdx1
ip 122.228.229.120/30
address shjh2
ip 117.21.164.128/30
各資源用來做NAT的地址段。
5、創建安全規則,確保trust 可以訪問 utrust
rule 1
action permit
src-zone trust
dst-zone untrust
src-addr jsyd
dst-addr Any
service Any
name 1
允許 trust zone訪問utrust zone
rule 2
action permit
src-zone untrust
dst-zone trust
src-addr Any
dst-addr Any
service Any
name 2
允許 utrust 訪問trust zone。
6、添加客戶的回程路由。
ip vrouter trust-vr
ip route 1.51.32.0/20 aggregate1.110 10.10.110.1 description jsyd-1104
ip route 1.51.48.0/21 aggregate1.110 10.10.110.1 description jsyd-1104
ip route 21.228.228.0/22 aggregate1.110 10.10.110.1 description jsyd-1104
ip route 43.254.84.0/22 aggregate1.110 10.10.110.1 description jsyd-1104
ip route 58.68.228.16/29 aggregate1.110 10.10.110.1 description jsyd-1104
7、創建到不同出口的默認路由,由于設備是先匹配NAT規則后再進行路由,所以可以同時將所有出口都加成默認路由。
ip vrouter trust-vr
ip route 0.0.0.0/0 aggregate2.120 124.113.229.157
ip route 0.0.0.0/0 aggregate2.121 10.10.121.2 description ahyd1-1G
ip route 0.0.0.0/0 aggregate2.122 10.10.122.2 description ahyd2-1G
ip route 0.0.0.0/0 aggregate2.123 10.10.123.2 description wzdx-2G
ip route 0.0.0.0/0 aggregate2.124 10.10.124.2 description shjh2-1G
ip route 0.0.0.0/0 aggregate2.125 10.10.125.2 description shjh3-0.75G
8、創建NAT規則。
ip vrouter trust-vr
snatrule id 1 from jsyd to any eif aggregate2.121 trans-to address-book ahdx1 mode dynamicport sticky log
snatrule id 2 from jsyd to any eif aggregate2.122 trans-to address-book ahdx2 mode dynamicport sticky log
snatrule id 3 from jsyd to any eif aggregate2.123 trans-to address-book wzdx1 mode dynamicport sticky log
snatrule id 4 from jsyd to any eif aggregate2.124 trans-to address-book shjh2 mode dynamicport sticky log
使用多個出口做NAT時,默認情況數據包會逐個出口輪循,如果 使用dynamicport sticky 會出現各個出口流量不均的情況,因為sticky會將同一個會話保持到一個IP地址上。
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
