Worked Example: Load Balancing with Policy-Based Routing and NAT
2014-03-16 13:07
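I. Networking requirements:
1. Under normal conditions, 10.0.0.2 leaves through the 12.12.12.0 egress and is NAT-translated to a 100.0.0.0 address, while 20.0.0.2 leaves through the 13.13.13.0 egress and is NAT-translated to a 200.0.0.0 address, achieving load balancing.
2. If either of the FW's two egress links goes down, all users are NAT-translated to the same address range on the way out, providing link redundancy.
II. Lab topology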
![](http://img.blog.csdn.net/20140316130525125?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvR2FsZHlz/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
IV. Key configuration
USG5360 (V100R003C01SPC007):

```
ip address-set 100and200 type object
 address 0 10.0.0.0 mask 24
 address 1 20.0.0.0 mask 24
#
ip address-set 10.0.0.2 type object
 address 0 10.0.0.0 mask 24
#
ip address-set 20.0.0.2 type object
 address 0 20.0.0.0 mask 24
#
acl number 3001
 rule 0 permit ip source 10.0.0.0 0.255.255.255
acl number 3002
 rule 0 permit ip source 20.0.0.0 0.255.255.255
#
nat address-group 100 NAT1 100.0.0.1 100.0.0.100
nat address-group 200 NAT2 200.0.0.1 200.0.0.100
#
traffic classifier 12
 if-match acl 3001
traffic classifier 13
 if-match acl 3002
#
traffic behavior 12
 remark ip-nexthop 12.12.12.2 output-interface GigabitEthernet0/0/0
traffic behavior 13
 remark ip-nexthop 13.13.13.2 output-interface GigabitEthernet0/0/1
#
qos policy re
 classifier 12 behavior 12
 classifier 13 behavior 13
#
interface GigabitEthernet0/0/0
 ip address 12.12.12.1 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 13.13.13.1 255.255.255.252
#
interface GigabitEthernet0/0/2
 ip address 20.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.0.0.1 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 qos apply policy re outbound
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
#
firewall zone name t100
 set priority 10
 add interface GigabitEthernet0/0/0
#
firewall zone name t200
 set priority 11
 add interface GigabitEthernet0/0/1
#
nat-policy interzone trust untrust outbound
#
nat-policy interzone trust t100 outbound
 policy 0
  action source-nat
  policy source address-set 100and200
  address-group NAT1
#
nat-policy interzone trust t200 outbound
 policy 0
  action source-nat
  policy source address-set 100and200
  address-group NAT2
#
ip route-static 0.0.0.0 0.0.0.0 13.13.13.2
ip route-static 0.0.0.0 0.0.0.0 12.12.12.2
#
```
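How the configuration above meets both requirements can be traced with a small model. This is an added example, not code from the original post or from the device: the `forward` function and table names are constructed here, and it assumes that when a policy-routed egress link is down the firewall falls back to the remaining static default route.

```python
import ipaddress

# Constructed model of the configuration above (not device code).
ACLS = {  # acl 3001/3002: wildcard 0.255.255.255 matches the whole /8
    "12": ipaddress.ip_network("10.0.0.0/8"),
    "13": ipaddress.ip_network("20.0.0.0/8"),
}
BEHAVIORS = {  # traffic behavior -> (next hop, output interface)
    "12": ("12.12.12.2", "GigabitEthernet0/0/0"),
    "13": ("13.13.13.2", "GigabitEthernet0/0/1"),
}
STATIC_DEFAULTS = [("13.13.13.2", "GigabitEthernet0/0/1"),
                   ("12.12.12.2", "GigabitEthernet0/0/0")]
ZONE_OF = {"GigabitEthernet0/0/0": "t100", "GigabitEthernet0/0/1": "t200"}
NAT_POOL = {"t100": "NAT1", "t200": "NAT2"}  # 100.0.0.1-100 / 200.0.0.1-100
ADDRESS_SET_100AND200 = [ipaddress.ip_network("10.0.0.0/24"),
                         ipaddress.ip_network("20.0.0.0/24")]

def forward(src, links_up):
    """Return (interface, zone, NAT pool) for a trust-zone source, or None."""
    ip = ipaddress.ip_address(src)
    egress = None
    # 1. Policy routing: the classifier whose ACL matches picks the egress,
    #    but only while that egress link is up.
    for name, net in ACLS.items():
        if ip in net:
            _, ifc = BEHAVIORS[name]
            if ifc in links_up:
                egress = ifc
            break
    # 2. Assumed fallback: the static default route over a link still up.
    if egress is None:
        for _, ifc in STATIC_DEFAULTS:
            if ifc in links_up:
                egress = ifc
                break
    if egress is None:
        return None  # both uplinks down
    zone = ZONE_OF[egress]
    # 3. NAT policy trust -> egress zone. Both policies match address-set
    #    100and200, so rerouted users get the surviving link's pool.
    if any(ip in n for n in ADDRESS_SET_100AND200):
        return egress, zone, NAT_POOL[zone]
    return egress, zone, None  # policy-routed by the /8 ACL but not source-NATed
```

The last branch shows a gap worth checking on a real device: the ACLs match a /8 while the NAT address-set covers only the /24s, so a source such as 10.1.0.5 would be policy-routed without being translated.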