一、组网需求:
1.正常情况下10.0.0.2从出口12.12.12.0NAT转化成100.0.0.0的地址,20.0.0.2从出口13.13.13.0NAT转化成200.0.0.0的地址,实现负载均衡。
2.FW双出口的某一条链路down,所有用户NAT成同一地址段出去,实现链路冗余。
二、实验组网
四、关键配置
USG5360 (V100R003C01SPC007):
ip address-set 100and200 type object
address 0 10.0.0.0 mask 24
address 0 10.0.0.0 mask 24
address 1 20.0.0.0 mask 24
#
ip address-set 10.0.0.2 type object
address 0 10.0.0.0 mask 24
address 0 10.0.0.0 mask 24
#
ip address-set 20.0.0.2 type object
address 0 20.0.0.0 mask 24
address 0 20.0.0.0 mask 24
#
acl number 3001
rule 0 permit ip source 10.0.0.0 0.255.255.255
rule 0 permit ip source 10.0.0.0 0.255.255.255
acl number 3002
rule 0 permit ip source 20.0.0.0 0.255.255.255
#
nat address-group 100 NAT1 100.0.0.1 100.0.0.100
nat address-group 200 NAT2 200.0.0.1 200.0.0.100
nat address-group 200 NAT2 200.0.0.1 200.0.0.100
#
traffic classifier 12
if-match acl 3001
traffic classifier 13
if-match acl 3002
if-match acl 3002
#
traffic behavior 12
remark ip-nexthop 12.12.12.2 output-interface GigabitEthernet0/0/0
traffic behavior 13
remark ip-nexthop 13.13.13.2 output-interface GigabitEthernet0/0/1
#
qos policy re
classifier 12 behavior 12
classifier 13 behavior 13
#
interface GigabitEthernet0/0/0
ip address 12.12.12.1 255.255.255.252
ip address 12.12.12.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 13.13.13.1 255.255.255.252
ip address 13.13.13.1 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 20.0.0.1 255.255.255.0
ip address 20.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
ip address 10.0.0.1 255.255.255.0
# http://www.server-cn.com/
firewall zone local
set priority 100
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
qos apply policy re outbound
add interface GigabitEthernet0/0/2
add interface GigabitEthernet0/0/3
qos apply policy re outbound
add interface GigabitEthernet0/0/2
add interface GigabitEthernet0/0/3
#
firewall zone untrust
set priority 5
#
firewall zone name t100
set priority 10
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/0
#
firewall zone name t200
set priority 11
add interface GigabitEthernet0/0/1
set priority 11
add interface GigabitEthernet0/0/1
#
nat-policy interzone trust untrust outbound
#
nat-policy interzone trust t100 outbound
policy 0
policy 0
action source-nat
policy source address-set 100and200 copyright by http://www.server-cn.com/
address-group NAT1
address-group NAT1
#
nat-policy interzone trust t200 outbound
policy 0
action source-nat
policy source address-set 100and200
address-group NAT2
#
ip route-static 0.0.0.0 0.0.0.0 13.13.13.2
ip route-static 0.0.0.0 0.0.0.0 12.12.12.2
policy source address-set 100and200
address-group NAT2
#
ip route-static 0.0.0.0 0.0.0.0 13.13.13.2
ip route-static 0.0.0.0 0.0.0.0 12.12.12.2
#
扫一扫
1878
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
