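I. Configuration goal:
Under normal conditions R3 must reach R4 through R1 (the firewall). When the R1-R2 link fails, R3 can bypass R1 (the firewall) and still reach R4.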

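Topology:

R1 simulates the firewall;
R2 simulates a Layer 3 switch;

II. Configuration approach:
1. Basic configuration (IP addresses, static routes);
2. Policy-based routing configuration on R2;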

III. Detailed configuration:

r1#
r1#sh run
Building configuration...

Current configuration : 662 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
multilink bundle-name authenticated
!        
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 10.1.23.0 255.255.255.0 10.1.12.2
ip route 10.1.24.0 255.255.255.0 10.1.12.2
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end

r1#

--------------------------------------------------------------------------------------------------

r2#sh run
*Mar  1 01:26:26.671: %SYS-5-CONFIG_I: Configured from console by consoleun
Building configuration...

Current configuration : 1156 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
multilink bundle-name authenticated
!        
track 111 rtr 1 reachability
!
interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.23.2 255.255.255.0
 ip policy route-map tt
 speed 100
 full-duplex
!        
interface FastEthernet1/0
 ip address 10.1.24.2 255.255.255.0
 ip policy route-map dd
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
!
ip sla 1
 icmp-echo 10.1.12.1
 frequency 10
ip sla schedule 1 life forever start-time now
access-list 111 permit ip 10.1.23.0 0.0.0.255 any
access-list 122 permit ip 10.1.24.0 0.0.0.255 any
!
route-map tt permit 10
 match ip address 111
 set ip next-hop verify-availability 10.1.12.1 1 track 111
!        
route-map dd permit 10
 match ip address 122
 set ip next-hop verify-availability 10.1.12.1 1 track 111
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end

r2#
r2#

--------------------------------------------------------------------------------------------------

r3#
r3#sh run
Building configuration...

Current configuration : 449 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r3
!
memory-size iomem 15
ip subnet-zero
!
interface FastEthernet0/0
 ip address 10.1.23.3 255.255.255.0
 speed 100
 full-duplex
!        
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.23.2
ip http server
!
line con 0
line aux 0
line vty 0 4
!
end

r3#
--------------------------------------------------------------------------------------------------

r4#
r4#sh run
Building configuration...

Current configuration : 450 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
memory-size iomem 15
ip subnet-zero
!
interface FastEthernet0/0
 ip address 10.1.24.4 255.255.255.0
 duplex auto
 speed auto
!        
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.24.2
ip http server
!
line con 0
line aux 0
line vty 0 4
!
end

r4#
--------------------------------------------------------------------------------------------------

IV. Verification:

--------------------------------------------------------------------------------------------------

r4#
r4#
r4#ping 10.1.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 808/1125/1536 ms
r4#
r4#tra
r4#traceroute 10.1.23.3

Type escape sequence to abort.
Tracing the route to 10.1.23.3

  1 10.1.24.2 1064 msec 192 msec 404 msec
  2 10.1.12.1 536 msec 616 msec 424 msec
  3 10.1.12.2 468 msec 444 msec 608 msec
  4 10.1.23.3 976 msec 720 msec 700 msec
r4#

--------------------------------------------------------------------------------------------------

r1#
r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#
r1(config)#int f0/0
r1(config-if)#
r1(config-if)#shut
r1(config-if)#
r1(config-if)#end
r1#
*Mar  1 01:38:38.987: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 01:38:39.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Mar  1 01:38:39.995: %SYS-5-CONFIG_I: Configured from console by console
r1#
r1#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.12.1       YES manual administratively down down   
FastEthernet0/1            unassigned      YES unset  administratively down down   
r1#

--------------------------------------------------------------------------------------------------

r4#
r4#ping 10.1.23.3     

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 516/600/764 ms
r4#
r4#traceroute 10.1.23.3

Type escape sequence to abort.
Tracing the route to 10.1.23.3

  1 10.1.24.2 580 msec 308 msec 196 msec
  2 10.1.23.3 560 msec 484 msec 632 msec
r4#

--------------------------------------------------------------------------------------------------
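
The R2 configuration above depends on a chain: interface -> route-map -> verify-availability next hop -> track object -> IP SLA probe. If any link in that chain is broken, the track never comes up and R2 forwards by its routing table, so traffic skips R1 even while R1 is healthy. The following is an added example, not part of the original lab: a Python check that resolves the chain from an excerpt of the r2 running-config shown above and reports broken links. The function name audit_pbr and the report fields are assumptions of this example.

```python
import re

# Excerpt of the r2 running-config from this page (only the lines the check needs).
R2_CONFIG = """\
track 111 rtr 1 reachability
interface FastEthernet0/1
 ip address 10.1.23.2 255.255.255.0
 ip policy route-map tt
interface FastEthernet1/0
 ip address 10.1.24.2 255.255.255.0
 ip policy route-map dd
ip sla 1
 icmp-echo 10.1.12.1
 frequency 10
ip sla schedule 1 life forever start-time now
route-map tt permit 10
 match ip address 111
 set ip next-hop verify-availability 10.1.12.1 1 track 111
route-map dd permit 10
 match ip address 122
 set ip next-hop verify-availability 10.1.12.1 1 track 111
"""

def audit_pbr(config):
    """Resolve interface -> route-map -> next hop -> track -> IP SLA probe (hypothetical helper)."""
    tracks = dict(re.findall(r"^track (\d+) (?:rtr|ip sla) (\d+) reachability", config, re.M))
    probes = dict(re.findall(r"^ip sla (\d+)\n icmp-echo (\S+)", config, re.M))
    scheduled = set(re.findall(r"^ip sla schedule (\d+) ", config, re.M))
    hops = {}  # route-map name -> [(next hop, track id), ...]
    for name, body in re.findall(r"^route-map (\S+) permit \d+\n((?: .*\n?)*)", config, re.M):
        hops.setdefault(name, []).extend(re.findall(
            r"set ip next-hop verify-availability (\S+) \d+ track (\d+)", body))
    report = []
    for intf, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        m = re.search(r"ip policy route-map (\S+)", body)
        if not m:
            continue  # interface has no policy routing applied
        for hop, track in hops.get(m.group(1), []):
            sla = tracks.get(track)
            problems = []
            if sla is None:
                problems.append("track %s not defined" % track)
            elif sla not in scheduled:
                problems.append("ip sla %s not scheduled" % sla)
            elif probes.get(sla) != hop:
                problems.append("probe target %s != next hop %s" % (probes.get(sla), hop))
            report.append({"interface": intf, "route_map": m.group(1),
                           "next_hop": hop, "track": track, "problems": problems})
    return report
```

For the configuration on this page, both policy-routed interfaces resolve to next hop 10.1.12.1 via track 111 with no problems reported.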