Cisco双出口策略实现的步骤与方法

策略路由

策略路由，是一种比基于目标网络进行路由更加灵活的数据包路由转发机制。路由器将通过路由图决定如何对需要路由的数据包进行处理，路由图决定了一个数据包的下一跳转发路由器。

Cisco 双出口策略实现的步骤：

复制代码

代码如下:

ROUTER>EN
ROUTER#CONFIG T
Router(Config)>int fa 0/0
Router(Config-if)>ip addr 192.168.0.1 255.255.255.0
Router(Config-if)>ip nat inside
Router(Config-if)>ip policy route-map dual_isp
Router(Config-if)>int fa 0/1
Router(Config-if)>ip addr 电信分配的地址
Router(Config-if)>no shut
Router(Config-if)>ip nat outside
Router(Config-if)>int fa 1/0
Router(Config-if)>ip addr 网通分配的地址
Router(Config-if)>no shut
Router(Config-if)>ip nat outside
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.102.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.11.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.21.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.24.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.26.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.27.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.28.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.56.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.60.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.62.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.67.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.68.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 218.7.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.141.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.142.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.154.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.156.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.158.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 219.159.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.102.224.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.106.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.107.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.108.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.110.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.110.192.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.111.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.96.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.96.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.97.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.98.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 202.99.0.0 255.255.255.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.0.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.10.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.11.192.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.12.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.12.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.13.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.192.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.196.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.32.0 255.255.240.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.199.192.0 255.255.240.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.200.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.204.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.207.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.208.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.4.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.6.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.64.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.7.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 221.8.0.0 255.254.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.128.0.0 255.240.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.160.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 222.163.0.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.0.0.0 255.248.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.8.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.10.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.12.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.13.0.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.13.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.16.0.0 255.240.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.208.0.0 255.248.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 60.220.0.0 255.252.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.133.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.134.96.0 255.255.224.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.134.128.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.135.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.136.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.138.0.0 255.255.128.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.138.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.139.128.0 255.255.192.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.148.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.149.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.156.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.158.0.0 255.255.0.0
Router(Config)>Access-list 101 permit Ip 192.168.0.0 0.0.0.255 61.159.0.0 255.255.192.0
Router(Config)>Access-list 102 permit Ip any any
Router(Config)>Ip Nat Inside Source Route-map CT_NAT int fa 0/1 overload
Router(Config)>Ip Nat Inside Source Route-map CNC_NAT int fa 1/0 overload
Router(Config)>Route-map CT_NAT Permit 10
Router(Config-route-map)>Match Int Fa 0/1 (这里不会匹配外面发给它的包，因为DNAT优先于路由选择)
Router(Config)>Route-map CNC_NAT Permit 10
Router(Config-route-map)>Match Int fa1/0 (指这个接口所收到的所有包除了DNAT匹配的，会先进行目标转换,这样目标并不会是FA1/0,而是内部的一个IP，这里其实可以写next-hop 便于理解，也便于检测对方的存在)
Router(Config)>Route-map dual_isp Permit 10
Router(Config-route-map)>Match Ip address 101

Router(Config-route-map)>set ip next-hop 网通网关 电信网关(这里恰好把包发给了NAT所需要的接口，注意这里只是改变了包的下一跳而不是目标。还要注意这里并不是把包扔给了next-hop而是改变了 寻路方式，转发将在此之后进行寻路,之后便是源地址转换：路由器2大功能寻路，转发是分开的，由此可以看出，如果策略NAT里匹配的是对方ISP的地址为 下一跳，那可以检测对方的存在与否)

Router(Config)>Route-map dual_isp Permit 20

Router(Config-route-map)>Match Ip address 102

Router(Config-route-map)>set ip next-hop 电信网关 网通网关

Router(Config)>Ip Route 0.0.0.0 0.0.0.0 电信网关

Router(Config)>Ip Route 0.0.0.0 0.0.0.0 网通网关

(注意 PBR优先于路由，而源地址转换路由又优先于NAT,那PBR会比NAT先进行，所以首先因该是进行PBR把包分类，扔给2个出口，之后再做路由选择路由 是默认的没什么，之后就是NAT了，策略一看在2出口上收到的包分别进行自己的策略NAT，当回来的时候，2个出口上收到的包并不会进行源转换为什么?因 为DNAT优先于路由，SNAT比路由还慢,所以DNAT是最先进行的。还有match next hop 匹配多个下一跳是与的关系,也就是说要满足全部的match才会用动作,所以前面不能match多个nexthop，否则一定砸了，只能match一个 nexthop,当然set可以set多个。 )

此策略路由和策略nat说明：目的地址为网通地址的包全部发给网通网关，其他一律发给电信，由于网通地址段较少，所以选择了做网通的acl条目，减轻工作 量。

以上就是用Cisco路由器双出口策略实现的步骤与方法，策略nat部分也可以用match acl的方式，但是发现实际速度很慢，不知道原因，可能是需要逐条匹配吧。但是最好用match interface的方式，因为只有这样才能实现备份，如果接口down掉，就不会在match接口，但是如果用acl，则会因为永远match而pat 成已经down掉接口的地址，但是路由会从另一接口走掉，同样很慢了就。地址段在今后逐渐补全。trace分析表明：基本上包都走对路了。而且速度比原来 单接口时访问其他isp网明显加快了。谢谢阅读，希望能帮到大家，请继续关注脚本之家，我们会努力分享更多优秀的文章。