Good day to all.
The task is this:
- I need to implement the scheme at
http://img410.imageshack.us/my.php?image=twoisptunnelqc9.jpg
- from the branch there should be 2 tunnels to the central office (CO), preferably with traffic balancing across the tunnels.
- all requests from the branch to the Internet must first go into the tunnel (hitting a proxy server there) and exit to the Internet from the CO.
- in the CO there must be traffic balancing between the two providers.

==========================Central Office Router==================================
!
hostname Central-Office
!
ip cef
!
!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.10 source-interface FastEthernet0/0.30
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 2.2.2.10 source-interface FastEthernet0/0.40
ip sla monitor schedule 2 life forever start-time now
!
!
!
track 100 rtr 1 reachability
!
track 200 rtr 2 reachability
!
!
interface Tunnel10
ip address 10.10.10.20 255.255.255.0
tunnel source FastEthernet0/0.30
tunnel destination 3.3.3.3
!
interface Tunnel20
ip address 20.20.20.20 255.255.255.0
tunnel source FastEthernet0/0.40
tunnel destination 3.3.3.3
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.20
description -=LAN=-
encapsulation dot1Q 20
ip address 200.200.200.200 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.30
description -=ISP1=-
encapsulation dot1Q 30
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0.40
description -=ISP2=-
encapsulation dot1Q 40
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 20.20.20.0 0.0.0.255
network 200.200.200.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 1.1.1.10 track 100
ip route 0.0.0.0 0.0.0.0 2.2.2.10 track 200
!
!
ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0.30 overload
ip nat inside source route-map ISP2 interface FastEthernet0/0.40 overload
!
ip access-list extended NAT
permit ip any any
!
!
route-map ISP2 permit 10
match ip address NAT
match interface FastEthernet0/0.40
!
route-map ISP1 permit 10
match ip address NAT
match interface FastEthernet0/0.30
!
==========================Branch Office Router=============================
!
hostname Branch-Office
!
ip cef
!
!
!
!
interface Tunnel10
ip address 10.10.10.10 255.255.255.0
tunnel source FastEthernet0/0.30
tunnel destination 1.1.1.1
!
interface Tunnel20
ip address 20.20.20.10 255.255.255.0
tunnel source FastEthernet0/0.30
tunnel destination 2.2.2.2
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.20
description -=LAN=-
encapsulation dot1Q 20
ip address 100.100.100.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.30
description -=ISP3=-
encapsulation dot1Q 30
ip address 3.3.3.3 255.255.255.0
ip nat outside
ip virtual-reassembly
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 20.20.20.0 0.0.0.255
network 100.100.100.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 200.200.200.200
ip route 1.1.1.0 255.255.255.0 3.3.3.10
ip route 2.2.2.0 255.255.255.0 3.3.3.10
!
!
ip http server
no ip http secure-server
ip nat inside source list nat interface FastEthernet0/0.30 overload
!
ip access-list extended nat
permit ip any any
!
!
==============================sh ip route CO router=============================
Gateway of last resort is 2.2.2.10 to network 0.0.0.0
C 200.200.200.0/24 is directly connected, FastEthernet0/0.20
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0.30
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0.40
100.0.0.0/24 is subnetted, 1 subnets
D 100.100.100.0 [90/297246976] via 20.20.20.10, 01:19:50, Tunnel20
[90/297246976] via 10.10.10.10, 01:19:50, Tunnel10
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, Tunnel20
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Tunnel10
S* 0.0.0.0/0 [1/0] via 2.2.2.10
[1/0] via 1.1.1.10
==========================sh ip route Branch router================================
Gateway of last resort is 200.200.200.200 to network 0.0.0.0
D 200.200.200.0/24 [90/297246976] via 20.20.20.20, 01:18:51, Tunnel20
[90/297246976] via 10.10.10.20, 01:18:51, Tunnel10
1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 [1/0] via 3.3.3.10
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 [1/0] via 3.3.3.10
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.100.0 is directly connected, FastEthernet0/0.20
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, FastEthernet0/0.30
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, Tunnel20
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Tunnel10
S* 0.0.0.0/0 [1/0] via 200.200.200.200
=====================================ping and traceroute to the CO network
Branch-Office#ping 200.200.200.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Branch-Office#traceroute 200.200.200.202
Type escape sequence to abort.
Tracing the route to 200.200.200.202
1 10.10.10.20 4 msec
20.20.20.20 4 msec
10.10.10.20 4 msec
2 * * *
3 * * *
4 * * *
5 * * *
============================ping and traceroute to the external network
Branch-Office#ping 4.4.4.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Branch-Office#traceroute 4.4.4.10
Type escape sequence to abort.
Tracing the route to 4.4.4.10
1 10.10.10.20 4 msec
20.20.20.20 4 msec
10.10.10.20 4 msec
2 * * *
3 * * *
============================ping and traceroute to the external network from the Central-Office Router
Central-Office#ping 4.4.4.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Central-Office#traceroute 4.4.4.10
Type escape sequence to abort.
Tracing the route to 4.4.4.10
1 2.2.2.10 0 msec
1.1.1.10 0 msec
2.2.2.10 0 msec
Tell me where I'm going wrong...

In the central office, use PBR (ip local policy) so that the tunnels are built through the right providers.
>In the central office, use PBR (ip local policy) so that the tunnels are built through
>the right providers.

I found something similar on the net.
Am I right in understanding that it should be done roughly like this:
!
ip local policy route-map rm_local
!
ip access-list extended local_isp1
permit ip host 1.1.1.1 any
ip access-list extended local_isp2
permit ip host 2.2.2.2 any
!
route-map rm_local permit 10
match ip address local_isp1
match interface FastEthernet0/0.30
set ip next-hop 1.1.1.10
!
route-map rm_local permit 20
match ip address local_isp2
match interface FastEthernet0/0.40
set ip next-hop 2.2.2.10
!

? =)
>[overquoting removed]
>
>Type escape sequence to abort.
>Tracing the route to 4.4.4.10
>
> 1 2.2.2.10 0 msec
> 1.1.1.10 0 msec
> 2.2.2.10 0 msec
>
>
>Tell me where I'm going wrong...

It feels like packets from the branch leave via one tunnel
and the return packets come back via the other.
>[overquoting removed]
>>
>> 1 2.2.2.10 0 msec
>> 1.1.1.10 0 msec
>> 2.2.2.10 0 msec
>>
>>
>>Tell me where I'm going wrong...
>
> It feels like packets from the branch leave via one tunnel
> and the return packets come back via the other.

Although no, tunnel20 is chosen on both sides.
>[overquoting removed]
>>> 1 2.2.2.10 0 msec
>>> 1.1.1.10 0 msec
>>> 2.2.2.10 0 msec
>>>
>>>
>>>Tell me where I'm going wrong...
>>
>> It feels like packets from the branch leave via one tunnel
>> and the return packets come back via the other.

I think you need to apply the variance command in the eigrp configuration
for balancing across the tunnels to work correctly.
> Branch-Office#ping 4.4.4.10
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 4.4.4.10, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)

Traffic arriving from the tunnel goes straight out to your provider, never passing through NAT.
ip nat in on the tunnel interfaces and, accordingly, add them to the route-map as well.
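As an added example (not code from the thread), here is a small Python linter that checks a pasted IOS config for the two fixes the replies point to: `ip nat inside` on the tunnel interfaces (this reply) and an `ip local policy` route-map when the tunnel sources sit on different NAT-outside uplinks (the earlier PBR reply). The sample config is a constructed, trimmed copy of the Central-Office config before the fixes; the check names are assumptions, the route-map name rm_local is the one used in the thread.

```python
import re

# Constructed sample: a trimmed copy of the thread's Central-Office config
# BEFORE the fixes (tunnels without 'ip nat inside', no 'ip local policy').
CO_BEFORE = """\
hostname Central-Office
interface Tunnel10
 ip address 10.10.10.20 255.255.255.0
 tunnel source FastEthernet0/0.30
 tunnel destination 3.3.3.3
!
interface Tunnel20
 ip address 20.20.20.20 255.255.255.0
 tunnel source FastEthernet0/0.40
 tunnel destination 3.3.3.3
!
interface FastEthernet0/0.30
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/0.40
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
!
"""

# The same config with both fixes applied: 'ip nat inside' on each tunnel and
# a local PBR policy (route-map name rm_local, as in the thread).
CO_AFTER = CO_BEFORE.replace(
    " tunnel source", " ip nat inside\n tunnel source"
) + "ip local policy route-map rm_local\n"

# Global-mode commands that end an interface stanza even when a forum paste
# has lost its indentation.
_TOP = re.compile(r"^(interface|router|ip route|ip nat inside source|ip access-list|"
                  r"route-map|crypto (isakmp|ipsec)|crypto map \S+ \d+|hostname|"
                  r"end|ip local policy|ip sla|track)\b")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; indentation is not required."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = []
        elif line == "!" or _TOP.match(line):
            cur = None  # stanza finished
        elif cur is not None:
            ifaces[cur].append(line)
    return ifaces

def check_tunnel_nat(ifaces):
    """Tunnels on a router that has 'ip nat outside' uplinks must be 'ip nat inside',
    otherwise traffic arriving from the tunnel leaves the uplink untranslated."""
    if not any("ip nat outside" in cmds for cmds in ifaces.values()):
        return []
    return [name for name, cmds in ifaces.items()
            if name.startswith("Tunnel") and "ip nat inside" not in cmds]

def check_local_policy(config, ifaces):
    """True when tunnel sources sit on more than one NAT-outside uplink but there is
    no 'ip local policy', so router-originated GRE may leave via the wrong ISP."""
    outside = {n for n, c in ifaces.items() if "ip nat outside" in c}
    sources = set()
    for cmds in ifaces.values():
        for c in cmds:
            m = re.match(r"tunnel source (\S+)", c)
            if m and m.group(1) in outside:
                sources.add(m.group(1))
    has_policy = re.search(r"^ip local policy route-map \S+", config, re.M)
    return len(sources) > 1 and has_policy is None

def lint(config):
    """Run both checks over one config text and return the findings."""
    ifaces = parse_interfaces(config)
    return {
        "tunnels_missing_nat_inside": check_tunnel_nat(ifaces),
        "missing_local_policy": check_local_policy(config, ifaces),
    }
```

Running `lint(CO_BEFORE)` flags both tunnels and the missing local policy; `lint(CO_AFTER)` is clean.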
>Good day to all.
>The task is this:
>- I need to implement the scheme at
> http://img410.imageshack.us/my.php?image=twoisptunnelqc9.jpg
>- from the branch there should be 2 tunnels to the central office (CO), preferably with traffic balancing
>across the tunnels.
>- all requests from the branch to the Internet must first go into the tunnel (hitting
>a proxy server there) and exit to the Internet from the CO.
>- in the CO there must be traffic balancing between the two providers.

Here is what I ended up with:

==============================Branch-Office=======================================
hostname Branch-Office
!
boot-start-marker
boot-end-marker
!
ip cef
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 cisco address 1.1.1.1
crypto isakmp key 6 cisco address 2.2.2.2
!
!
crypto ipsec transform-set to_CO esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 1.1.1.1
set peer 2.2.2.2
set transform-set to_CO
match address VPN
!
!
!
!
interface Tunnel10
ip address 10.10.10.10 255.255.255.0
tunnel source FastEthernet0/0.30
tunnel destination 1.1.1.1
!
interface Tunnel20
ip address 20.20.20.10 255.255.255.0
tunnel source FastEthernet0/0.30
tunnel destination 2.2.2.2
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.20
description -=LAN=-
encapsulation dot1Q 20
ip address 100.100.100.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.30
description -=ISP3=-
encapsulation dot1Q 30
ip address 3.3.3.3 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map VPN
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 20.20.20.0 0.0.0.255
network 100.100.100.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 200.200.200.200
ip route 1.1.1.0 255.255.255.0 3.3.3.10
ip route 2.2.2.0 255.255.255.0 3.3.3.10
!
!
ip http server
no ip http secure-server
ip nat inside source list nat interface FastEthernet0/0.30 overload
!
ip access-list extended VPN
permit gre host 3.3.3.3 host 1.1.1.1
permit gre host 3.3.3.3 host 2.2.2.2
ip access-list extended nat
permit ip any any
!
!
end
===========================Branch-Office#sh cry isa sa===============================
dst src state conn-id slot status
3.3.3.3 2.2.2.2 QM_IDLE 2 0 ACTIVE
1.1.1.1 3.3.3.3 QM_IDLE 3 0 ACTIVE
3.3.3.3 1.1.1.1 QM_IDLE 1 0 ACTIVE
===========================Branch-Office#sh cry ipsec sa=============================
interface: FastEthernet0/0.30
Crypto map tag: VPN, local addr 3.3.3.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 398, #pkts encrypt: 398, #pkts digest: 398
#pkts decaps: 4000, #pkts decrypt: 4000, #pkts verify: 4000
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.30
current outbound spi: 0xBF147EDE(3205791454)
inbound esp sas:
spi: 0xA5CE16D1(2781746897)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: SW:9, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4397252/1881)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBF147EDE(3205791454)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: SW:10, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4397282/1879)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.30
current outbound spi: 0x847012B9(2221937337)
inbound esp sas:
spi: 0x6495A3BA(1687528378)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: SW:5, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4444329/1878)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0xBC3BB95B(3158030683)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: SW:7, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4381056/1878)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC348DFAA(3276332970)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: SW:6, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4444329/1877)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x847012B9(2221937337)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: SW:8, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4381504/1877)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4396, #pkts encrypt: 4396, #pkts digest: 4396
#pkts decaps: 623, #pkts decrypt: 623, #pkts verify: 623
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.30
current outbound spi: 0x7C4DDA22(2085476898)
inbound esp sas:
spi: 0x1C76345D(477508701)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4387839/1876)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x4C43BBFA(1279507450)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4468179/1875)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x241FAF19(606056217)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2011, flow_id: SW:11, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4524720/1875)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2ACF5F44(718233412)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4387839/1873)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x8AC80B7F(2328365951)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4468179/1873)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x7C4DDA22(2085476898)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2012, flow_id: SW:12, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4524427/1873)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.30
current outbound spi: 0xAE5E70F2(2925424882)
inbound esp sas:
spi: 0x9736794A(2536929610)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2013, flow_id: SW:13, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4564630/1874)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAE5E70F2(2925424882)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2014, flow_id: SW:14, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4564411/1872)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
=====================================Branch-Office#sh ip route======================
Gateway of last resort is 200.200.200.200 to network 0.0.0.0
D 200.200.200.0/24 [90/297246976] via 20.20.20.20, 00:29:20, Tunnel20
[90/297246976] via 10.10.10.20, 00:29:20, Tunnel10
1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 [1/0] via 3.3.3.10
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 [1/0] via 3.3.3.10
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.100.0 is directly connected, FastEthernet0/0.20
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, FastEthernet0/0.30
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, Tunnel20
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Tunnel10
S* 0.0.0.0/0 [1/0] via 200.200.200.200
==============================Branch-Office#ping 4.4.4.10===========================
==============================External network==========================================
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
==============================Branch-Office#traceroute 4.4.4.10=====================
Type escape sequence to abort.
Tracing the route to 4.4.4.10
1 20.20.20.20 8 msec
10.10.10.20 8 msec
20.20.20.20 8 msec
2 1.1.1.10 8 msec 8 msec *
Branch-Office#
==============================Central-Office#=======================================
!
hostname Central-Office
!
ip cef
!
!
!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.10 source-interface FastEthernet0/0.30
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 2.2.2.10 source-interface FastEthernet0/0.40
ip sla monitor schedule 2 life forever start-time now
!
!
track 100 rtr 1 reachability
!
track 200 rtr 2 reachability
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 cisco address 3.3.3.3
!
!
crypto ipsec transform-set to_BO esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set to_BO
match address VPN
!
!
!
!
interface Tunnel10
ip address 10.10.10.20 255.255.255.0
ip nat inside
ip virtual-reassembly
tunnel source FastEthernet0/0.30
tunnel destination 3.3.3.3
!
interface Tunnel20
ip address 20.20.20.20 255.255.255.0
ip nat inside
ip virtual-reassembly
tunnel source FastEthernet0/0.40
tunnel destination 3.3.3.3
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.20
description -=LAN=-
encapsulation dot1Q 20
ip address 200.200.200.200 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.30
description -=ISP1=-
encapsulation dot1Q 30
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map VPN
!
interface FastEthernet0/0.40
description -=ISP2=-
encapsulation dot1Q 40
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map VPN
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 20.20.20.0 0.0.0.255
network 200.200.200.0
no auto-summary
!
ip local policy route-map rm_local
ip route 0.0.0.0 0.0.0.0 1.1.1.10 track 100
ip route 0.0.0.0 0.0.0.0 2.2.2.10 track 200
!
!
ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0.30 overload
ip nat inside source route-map ISP2 interface FastEthernet0/0.40 overload
!
ip access-list extended VPN
permit gre host 1.1.1.1 host 3.3.3.3
permit gre host 2.2.2.2 host 3.3.3.3
ip access-list extended local_ISP1
permit ip host 1.1.1.1 any
ip access-list extended local_ISP2
permit ip host 2.2.2.2 any
!
!
route-map rm_local permit 10
match ip address local_ISP1
match interface FastEthernet0/0.30
set ip next-hop 1.1.1.10
!
route-map rm_local permit 20
match ip address local_ISP2
match interface FastEthernet0/0.40
set ip next-hop 2.2.2.10
!
route-map ISP2 permit 10
match interface FastEthernet0/0.40
!
route-map ISP1 permit 10
match interface FastEthernet0/0.30
!
!
!
end
==================================Central-Office#sh cry isa sa========================
dst src state conn-id slot status
3.3.3.3 2.2.2.2 QM_IDLE 3 0 ACTIVE
3.3.3.3 1.1.1.1 QM_IDLE 1 0 ACTIVE
1.1.1.1 3.3.3.3 QM_IDLE 2 0 ACTIVE
==================================Central-Office#sh cry ipsec sa======================
interface: FastEthernet0/0.30
Crypto map tag: VPN, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
current_peer 3.3.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 288, #pkts encrypt: 288, #pkts digest: 288
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.30
current outbound spi: 0xA5CE16D1(2781746897)
inbound esp sas:
spi: 0xBF147EDE(3205791454)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: SW:9, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4498334/1646)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA5CE16D1(2781746897)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: SW:10, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4498300/1642)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
current_peer 3.3.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 375, #pkts encrypt: 375, #pkts digest: 375
#pkts decaps: 2841, #pkts decrypt: 2841, #pkts verify: 2841
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.30
current outbound spi: 0x241FAF19(606056217)
inbound esp sas:
spi: 0x2ACF5F44(718233412)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4474900/1636)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x8AC80B7F(2328365951)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4601386/1629)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x7C4DDA22(2085476898)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2011, flow_id: SW:11, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4481052/1629)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1C76345D(477508701)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4474900/1627)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x4C43BBFA(1279507450)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4601386/1627)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x241FAF19(606056217)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2012, flow_id: SW:12, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4481388/1627)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: FastEthernet0/0.40
Crypto map tag: VPN, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
current_peer 3.3.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4316, #pkts encrypt: 4316, #pkts digest: 4316
#pkts decaps: 436, #pkts decrypt: 436, #pkts verify: 436
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 7, #recv errors 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.40
current outbound spi: 0xBC3BB95B(3158030683)
inbound esp sas:
spi: 0xC348DFAA(3276332970)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: SW:5, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4483663/1621)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x847012B9(2221937337)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: SW:7, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4592485/1621)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6495A3BA(1687528378)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: SW:6, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4483663/1620)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0xBC3BB95B(3158030683)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: SW:8, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4591969/1620)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
current_peer 3.3.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 348, #pkts encrypt: 348, #pkts digest: 348
#pkts decaps: 2228, #pkts decrypt: 2228, #pkts verify: 2228
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.40
current outbound spi: 0x9736794A(2536929610)
inbound esp sas:
spi: 0xAE5E70F2(2925424882)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2013, flow_id: SW:13, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4439107/1621)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9736794A(2536929610)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2014, flow_id: SW:14, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4439360/1619)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
====================================Central-Office#sh ip route=======================
Gateway of last resort is 2.2.2.10 to network 0.0.0.0
C 200.200.200.0/24 is directly connected, FastEthernet0/0.20
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0.30
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0.40
100.0.0.0/24 is subnetted, 1 subnets
D 100.100.100.0 [90/297246976] via 20.20.20.10, 00:34:04, Tunnel20
[90/297246976] via 10.10.10.10, 00:34:04, Tunnel10
20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, Tunnel20
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Tunnel10
S* 0.0.0.0/0 [1/0] via 2.2.2.10
[1/0] via 1.1.1.10
===================================Central-Office#sh track===========================
Track 100
Response Time Reporter 1 reachability
Reachability is Up
2 changes, last change 01:52:51
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
Track 200
Response Time Reporter 2 reachability
Reachability is Up
2 changes, last change 01:52:51
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
Central-Office#

Are there any comments? =)
As I understand it, balancing should be per destination... how could I test balancing across providers and across tunnels in a lab setup? =)