Leszek R. (IT, Kaczmarek Electric S.A. - Hurtownie Elektrotechniczn...)
Subject: Load balancing using CEF
Hello,
On the router (1921) I have 3 x WAN and 1 x LAN (2 x Frame Relay, 1 DSL), each configured the same way, with the same ACL. The problem starts, however, when I want to let traffic in from outside (from IP x.x.x.156, which is in ACL 101) on the DSL link (GigabitEthernet0/1) to a specific server (192.168.1.247 on RDP port 3389) and have the return traffic use the same interface (GigabitEthernet0/1), rather than, as now, the route that is hard-wired to Serial0/0/0.1.
For the time being, letting traffic in from outside on polpak_1 (Serial0/0/0.1) works. I suspect the problem lies on the side of: ip nat inside source static tcp 192.168.1.247 3389 interface Serial0/0/0.1 3389, since that route is for a separate interface, and I would also like to assign that route to GigabitEthernet0/1, but unfortunately Cisco does not allow that... so the question is: how do I solve this?
From a "How to" I read that one should use load balancing with CEF control. I have CEF running, load balancing not yet... but I would not like to mix up too much at once.
To sum up, I would like to achieve: a knock on WAN1 --> traffic to 192.168.1.247 on RDP port 3389, WAN1 answers. A knock on WAN2 --> traffic to 192.168.1.247 on RDP port 3389, WAN2 answers, and so on... traffic leaving the LAN must go out the same interface as the traffic entering the LAN.
The configuration is below:
interface GigabitEthernet0/0
ip address 192.168.1.253 255.255.255.0
ip access-group 102 out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description DSL
ip address x.x.x.158 x.x.x.x
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/0/0
description Konfiguracja fizycznego interfejsu szeregowego
no ip address
encapsulation frame-relay
no fair-queue
no clock rate 2000000
frame-relay lmi-type ansi
!
!
interface Serial0/0/0.1 point-to-point
description Polaczenie Polpak-T do Internetu 2Mbit
ip address x.x.x.218 x.x.x.x
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 99 IETF
crypto map CM_ISAKMP_WOLSZT_POWOD
!
interface Serial0/1/0
description Konfiguracja fizycznego interfejsu szeregowego x.x.x.x
no ip address
encapsulation frame-relay
no fair-queue
clock rate 2000000
frame-relay lmi-type ansi
!
!
interface Serial0/1/0.1 point-to-point
description Polaczenie Polpak-T do Internetu 2Mbit
ip address x.x.x.234 x.x.x.x
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 99 IETF
!
interface Virtual-Template1 type tunnel
ip unnumbered Serial0/0/0.1
tunnel source Serial0/0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
!
!
router eigrp 1010
network 192.168.1.0
network 192.168.254.0 0.0.0.3
no eigrp log-neighbor-warnings
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.254
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool POOL_NAT x.x.x.218 x.x.x.218 netmask 255.255.255.252
ip nat pool POOL_NAT_ISP2 x.x.x.234 x.x.x.234 netmask 255.255.255.252
ip nat pool POOL_NAT_ISP3 x.x.x.158 x.x.x.158 netmask 255.255.255.248
ip nat inside source list 100 pool POOL_NAT overload
ip nat inside source static tcp 192.168.1.247 3389 interface Serial0/0/0.1 3389
ip nat inside source static tcp 192.168.1.250 3389 interface Serial0/0/0.1 3388
ip nat inside source static tcp 192.168.1.237 3390 interface Serial0/0/0.1 3390
ip route 0.0.0.0 0.0.0.0 x.x.x.217
ip route 0.0.0.0 0.0.0.0 x.x.x.233
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip access-list extended EZVPN_SPLIT_TUNNEL
permit ip 192.168.0.0 0.0.1.255 any
ip access-list extended SPLIT_T
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SiecIPSEC
permit gre host x.x.x.218 host x.x.x.158
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 445
access-list 101 permit tcp any any eq 139
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any eq domain any
access-list 101 permit tcp host 92.43.119.10 eq 587 host 80.50.164.218
access-list 101 permit tcp host 92.43.119.27 eq pop3 host 80.50.164.218
access-list 101 permit tcp host 77.252.230.136 host x.x.x.218 eq 3389
access-list 101 permit tcp host 78.10.48.191 host x.x.x.218 eq 3389
access-list 101 permit tcp host 78.10.48.73 host x.x.x.218 eq 3389
access-list 101 permit tcp host 79.187.209.202 host x.x.x.218 eq 3389
access-list 101 permit tcp host 79.187.112.234 host x.x.x.218 eq 3389
access-list 101 permit tcp host 79.187.199.114 host x.x.x.218 eq 3389
access-list 101 permit tcp host 79.187.199.114 eq 6789 host 80.50.164.218
access-list 101 permit tcp host 79.187.199.114 range 9100 9101 host 80.50.164.218
access-list 101 permit tcp host 79.188.33.10 host x.x.x.218 eq 3389
access-list 101 permit tcp host 79.188.54.30 host x.x.x.218 eq 3389
access-list 101 permit tcp host 79.188.54.30 eq 6789 host 80.50.164.218
access-list 101 permit tcp host 79.188.54.30 range 9100 9102 host 80.50.164.218
access-list 101 permit tcp host 79.189.180.141 host x.x.x.218 eq 3389
access-list 101 permit tcp host 79.190.43.218 host x.x.x.218 eq 3389
access-list 101 permit tcp host x.x.x.218 host x.x.x.218 eq 3389
access-list 101 permit tcp host 80.53.218.46 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.3.230.242 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.3.230.242 eq 6789 host 80.50.164.218
access-list 101 permit tcp host 83.3.230.242 eq 9100 host 80.50.164.218
access-list 101 permit tcp host 83.0.155.250 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.13.197.178 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.13.197.178 host x.x.x.218 eq 6789
access-list 101 permit tcp host 83.13.2.10 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.14.112.178 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.14.198.210 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.14.93.154 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.15.29.178 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.15.29.178 range 6789 6796 host 80.50.164.218
access-list 101 permit tcp host 83.15.29.178 range 9100 9108 host 80.50.164.218
access-list 101 permit tcp host 83.15.29.179 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.15.29.179 host x.x.x.218 eq 6789
access-list 101 permit tcp host 83.16.103.158 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.16.103.158 eq 6789 host 80.50.164.218
access-list 101 permit tcp host 83.16.103.158 range 9100 9102 host 80.50.164.218
access-list 101 permit tcp host 83.16.249.74 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.17.47.170 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.17.62.122 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.17.40.142 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.17.221.86 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.17.55.166 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.17.62.66 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.17.237.10 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.18.140.154 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.18.140.155 host x.x.x.218 range 3388 3389
access-list 101 permit tcp host 83.18.140.156 host x.x.x.218 eq 3389
access-list 101 permit tcp host x.x.x.158 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.19.59.98 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.19.59.98 range 6789 6796 host 80.50.164.218
access-list 101 permit tcp host 83.19.59.98 range 9100 9109 host 80.50.164.218
access-list 101 permit tcp host 83.220.105.130 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.238.19.225 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.238.164.115 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.238.213.51 host x.x.x.218 eq 3389
access-list 101 permit tcp host 85.221.231.130 host x.x.x.218 eq 3389
access-list 101 permit tcp host 89.238.39.239 host x.x.x.218 eq 3389
access-list 101 permit tcp host 87.105.249.84 host x.x.x.218 eq 3389
access-list 101 permit tcp host 87.105.53.110 host x.x.x.218 eq 3389
access-list 101 permit tcp host 87.105.71.57 host x.x.x.218 eq 3389
access-list 101 permit tcp host 89.77.218.77 host x.x.x.218 eq 3389
access-list 101 permit tcp host 95.48.95.82 host x.x.x.218 eq 3389
access-list 101 permit tcp host 95.48.229.154 host x.x.x.218 eq 3389
access-list 101 permit tcp host 95.48.225.146 host x.x.x.218 eq 3389
access-list 101 permit tcp host 95.50.207.106 host x.x.x.218 eq 3389
access-list 101 permit tcp host 95.50.42.66 host x.x.x.218 eq 3389
access-list 101 permit tcp host 95.50.230.210 host x.x.x.218 eq 3389
access-list 101 permit tcp host 95.51.131.114 host x.x.x.218 eq 3389
access-list 101 permit tcp host 109.231.40.56 host x.x.x.218 eq 3389
access-list 101 permit tcp host 178.36.122.129 host x.x.x.218 eq 3389
access-list 101 permit tcp host 178.56.116.191 host x.x.x.218 eq 3389
access-list 101 permit tcp host 188.125.37.61 host x.x.x.218 eq 3389
access-list 101 permit tcp host 188.125.37.216 host x.x.x.218 eq 3389
access-list 101 permit tcp host 194.105.133.92 host x.x.x.218 range 3388 3389
access-list 101 permit tcp host 194.105.133.141 host x.x.x.218 eq 3389
access-list 101 permit tcp host 194.105.133.209 host x.x.x.218 range 3388 3389
access-list 101 permit tcp host 194.105.133.211 host x.x.x.218 eq 3389
access-list 101 permit tcp host 194.105.133.79 host x.x.x.218 eq 3389
access-list 101 permit tcp host 195.114.167.72 host x.x.x.218 eq 3388
access-list 101 permit tcp host 213.199.198.47 host x.x.x.218 eq 3389
access-list 101 permit tcp host 217.98.13.235 host x.x.x.218 eq 3389
access-list 101 permit tcp host 217.98.13.235 host x.x.x.218 eq 6789
access-list 101 permit tcp host 83.13.197.178 eq 6789 host x.x.x.218 range 1618 1647
access-list 101 permit tcp 83.15.29.177 0.0.0.2 eq 6789 host x.x.x.218 range 2216 2217
access-list 101 permit tcp 91.214.237.0 0.0.0.255 eq 443 host 80.50.164.218
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq ntp host x.x.x.218 eq ntp
access-list 101 permit udp any host x.x.x.218 eq non500-isakmp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp host 194.204.152.34 eq domain any
access-list 101 permit udp host 194.204.152.34 any eq domain
access-list 101 permit udp host 194.204.159.1 eq domain any
access-list 101 permit udp host 194.204.159.1 any eq domain
access-list 101 permit udp any 80.48.66.144 0.0.0.15
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 deny ip any any log
access-list 102 remark CCP_ACL Category=17
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any eq www any
access-list 102 permit tcp any eq www any eq www
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any eq domain any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any eq pop3 any
access-list 102 permit tcp any eq 587 any
access-list 102 permit tcp any eq 443 any
access-list 102 permit tcp any eq 3389 any
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 3389
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 139
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 445
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 range 1433 1434
access-list 102 permit tcp host 194.105.133.92 any eq 3389
access-list 102 permit tcp host 95.40.239.126 any eq 3389
access-list 102 permit tcp host 194.105.133.209 any eq 3389
access-list 102 permit tcp any host 192.168.1.248 eq 3389
access-list 102 permit tcp any host 192.168.1.247 eq 3389
access-list 102 permit tcp any range 6789 6796 host 192.168.1.247
access-list 102 permit tcp any range 9100 9109 host 192.168.1.247
access-list 102 permit icmp any any echo-reply
access-list 102 permit udp 192.168.0.0 0.0.1.255 range netbios-ns netbios-dgm 192.168.1.0 0.0.0.255 range netbios-ns netbios-dgm
access-list 102 permit udp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq domain
access-list 102 permit udp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq snmp
access-list 102 permit udp host 194.204.152.34 eq domain any
access-list 102 permit udp host 194.204.152.34 any eq domain
access-list 102 permit udp host 194.204.159.1 eq domain any
access-list 102 permit udp host 194.204.159.1 any eq domain
access-list 102 permit udp 192.168.1.0 0.0.0.255 range netbios-ns netbios-dgm host 192.168.1.255 range netbios-ns netbios-dgm
access-list 102 permit udp 192.168.1.0 0.0.0.255 eq bootps 192.168.1.0 0.0.0.255 eq bootpc
access-list 102 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.255 eq netbios-dgm
access-list 102 permit icmp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any log
I would be grateful for any help in solving the above problem.
Regards,
Leszek Rutkowski
Leszek R. edited this post on 31.05.12 at 07:57
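An added example, not part of the post above and not the poster's own tooling: a small Python audit that parses the parts of the configuration the question turns on (the `ip nat outside` interfaces, the `ip nat inside source static` entries and the numbered ACL applied inbound) and reports, for each outside interface, whether a static binding for 192.168.1.247:3389 exists on that interface and which external sources the inbound ACL permits to that interface's address on the port a client would have to hit. The helper names (`parse_interfaces`, `parse_static_nat`, `parse_acl`, `permitted_sources`, `audit_rdp_exposure`) are my own, and `SAMPLE_CONFIG` is a constructed excerpt of the posted config (the DSL link and the first Frame Relay link, the static entry for the RDP server and a few ACL 101 lines, addresses anonymised as x.x.x.N exactly as the poster did). On the posted config every static entry and every RDP permit points at the Serial0/0/0.1 address (x.x.x.218) and nothing points at the DSL address (x.x.x.158), which is the asymmetry the question describes; the same check can be re-run after any change to confirm that each WAN link has its own binding and its own ACL permit, and the per-interface source list doubles as an inventory of which external hosts may reach RDP at all, which a defender will want to keep short.

```python
import re
# Constructed excerpt of the poster's configuration (addresses anonymised as x.x.x.N, as in
# the post): the DSL link, the first Frame Relay link, the static NAT for the RDP server and
# a few ACL 101 lines. Sample input for the audit below, not the full running-config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address x.x.x.158 x.x.x.x
 ip access-group 101 in
 ip nat outside
interface Serial0/0/0.1 point-to-point
 ip address x.x.x.218 x.x.x.x
 ip access-group 101 in
 ip nat outside
ip nat inside source static tcp 192.168.1.247 3389 interface Serial0/0/0.1 3389
access-list 101 permit tcp any any eq www
access-list 101 permit tcp host 77.252.230.136 host x.x.x.218 eq 3389
access-list 101 permit tcp host 83.18.140.155 host x.x.x.218 range 3388 3389
access-list 101 deny ip any any log
"""

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53, "telnet": 23}  # IOS keywords used in the post
STATIC_NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.*)$")

def parse_interfaces(text):  # interface name -> {address, nat_outside, acl_in}; sub-commands are indented
    ifaces, cur = {}, None
    for line in text.splitlines():
        sub = line.split()
        if line.startswith("interface "):
            cur = ifaces.setdefault(sub[1], {"address": None, "nat_outside": False, "acl_in": None})
        elif not line.startswith(" ") or cur is None:
            cur = None  # any other unindented line ends the interface block
        elif sub[:2] == ["ip", "address"]:
            cur["address"] = sub[2]
        elif sub == ["ip", "nat", "outside"]:
            cur["nat_outside"] = True
        elif sub[:2] == ["ip", "access-group"] and sub[-1] == "in":
            cur["acl_in"] = sub[2]
    return ifaces

def parse_static_nat(text):
    """Static PAT entries in the form the poster uses: inside ip/port -> interface/port."""
    return [{"inside": m[1], "inside_port": int(m[2]), "interface": m[3], "outside_port": int(m[4])}
            for m in map(STATIC_NAT_RE.match, text.splitlines()) if m]

def _take_addr(t):  # consume one address spec: any | host A | A WILDCARD
    return ("any", t[1:]) if t[0] == "any" else (t[1], t[2:]) if t[0] == "host" else (t[0] + "/" + t[1], t[2:])

def _take_ports(t):  # consume an optional port operator (eq / range); None means any port
    port = lambda tok: PORT_NAMES.get(tok, int(tok) if tok.isdigit() else tok)
    if t and t[0] == "eq":
        return {port(t[1])}, t[2:]
    if t and t[0] == "range":
        return set(range(port(t[1]), port(t[2]) + 1)), t[3:]
    return None, t

def parse_acl(text, number):
    """Entries of numbered ACL `number`, in the order IOS evaluates them."""
    entries = []
    for m in map(ACL_RE.match, text.splitlines()):
        if m and m[1] == number:
            src, rest = _take_addr(m[4].split())
            sports, rest = _take_ports(rest)
            dst, rest = _take_addr(rest)
            dports, _ = _take_ports(rest)  # trailing 'log', ICMP type names etc. are ignored
            entries.append({"action": m[2], "proto": m[3], "src": src, "sports": sports, "dst": dst, "dports": dports})
    return entries

def permitted_sources(entries, dst, port):
    """First-match walk: sources the ACL lets reach dst:port over TCP, in ACL order."""
    allowed, denied = [], set()
    for e in entries:
        if e["proto"] not in ("tcp", "ip") or e["dst"] not in (dst, "any"):
            continue
        if e["dports"] is not None and port not in e["dports"]:
            continue
        if e["action"] == "deny":
            denied.add(e["src"])
            if e["src"] == "any":  # 'deny ip any any': nothing below can match
                break
        elif e["src"] not in denied and e["src"] not in allowed:
            allowed.append(e["src"])
    return allowed

def audit_rdp_exposure(text, inside_host="192.168.1.247", port=3389):
    """Per 'ip nat outside' interface: static binding for inside_host:port, and ACL-permitted sources."""
    nats, report = parse_static_nat(text), {}
    for name, info in parse_interfaces(text).items():
        if not info["nat_outside"]:
            continue
        binding = [n for n in nats if (n["inside"], n["inside_port"], n["interface"]) == (inside_host, port, name)]
        outside_port = binding[0]["outside_port"] if binding else port  # port a client must hit on this link
        acl = parse_acl(text, info["acl_in"]) if info["acl_in"] else []
        report[name] = {"address": info["address"], "static_nat": bool(binding),
                        "rdp_sources": permitted_sources(acl, info["address"], outside_port)}
    return report

if __name__ == "__main__":
    for name, r in audit_rdp_exposure(SAMPLE_CONFIG).items():
        print(f"{name:<20} {r['address']:<10} static NAT: {r['static_nat']!s:<6} RDP from: {', '.join(r['rdp_sources']) or '-'}")
```

The ACL walk is first-match, as IOS evaluates it: it stops at a `deny ip any any` and shadows later host permits only at host granularity (a deny for a subnet does not suppress a later permit for one host inside it), which is sufficient for ACL 101 as posted, where the only deny is the last line. `PORT_NAMES` covers the IOS port keywords this post uses; other keywords are kept as strings and simply never match a numeric port. The audit says nothing about the routing half of the question (the two default routes and which link return traffic takes); it only tells you, per link, whether the NAT and ACL halves would let a session in at all.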