Cisco IOS Cookbook 中文精簡版第二十一章 NAT

wade2007

21.1.  配置基本NAT功能

ONT-FAMILY: 宋體">提問 在路由器上啟用基本的NAT功能

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat inside source list 15 interface FastEthernet0/0 overload

Router(config)#interface FastEthernet0/2

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

注釋 例子中的配置實現(xiàn)了對地址段192.168.0.0/16訪問外部網(wǎng)絡重寫為172.16.1.5的功能，基本的地址翻譯功能

21.2.  動態(tài)分配外部地址

提問 從某個特定的地址池來動態(tài)分配地址

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

注釋 ip nat inside source list 15 pool NATPOOL 定義了翻譯出去的地址池，如果地址池可以地址用完新的翻譯將不成功，如果加上了overload參數(shù)將會從第一個地址開始翻譯進行復用。另外這里的地址池并不一定要和outside端口的地址在同一網(wǎng)段，只要有相應的路由就可以

wade2007

21.3.  靜態(tài)分配外部地址

提問 翻譯某些特定的內(nèi)部地址為特定的外部地址

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

注釋 靜態(tài)地址翻譯

21.4.  地址靜態(tài)和動態(tài)翻譯結合

提問 靜態(tài)和動態(tài)地址翻譯相結合

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0

Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL overload

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

注釋 這里的控制列表把所要靜態(tài)內(nèi)部地址排除了，當然這一步也不是必須的，因為靜態(tài)翻譯的優(yōu)先級要高于動態(tài)翻譯的，不過靜態(tài)翻譯的外部地址必須要從動態(tài)翻譯的地址池中排除。

21.5.  使用Route Maps來進行翻譯規(guī)則控制

提問 使用Route Maps來進行更好的靜態(tài)地址翻譯

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 172.16.2.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/2

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload

Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload

Router(config)#route-map ISP-1 permit 10

Router(config-route-map)#match interface FastEthernet0/0

Router(config-route-map)#exit

Router(config)#route-map ISP-2 permit 10

Router(config-route-map)#match interface FastEthernet0/1

Router(config-route-map)#exit

Router(config)#end

Router#

注釋 適用于多個outside端口的情況

21.6.  同時兩個方向地址翻譯

提問 同時對內(nèi)部地址和外部地址進行翻譯

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 15 deny 192.168.1.15

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#access-list 16 deny 172.16.5.25

Router(config)#access-list 16 permit 172.16.0.0 0.0.255.255

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL overload

Router(config)#ip nat inside source list 16 pool INBOUNDNAT overload

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat outside source static 172.16.5.25 192.168.15.5

Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

注釋 暫無

wade2007

21.7.  網(wǎng)絡前綴重寫

提問 簡單的改變某個網(wǎng)絡段的前綴

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip nat outside source static network 172.16.0.0 172.17.0.0 /16 no-alias

Router(config)#ip route 172.16.0.0 255.255.0.0 Ethernet1/0

Router(config)#ip route 172.17.0.0 255.255.0.0 Ethernet1/0

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 10.1.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.6 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

注釋 適用于兩個網(wǎng)絡互訪而地址段沖突的情況

21.8.  使用NAT來進行服務器負荷分擔

提問 多個服務器使用同一IP地址從而實現(xiàn)應用的負荷分擔

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#ip nat pool WEBSERVERS 192.168.1.101 192.168.1.105 netmask 255.255.255.0 type rotary

Router(config)#access-list 20 permit host 192.168.1.100

Router(config)#ip nat inside destination list 20 pool WEBSERVERS

Router(config)#end

Router#

注釋 這里不同點在于使用了rotary的參數(shù)和使用了destination而不是source在翻譯規(guī)則中，當然這種是窮人的負載均衡解決方案

21.9.  基于狀態(tài)的NAT切換

提問 在高可用性網(wǎng)絡中部署NAT，這樣一臺設備壞掉的情況下另一臺可以切換起到NAT作用

回答

RouterA

Router-A#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router-A(config)#access-list 11 permit any

Router-A(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0

Router-A(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1

Router-A(config)#interface FastEthernet0/0

Router-A(config-if)#ip address 192.168.1.3 255.255.255.0

Router-A(config-if)#ip nat inside

Router-A(config-if)#standby 1 ip 192.168.1.1

Router-A(config-if)#standby 1 preempt

Router-A(config-if)#standby 1 name SNATGROUP

Router-A(config-if)#exit

Router-A(config)#interface Serial0/0

Router-A(config-if)#ip address 172.17.55.2 255.255.255.252

Router-A(config-if)#ip nat outside

Router-A(config-if)#exit

Router-A(config)#ip nat Stateful id 1

Router-A(config-ipnat-snat)#redundancy SNATGROUP

Router(config-ipnat-snat-red)#mapping-id 1

Router(config-ipnat-snat-red)#exit

Router-A(config)#end

Router-A#

RouterB

Router-B#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router-B(config)#access-list 11 permit any

Router-B(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0

Router-B(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1

Router-B(config)#interface FastEthernet0/0

Router-B(config-if)#ip address 192.168.1.2 255.255.255.0

Router-B(config-if)#ip nat inside

Router-B(config-if)#standby 1 ip 192.168.1.1

Router-B(config-if)#standby 1 priority 90

Router-B(config-if)#standby 1 preempt

Router-B(config-if)#standby 1 name SNATGROUP

Router-B(config-if)#exit

Router-B(config)#interface Serial0/0

Router-B(config-if)#ip address 172.17.55.6 255.255.255.252

Router-B(config-if)#ip nat outside

Router-B(config-if)#exit

Router-B(config)#ip nat Stateful id 1

Router-B(config-ipnat-snat)#redundancy SNATGROUP

Router(config-ipnat-snat-red)#mapping-id 1

Router(config-ipnat-snat-red)#exit

Router-B(config)#end

Router-B#

注釋 雖然說通過使用HSRP可以解決可用性的問題，但是不能同步NAT翻譯表，從12.2(13)T以后思科引入了基于狀態(tài)的NAT（SNAT），這樣可以保持兩臺設備的翻譯表同步，其關鍵命令為ip nat Stateful 要注意的是這里的Stateful是大寫開頭的，這里是區(qū)分大小寫的。另外SNAT只和HSRP連用，不能跟VRRP或者GLBP一起作用。同時也可以使用多組HSRP的形式來保持負載均衡。

wade2007

21.10.  調(diào)整NAT 時長

提問 調(diào)整NAT翻譯表中條目的時長

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip nat translation tcp-timeout 500

Router(config)#ip nat translation udp-timeout 30

Router(config)#ip nat translation dns-timeout 30

Router(config)#ip nat translation icmp-timeout 30

Router(config)#ip nat translation finrst-timeout 30

Router(config)#ip nat translation syn-timeout 30

Router(config)#end

Router#

也可以限制翻譯表的最大條目數(shù)

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip nat translation max-entries 1000

Router(config)#end

Router#

注釋 缺省TCP為24小時，UDP為5分鐘，DNS為1分鐘

21.11.  修改FTP的TCP端口

提問 FTP服務器使用非正常端口

回答

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 19 permit 192.168.55.5

Router(config)#ip nat service list 19 ftp tcp port 8021

Router(config)#ip nat service list 19 ftp tcp port 21

Router(config)#end

Router#

注釋 在12.2(4)T后思科引入了no-payload關鍵詞來防止對數(shù)據(jù)包載荷的地址信息進行修改

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#ip nat inside source static 192.168.1.10 172.16.1.5 no-payload

Router(config)#end

Router#

21.12.  檢查NAT狀態(tài)

提問 查看當前NAT信息

回答

Router#show ip nat translation

Router#clear ip nat translation *

Router#clear ip nat translation inside 172.18.3.2

Router#clear ip nat translation outside 192.168.1.10

Router#show ip nat statistics

Router#clear ip nat statistics

注釋 Router#show ip nat translation

Pro Inside global      Inside local       Outside local      Outside global

"Inside global" 為內(nèi)部設備翻譯的地址"Inside local"為內(nèi)部設備的真實地址"Outside local" 為外部設備翻譯的地址"Outside global" 為外部設備的真實地址，global addresses在outside, local addresses 在 inside.

<!--[if !supportLists]-->21.13.       <!--[endif]-->NAT排錯

提問 對NAT進行排錯

回答

Router#debug ip nat

Router#debug ip nat detailed

Router#debug ip nat 15

Router#debug ip nat 15 detailed

wade2007

Cisco IOS Cookbook 中文精簡版第二十二章第一跳冗余協(xié)議
22.1.  配置基本HSRP

提問 "FONT-FAMILY: 宋體">當主用路由器當?shù)粢院髠浞萋酚善骺梢越庸苤饔寐酚善鞯腎P地址和MAC地址

回答

Router1：

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet 0/1

Router1(config-if)#ip address 172.22.1.3 255.255.255.0

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2：

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface FastEthernet 1/0

Router2(config-if)#ip address 172.22.1.2 255.255.255.0

Router2(config-if)#standby 1 ip 172.22.1.1

Router2(config-if)#standby 1 priority 110

Router2(config-if)#exit

Router2(config)#end

Router2#

注釋 由于HSRP虛擬出來的MAC地址跟組相關，所以可能會出現(xiàn)同一交換機收到多個相同的MAC地址的情況，這時候就需要用standby 1 mac-address 0000.0c07.ad01 命令來人工指定一個MAC地址

<!--[if !supportLists]-->22.2.       <!--[endif]-->使用HSRP 強占特性

提問 強制某個路由器啟動后一直在組中處于主用狀態(tài)

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet 0/1

Router1(config-if)#standby 1 ip 172.22.1.1   

Router1(config-if)#standby 1 priority 120   

Router1(config-if)#standby 1 preempt     

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface FastEthernet 1/0

Router2(config-if)#standby 1 ip 172.22.1.1   

Router2(config-if)#standby 1 priority 110   

Router2(config-if)#standby 1 preempt      

Router2(config-if)#exit

Router2(config)#end

Router2#

注釋 正常情況下當LAN端口up后就會發(fā)生強占，而此時可能網(wǎng)絡還沒有收斂，所以建議配置強占延遲時間，讓路由器啟動后過一段時間再發(fā)起強占standby 1 preempt delay 60

22.3.  配置HSRP對接口問題追蹤的支持

提問 當主用路由器的上聯(lián)端口出現(xiàn)問題后主動切換到備用路由器

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 preempt

Router1(config-if)#standby 1 track Serial0/0 20

Router1(config-if)#exit

Router1(config)#end

Router1#

從12.2(15)T后引入更多可追蹤實例

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#track 11 interface Serial1/1 ip routing      

Router1(config-track)#exit                                    

Router1(config)#interface FastEthernet0/0

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120  

Router1(config-if)#standby 1 preempt

Router1(config-if)#standby 1 track 11 decrement 50

Router1(config-if)#end

Router1#

注釋 Router1#show track   

Track 11

  Interface Serial1/1 ip routing

  IP routing is Down (hw admin-down, ip disabled)

    1 change, last change 00:12:48

  Tracked by:

    HSRP FastEthernet0/0 1

wade2007

22.4.  HSRP負載均衡

提問 在兩臺或者多臺HSRP路由器上實現(xiàn)流量的負載均衡

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip address 172.22.1.3 255.255.255.0

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 preempt

Router1(config-if)#standby 2 ip 172.22.1.2

Router1(config-if)#standby 2 priority 110

Router1(config-if)#standby 2 preempt

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface FastEthernet1/0

Router2(config-if)#ip address 172.22.1.4 255.255.255.0

Router2(config-if)#standby 1 ip 172.22.1.1

Router2(config-if)#standby 1 priority 110

Router2(config-if)#standby 1 preempt

Router2(config-if)#standby 2 ip 172.22.1.2

Router2(config-if)#standby 2 priority 120

Router2(config-if)#standby 2 preempt

Router2(config-if)#exit

Router2(config)#end

Router2#

注釋 由于出現(xiàn)兩個網(wǎng)關，所以需要在終端設備上分開配置各自的缺省網(wǎng)關。

22.5.  HSRP中ICMP重定向

提問 在HSRP中啟用ICMP重定向

回答

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface FastEthernet 1/0

Router2(config-if)#no ip redirects           

Router2(config-if)#standby redirects disable

Router2(config-if)#exit

Router2(config)#end

Router2#

注釋

22.6.  調(diào)整HSRP定時器

提問 調(diào)整備份路由器接管主用路由器所需時長

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 preempt

Router1(config-if)#standby 1 timers 1 3

Router1(config-if)#exit

Router1(config)#end

Router1#

注釋 缺省Hello包時長為3秒，10秒后會接管，如果主用路由器調(diào)整時長，整個組內(nèi)的路由器都要調(diào)整為相同的時長。最短可以到達毫秒Router1(config-if)#standby 1 timers msec 100 msec 300

22.7.  在令牌環(huán)網(wǎng)絡中使用HSRP

提問 在令牌環(huán)網(wǎng)絡中配置HSRP

回答

如果只用IP協(xié)議配置同前面例子，如果還有其他協(xié)議，特別是使用了source-route bridging就用下面的配置方法

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Tokenring0

Router1(config-if)#ip address 172.22.1.3

Router1(config-if)#standby ip 172.22.1.1

Router1(config-if)#standby use-bia

Router1(config-if)#standby priority 120

Router1(config-if)#standby preempt

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface Tokenring0

Router2(config-if)#ip address 172.22.1.2

Router2(config-if)#standby ip 172.22.1.1

Router2(config-if)#standby use-bia

Router2(config-if)#standby priority 110

Router2(config-if)#standby preempt

Router2(config-if)#exit

Router2(config)#end

Router2#

注釋 由于令牌環(huán)網(wǎng)絡會用到設備的MAC地址信息，所以如果HSRP用到虛擬MAC就會出問題，因此在配置中使用了burned-in address (BIA)來代替MAC來避免出現(xiàn)問題

wade2007

22.8.  配置HSRP 的SNMP支持

提問 啟用HSRP的SNMP Traps

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#snmp-server enable traps hsrp

Router1(config)#snmp-server host 172.25.1.1 ORATRAP

Router1(config)#end

Router1#

注釋 無

22.9.  增加HSRP的安全性

提問 提高HSRP的安全

回答

組內(nèi)設備使用相同的配置

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet 0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 authentication NEOSHI

Router1(config-if)#exit

Router1(config)#end

Router1#

從12.3(2)T后支持MD5加密密碼

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet0/1                        

Router1(config-if)#standby 1 ip 10.1.1.1                          

Router1(config-if)#standby 1 priority 200                        

Router1(config-if)#standby 1 authentication md5 key-string OREILLY

Router1(config-if)#end

Router1#

為了防止其他路由器成為主用路由器，設置本路由器高優(yōu)先級

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet 0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 255

Router1(config-if)#exit

Router1(config)#end

Router1#

注釋 無

22.10.  顯示HSRP狀態(tài)信息

提問 顯示HSRP狀態(tài)信息

回答

Router2#show standby

Router2#show standby FastEthernet 1/0

Router2#show standby brief

注釋

22.11.  HSRP排錯

提問 對HSRP進行排錯

回答

Router2#debug standby errors

Router2#debug standby events

Router2#debug standby packets

Router2#debug standby terse

注釋

22.12.  啟用HSRP 版本2

提問 部署HSRPv2

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet0/1         

Router1(config-if)#standby version 2                  

Router1(config-if)#standby 4095 ip 10.1.1.1           

Router1(config-if)#standby 4095 timers msec 15 msec 50

Router1(config-if)#standby 4095 priority 200         

Router1(config-if)#standby 4095 preempt               

Router1(config-if)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface FastEthernet0/0

Router2(config-if)#standby version 2

Router2(config-if)#standby 4095 ip 10.1.1.1

Router2(config-if)#standby 4095 timers msec 15 msec 50

Router2(config-if)#standby 4095 priority 150

Router2(config-if)#standby 4095 preempt

Router2(config-if)#end

Router2#

注釋 從12.3(4)T后開始支持HSRPv2，主要是擴展了可用組數(shù)，從v1的256個組到現(xiàn)在的4095個組，使用不同的MAC地址和組播地址，因此不能混用

wade2007

22.13.  VRRP

提問 在思科路由器上啟用VRRP

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip address 10.1.1.2 255.255.255.0

Router1(config-if)#vrrp 1 ip 10.1.1.1

Router1(config-if)#vrrp 1 preempt

Router1(config-if)#vrrp 1 priority 200

Router1(config-if)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 10.1.1.3 255.255.255.0

Router2(config-if)#vrrp 1 ip 10.1.1.1

Router2(config-if)#vrrp 1 preempt

Router2(config-if)#vrrp 1 priority 150

Router2(config-if)#end

Router2#



注釋 注意在鑒權的配置上如果思科和非思科設備搭配可能會有問題。在配置定時器上只能配置Hello間隔，可以在主路由器上配置，備份路由器可以通過配置vrrp 1 timers learn 命令來自動學習，可以為配置添加描述，也支持Track

<!--[if !supportLists]-->22.14.       <!--[endif]-->GLBP

提問 配置GLBP來實現(xiàn)流量的自動負荷分擔

回答

Router1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 172.22.1.3 255.255.255.0

Router1(config-if)#glbp 1 ip 172.22.1.1

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 172.22.1.2 255.255.255.0

Router2(config-if)#glbp 1 ip 172.22.1.1

Router2(config-if)#exit

Router2(config)#end

Router2#

注釋 GLBP通過組內(nèi)設備輪回的相應虛擬MAC地址來實現(xiàn)自動的負荷分擔，當然也可以使用其他的分擔方式，比如權重等，這樣不需要通過配置多HSRP組的方式實現(xiàn)了均衡，并且所有設備使用同一的網(wǎng)關地址