JUNIPER SRX dual-ISP deployment: destination-NAT configuration lab 1.0

    In enterprise networks, customers usually deploy multiple carrier links, and different ports of the same server are published through different carriers' links. Customers also ask about being unable to manage the device through the ISP2 address. A simple routing instance is enough to meet this requirement.

Lab topology:

(figure: 路由實例拓撲.png)


Lab requirements: 1. Clients reach the server's port 8080 through China Telecom and the server's port 80 through the China Unicom IP;

               2. (follow-up) The SRX monitors port 443 on the Telecom link; as soon as port 443 is blocked, the service switches immediately to port 443 on the Unicom IP.

Lab configuration:

1. Interfaces:

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.2/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.10.1/24

2. Main routing table inet.0:

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 172.188.10.0/24 next-hop st0.1

3. Routing instance (interface routes are shared into both inet.0 and isp2.inet.0 through the rib-group, which is what lets the device be managed through the ISP2 address):

set routing-options interface-routes rib-group inet share
set routing-options rib-groups share import-rib inet.0
set routing-options rib-groups share import-rib isp2.inet.0
set routing-instances isp2 instance-type virtual-router
set routing-instances isp2 interface ge-0/0/1.0
set routing-instances isp2 routing-options static route 0.0.0.0/0 next-hop 10.10.10.1

4. NAT configuration (source NAT to the egress interface address towards each ISP; destination NAT publishes port 23 on the Unicom address 10.10.10.2 and port 8080 on the Telecom address 1.1.1.2, both to the server 172.16.10.2):

set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 then source-nat interface
set security nat source rule-set 2 from zone trust
set security nat source rule-set 2 to zone isp2
set security nat source rule-set 2 rule 2 match source-address 0.0.0.0/0
set security nat source rule-set 2 rule 2 match destination-address 0.0.0.0/0
set security nat source rule-set 2 rule 2 then source-nat interface
set security nat destination pool test address 172.16.10.2/32
set security nat destination pool test address port 23
set security nat destination pool test_web address 172.16.10.2/32
set security nat destination pool test_web address port 8080
set security nat destination rule-set 1 from zone isp2
set security nat destination rule-set 1 rule 1 match destination-address 10.10.10.2/32
set security nat destination rule-set 1 rule 1 match destination-port 23
set security nat destination rule-set 1 rule 1 then destination-nat pool test
set security nat destination rule-set 2 from zone untrust
set security nat destination rule-set 2 rule 2 match destination-address 1.1.1.2/32
set security nat destination rule-set 2 rule 2 match destination-port 8080
set security nat destination rule-set 2 rule 2 then destination-nat pool test_web
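As an added check (example code written for this post, not Juniper's or the author's), the following Python models how the destination-NAT rule-sets above are chosen by from-zone and matched by destination address and port, so you can predict which ISP address publishes which server port before committing. It assumes first-match order within a rule-set and ignores the security policies, which the post does not show.

```python
import ipaddress

# The destination-NAT lines from the post, embedded here as the example's input.
CONFIG = """set security nat destination pool test address 172.16.10.2/32
set security nat destination pool test address port 23
set security nat destination pool test_web address 172.16.10.2/32
set security nat destination pool test_web address port 8080
set security nat destination rule-set 1 from zone isp2
set security nat destination rule-set 1 rule 1 match destination-address 10.10.10.2/32
set security nat destination rule-set 1 rule 1 match destination-port 23
set security nat destination rule-set 1 rule 1 then destination-nat pool test
set security nat destination rule-set 2 from zone untrust
set security nat destination rule-set 2 rule 2 match destination-address 1.1.1.2/32
set security nat destination rule-set 2 rule 2 match destination-port 8080
set security nat destination rule-set 2 rule 2 then destination-nat pool test_web"""

def parse(config):  # set commands -> {pool: {addr, port}}, {rule-set: {from, rules}}
    pools, rule_sets = {}, {}
    for t in (line.split() for line in config.splitlines()):
        if t[4] == "pool":
            p = pools.setdefault(t[5], {})
            if t[6:8] == ["address", "port"]:
                p["port"] = int(t[8])
            else:
                p["addr"] = ipaddress.ip_network(t[7])
        else:  # rule-set
            rs = rule_sets.setdefault(t[5], {"from": None, "rules": {}})
            if t[6] == "from":
                rs["from"] = t[8]
            else:
                r = rs["rules"].setdefault(t[7], {})
                if t[9] == "destination-address":
                    r["addr"] = ipaddress.ip_network(t[10])
                elif t[9] == "destination-port":
                    r["port"] = int(t[10])
                else:  # then destination-nat pool <name>
                    r["pool"] = t[11]
    return pools, rule_sets

def translate(config, from_zone, dst_ip, dst_port):
    """Return (new_ip, new_port) for the first matching rule, or None if no DNAT applies."""
    pools, rule_sets = parse(config)
    for rs in rule_sets.values():
        if rs["from"] != from_zone:
            continue  # rule-sets are selected by the ingress zone
        for r in rs["rules"].values():
            if ipaddress.ip_address(dst_ip) in r["addr"] and dst_port == r.get("port", dst_port):
                p = pools[r["pool"]]
                return str(p["addr"].network_address), p.get("port", dst_port)
    return None
```

Packets to port 23 on the Telecom address or to port 8080 on the Unicom address return None, which is exactly the "one port per ISP" behaviour the lab wants.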

Lab verification:

1. Test the NAT port on the Unicom link. In the lab, telnet port 23 is used for the test. Telnet from 2.2.2.2 to 10.10.10.2 port 23 logs in to the server:

(figure: 23端口.png)

Check the NAT hits on 10.10.10.2:

(figure: hit數.png)

The NAT translation succeeded.

Check the session on 10.10.10.2:

(figure: 回話.png)

2. Test port 8080 on the Telecom link, using the web interface instead. Entering 1.1.1.2 port 8080 in the remote PC's browser lands on the server's web management page:

(figure: web.png)

(figure: web管理.png)

Normal business traffic leaves through the Telecom IP:

(figure: 正常.png)

Experienced engineers often raise one concern: the xx environment is not ideal. Given that in practice a carrier's physical link rarely fails, follow-up RPM experiments on the SRX will be done for ports 500 and 433, further optimizing the primary/backup *** and address-mapping features.
