Cisco 2921, two ISPs, two subnets in the LAN.
Subnet 1 runs over the primary link; when it goes down it fails over and back, all fine.
I wanted to route the second subnet over the backup link, hung `ip policy route-map ava` on the interface, and it seemed to work, but when the backup goes down it does not switch over to the primary. The internet pointed me at various things, but no success so far.
interface GigabitEthernet0/0
description DIA
ip address 3.189.221.163 255.255.255.192
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description AVA
ip address 4.22.64.15 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2.10
description 2-set
encapsulation dot1Q 10
ip address 10.100.100.1 255.255.255.224
ip nat inside
ip virtual-reassembly in
ip policy route-map ava
interface GigabitEthernet0/2.129
description MAIN
encapsulation dot1Q 129
ip address 192.168.0.247 255.255.255.0
ip access-group 199 in
ip flow ingress
ip flow egress
ip nat inside
ip inspect FW in
ip virtual-reassembly in
!
route-map tracking permit 10
set ip next-hop verify-availability 3.189.221.166 10 track 1
set ip next-hop 3.189.221.166
!
route-map tracking permit 20
set ip next-hop verify-availability 4.22.64.1 20 track 2
set ip next-hop 4.22.64.1
!
route-map dia permit 10
match ip address 101
match interface GigabitEthernet0/0
set ip next-hop 3.189.221.166
!
route-map ava permit 15
match ip address 102
match interface GigabitEthernet0/1
set ip next-hop 4.22.64.1
ip nat inside source route-map ava interface GigabitEthernet0/1 overload
ip nat inside source route-map dia interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 3.189.221.166 10 track 1
ip route 0.0.0.0 0.0.0.0 4.22.64.1 20 track 2
ip route 8.8.4.4 255.255.255.255 4.22.64.1
ip route 8.8.8.8 255.255.255.255 3.189.221.166
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
frequency 20
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
frequency 20
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
>[overquoting removed]
> icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
> frequency 20
> ip sla schedule 1 life forever start-time now
> ip sla 2
> icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
> frequency 20
> ip sla schedule 2 life forever start-time now
> track 1 ip sla 1 reachability
> !
> track 2 ip sla 2 reachability
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
frequency 20
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
frequency 20
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0
description DIA
ip address 3.189.221.163 255.255.255.192
ip nat outside
!
interface GigabitEthernet0/1
description AVA
ip address 4.22.64.15 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/2.10
encapsulation dot1Q 10
ip address 10.100.100.1 255.255.255.224
ip nat inside
ip policy route-map track-nat
!
interface GigabitEthernet0/2.129
encapsulation dot1Q 129
ip address 192.168.0.247 255.255.255.0
ip nat inside
ip policy route-map track-nat
!
! host routes for the SLA probes, so each probe can only leave via its own ISP
ip route 8.8.8.8 255.255.255.255 3.189.221.166
ip route 8.8.4.4 255.255.255.255 4.22.64.1
!
! NAT route-maps match only the egress interface: whichever next-hop PBR picks gets the matching translation
ip nat inside source route-map dia interface GigabitEthernet0/0 overload
ip nat inside source route-map ava interface GigabitEthernet0/1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.100.100.0 0.0.0.31
!
! PBR: subnet 1 (acl 1) prefers DIA and falls back to AVA; subnet 2 (acl 2) the reverse
! verify-availability + track makes each next-hop usable only while its SLA probe succeeds
route-map track-nat permit 10
match ip address 1
set ip next-hop verify-availability 3.189.221.166 10 track 1
set ip next-hop verify-availability 4.22.64.1 20 track 2
!
route-map track-nat permit 20
match ip address 2
set ip next-hop verify-availability 4.22.64.1 10 track 2
set ip next-hop verify-availability 3.189.221.166 20 track 1
!
route-map dia permit 10
match interface GigabitEthernet0/0
!
route-map ava permit 10
match interface GigabitEthernet0/1
!
! flush translations on any track change so existing flows are re-NATed via the new link
! the pattern must match the router's actual %TRACKING-5-STATE text (older IOS logs "rtr N", newer "ip sla N")
event manager applet CLEAR-NAT
event syslog pattern "TRACKING-5-STATE: [12] (rtr|ip sla) [12]"
action 1.0 cli command "enable"
action 1.5 cli command "clear ip nat translation *"
>[overquoting removed]
> set ip next-hop verify-availability 4.22.64.1 10 track 2
> set ip next-hop verify-availability 3.189.221.166 20 track 1
> route-map dia permit 10
> match interface GigabitEthernet0/0
> route-map ava permit 10
> match interface GigabitEthernet0/1
> event manager applet CLEAR-NAT
> event syslog pattern "TRACKING-5-STATE: [12] rtr [12]"
> action 1.0 cli command "enable"
> action 1.5 cli command "clear ip nat translation *"
Thanks.
And another one, maybe someone knows whether this can work: I wanted to route internet traffic from home through the "ava" provider )) (there are no restrictions between private and business customers); before it was a plain squid, now I just want to do NAT.
I brought up the tunnel and configured the ACL; everything works if I add a default route on the home Cisco. What I can't get is serving one subnet from the tunnel and the other from the primary link at the same time. With the primary links there seem to be no questions, but the tunnel one is a headache...
Here is a piece of the config:
interface Tunnel0
description proletarskaya-petrova
ip address 10.9.0.1 255.255.255.0
ip mtu 1436
ip virtual-reassembly in
ip tcp adjust-mss 1387
ip policy route-map pet_nat
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile prof-gre
I attach these route-maps:
route-map pet_gw permit 35
match ip address 102
! 10.9.0.2 = tunnel IP of the Cisco on the home (private-customer) side
set ip next-hop 10.9.0.2
!
route-map pet_nat permit 25
match ip address 102
match interface Tunnel0
!
ip nat inside source route-map pet_nat interface tun0 overload
ip route 0.0.0.0 0.0.0.0 10.9.0.2 30
And I attach `ip policy route-map pet_gw` to the LAN interface.
Nothing works!!! Maybe I messed up the route-maps???
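The two failing setups in this thread have the same shape: a route-map that serves both as the `ip policy route-map` and as the `ip nat inside source route-map`, a bare `set ip next-hop` with no `verify-availability ... track` (the `ava` map in the first question), and a policy applied on the tunnel side with NAT pointed at an interface that has no `ip nat outside` (the `pet_nat` map in the tunnel question). Below is an added example, written for this page and not code from any of the posters, that lints an IOS config for exactly those points. The sample config is constructed from the addresses and route-map names posted above (the original `ava` map, the reply's `track-nat` map as the clean reference, and `pet_nat` on Tunnel0), with indentation restored; the check names and the "policy applied on an interface that is not `ip nat inside`" heuristic are this example's own assumptions.

```python
"""Lint a Cisco IOS config for the PBR/NAT mistakes discussed in this thread.
Constructed example for this page, not code from any of the posters."""
import re
from collections import defaultdict

# Constructed sample: trimmed from the configs posted above, indentation restored.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 3.189.221.163 255.255.255.192
 ip nat outside
interface GigabitEthernet0/1
 ip address 4.22.64.15 255.255.255.0
 ip nat outside
interface GigabitEthernet0/2.10
 ip address 10.100.100.1 255.255.255.224
 ip nat inside
 ip policy route-map ava
interface GigabitEthernet0/2.129
 ip address 192.168.0.247 255.255.255.0
 ip nat inside
 ip policy route-map track-nat
interface Tunnel0
 ip address 10.9.0.1 255.255.255.0
 ip policy route-map pet_nat
route-map ava permit 15
 match ip address 102
 match interface GigabitEthernet0/1
 set ip next-hop 4.22.64.1
route-map track-nat permit 10
 match ip address 1
 set ip next-hop verify-availability 3.189.221.166 10 track 1
 set ip next-hop verify-availability 4.22.64.1 20 track 2
route-map pet_nat permit 25
 match ip address 102
 match interface Tunnel0
ip nat inside source route-map ava interface GigabitEthernet0/1 overload
ip nat inside source route-map pet_nat interface Tunnel0 overload
"""


def parse(config):
    """Split an IOS config into interface blocks, route-map entries and NAT rules."""
    interfaces = defaultdict(list)  # name -> [sub-commands]
    route_maps = defaultdict(list)  # name -> [(seq, [sub-commands])]
    nat_rules = []                  # [(route-map, outside interface)]
    block = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):     # indented: belongs to the current block
            if block is not None:
                block.append(raw.strip())
            continue
        block = None
        if m := re.match(r"interface (\S+)$", raw):
            block = interfaces[m.group(1)]
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)$", raw):
            block = []
            route_maps[m.group(1)].append((int(m.group(2)), block))
        elif m := re.match(r"ip nat inside source route-map (\S+) interface (\S+)", raw):
            nat_rules.append((m.group(1), m.group(2)))
    return interfaces, route_maps, nat_rules


def lint(config):
    """Return findings as (check, subject, detail) tuples; an empty list is clean."""
    interfaces, route_maps, nat_rules = parse(config)
    findings = []
    pbr_maps = {}                   # route-map -> interface it is applied on
    for ifname, cmds in interfaces.items():
        for c in cmds:
            if m := re.match(r"ip policy route-map (\S+)$", c):
                pbr_maps[m.group(1)] = ifname
    nat_maps = {rm for rm, _ in nat_rules}
    for rm, ifname in pbr_maps.items():
        # a plain 'set ip next-hop' ignores track state: used as long as the hop is routable
        for seq, cmds in route_maps.get(rm, []):
            for c in cmds:
                if c.startswith("set ip next-hop") and "verify-availability" not in c:
                    findings.append(("untracked-next-hop", rm, f"seq {seq} on {ifname}: "
                                     f"'{c}' has no track, so it never fails back"))
        # heuristic: PBR on a non-'ip nat inside' interface only steers packets arriving there
        if "ip nat inside" not in interfaces[ifname]:
            findings.append(("pbr-on-outside", rm,
                             f"applied on {ifname}, which is not 'ip nat inside'"))
    # one map for both PBR and NAT ties the translation choice to the next-hop choice
    for rm in sorted(pbr_maps.keys() & nat_maps):
        findings.append(("shared-route-map", rm,
                         "used by both 'ip policy route-map' and 'ip nat inside source'"))
    for rm, out_if in nat_rules:
        if "ip nat outside" not in interfaces.get(out_if, []):
            findings.append(("nat-no-outside", out_if,
                             f"NAT map {rm} overloads to {out_if}, which lacks 'ip nat outside'"))
    return findings


if __name__ == "__main__":
    for check, subject, detail in lint(SAMPLE_CONFIG):
        print(f"[{check}] {subject}: {detail}")
```

Run against the sample it reports five findings: the untracked next-hop in `ava`, `ava` and `pet_nat` each doing double duty as PBR and NAT map, `pet_nat` applied on Tunnel0 rather than on the LAN side, and NAT overloading to a Tunnel0 that has no `ip nat outside`. The reply's `track-nat` map produces nothing, which is the point of its layout: tracked next-hops in the PBR map, and separate `dia`/`ava` maps for NAT that only `match interface`. Paste a real `show running-config` into `lint()` to check a router the same way.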