使用两根互联网线路,希望实现高速连接环境

希望灵活运用两个线路,额外使用带宽超过100Mbit/s

公司内有两个小组,分别提供最大100Mbit/s的光纤线路方式的互联网连接环境。万一,一方的互联网连接线路发生故障时,能够通过另一方的互联网连接线路进行备份。

简称

GbE:千兆以太网。能够以最大1Gbit/s的速度进行通信的LAN规格。
FE:快速以太网。能够以最大100Mbit/s的速度进行通信的LAN规格。

■同时使用两个100Mbit/s光纤线路&互相备份

容纳两根光纤线路中GbE的必要性

RTX1100中也能够使用同样的结构,但是,由于LAN1端口是快速以太网(FE),因此流动共计200Mbit/s的数据时,只能流动100Mbit/s。而RTX1200中,LAN1端口已经变为千兆以太网(GbE),因此能够获得两个光纤线路的足够的速度。

RTX系列的设置例

能够只导出下述的设置部分。

ConfigDownload

网关的设置 ip filter 1001 pass-log 192.168.100.1-192.168.100.127 * * * *
ip filter 1002 pass-log 192.168.100.128-192.168.100.254 * * *
ip forward filter 100 1 gateway (ISP1提供的网关地址) filter 1001 keepalive 1
ip forward filter 100 2 gateway pp 2 filter 1002 keepalive 2
ip forward filter 100 3 gateway pp 2 filter 1001
ip forward filter 100 4 gateway (ISP1提供的网关地址) filter 1002
ip lan1 forward filter 100
LAN接口
的设置
(使用LAN1端口)
ip lan1 address 192.168.100.1/24
WAN(ISP1)的
接口设置
(使用LAN2端口)
ip lan2 address (ISP1提供的IP地址)
ip lan2 nat descriptor 1
ip route (判断连接是否正常的IP地址A) gateway (ISP1提供的网关地址) #注释1
ip keepalive 1 icmp-echo 3 3 (判断连接是否正常的IP地址A)
ip lan2 intrusion detection in on
WAN(ISP2)的
接口设置
(使用LAN3端口)
pp select 2
pp always-on on
pppoe use lan3
pp auth accept pap chap
pp auth myname (连接ISP2的ID) (连接ISP2的密码)
ppp lcp mru on 1454
ppp ipcp ipaddress on
ip pp mtu 1454
ip pp intrusion detection in on
ip pp nat descriptor 2
pp enable 2
ip route (判断连接是否正常的IP地址B) gateway pp 2 #注释2
ip keepalive 2 icmp-echo 3 3 (判断连接是否正常的IP地址B)

NAT的设置 nat descriptor type 1 masquerade
nat descriptor address outer 1 primary
nat descriptor type 2 masquerade
DHCP的设置 dhcp service server
dhcp scope 1 192.168.100.2-192.168.100.254/24
dhcp server rfc2131 compliant except remain-silent
DNS的设置 dns server (ISP1所指定的DNS服务器的IP地址)
dns server pp 2
dns private address spoof on
Inbound过滤的设置 ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.100.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
ip lan2 inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
pp select 2
ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
pp enable 2
策略过滤的设置 ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.100.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.100.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1140 pass-nolog * pp2 * * *
ip policy filter 2200 reject-nolog pp* * * * *
ip policy filter 2220 pass-log * lan1 * * 101
ip policy filter 2230 static-pass-nolog * local * * 104
ip policy filter 2300 reject-nolog tunnel* * * * *
ip policy filter 2330 pass-nolog * tunnel* * * *
ip policy filter 2340 pass-nolog * local * * *
ip policy filter 2350 pass-nolog * lan1 * * *
ip policy filter 2360 reject-nolog * lan2 * * *
ip policy filter 2380 reject-nolog * pp* * * *
ip policy filter 2400 pass-nolog local * * * *
ip policy filter 2410 static-pass-nolog * lan1 * * *
ip policy filter 2430 static-pass-nolog * lan2 * * 104
ip policy filter 2450 static-pass-nolog * pp* * * 104
ip policy filter 2600 pass-nolog * lan2 * * *
ip policy filter 2650 reject-nolog lan2 * * * *
ip policy filter 2660 static-pass-nolog * local * * 104
ip policy filter 2670 pass-log * lan1 * * 101
ip policy filter 3000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 2600 1140 1130] 2200 [2220 2230] 2650 [2670 2660] 2300 [2340 2350 2380 2360 2330] 2400 [2410 2450 2430] 3000
ip policy filter set enable 101

[注释的说明]

注释1:用于判断连接是否正常的IP地址A,可以是任意的global IP地址,推荐使用ISP1提供的DNS服务器地址。

注释2:用于判断连接是否正常的IP地址B,可以是不同于判断连接是否正常的IP地址A的任意的global IP地址,推荐使用ISP2提供的DNS服务器地址。

返回顶部