Redundancy with two gateways (VRRP)

Network diagram: operation with two gateways

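In this configuration, both RTX series routers provide VRRP, and this function is used to make the WAN lines redundant.
The setup is as follows: the PCs in Group1 use the address of VRRP group 1 (192.168.0.1) as their default gateway, and the PCs in Group2 use the address of VRRP group 2 (192.168.0.2) as their default gateway. When a router or a WAN line fails, the other router automatically takes over as backup.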

Note: the IP address and gateway of each PC must be set manually; DHCP cannot be used.

RTX(1) configuration example


Gateway settings:
ip route default gateway (gateway address provided by ISP1)

LAN interface and VRRP settings (using the LAN1 port):
ip lan1 address 192.168.0.11/24
ip lan1 vrrp 1 192.168.0.1 priority=200
ip lan1 vrrp shutdown trigger 1 lan2
ip lan1 vrrp 2 192.168.0.2 priority=100

WAN (ISP1) interface settings (using the LAN2 port):
ip lan2 address (IP address provided by ISP1)
ip lan2 nat descriptor 1
ip lan2 intrusion detection in on

Inbound filter settings:
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
ip lan2 inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008

NAT settings:
nat descriptor type 1 masquerade
nat descriptor address outer 1 (IP address provided by ISP1)

DNS settings:
dns server (address of the DNS server specified by ISP1)
dns private address spoof on

Policy filter settings:
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.0.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.0.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1660 reject-nolog * lan2 * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1730 static-pass-nolog * lan2 * * 104
ip policy filter 1900 pass-nolog * lan2 * * *
ip policy filter 1950 reject-nolog lan2 * * * *
ip policy filter 1960 static-pass-nolog * local * * 104
ip policy filter 1970 pass-log * lan1 * * 101
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1900 1130] 1950 [1970 1960] 1600 [1640 1650 1660 1630] 1700 [1710 1730] 2000
ip policy filter set enable 101

RTX(2) configuration example

Gateway settings:
ip route default gateway pp 1

LAN interface and VRRP settings (using the LAN1 port):
ip lan1 address 192.168.0.12/24
ip lan1 vrrp 1 192.168.0.1 priority=100
ip lan1 vrrp 2 192.168.0.2 priority=200
ip lan1 vrrp shutdown trigger 2 pp 1

WAN (ISP2) interface settings (using the LAN2 port):
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
pp auth myname (ID for connecting to ISP2) (password for connecting to ISP2)
ppp lcp mru on 1454
ppp ipcp ipaddress on
ip pp mtu 1454
ip pp nat descriptor 1
ip pp intrusion detection in on
pp enable 1

Inbound filter settings:
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
pp select 1
ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
pp enable 1

NAT settings:
nat descriptor type 1 masquerade

DNS settings:
dns server pp 1
dns private address spoof on

Policy filter settings:
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.0.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services" # Note 6
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.0.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1140 pass-nolog * pp1 * * *
ip policy filter 1500 reject-nolog pp* * * * *
ip policy filter 1520 pass-log * lan1 * * 101
ip policy filter 1530 static-pass-nolog * local * * 104
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1680 reject-nolog * pp* * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1750 static-pass-nolog * pp* * * 104
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
ip policy filter set enable 101
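
The failover behaviour of the two configurations above can be checked with the following Python sketch, which is an added example and not part of the original page. It parses the VRRP lines of both routers and computes the master for each virtual address when a WAN interface or a whole router fails. It assumes that a fired shutdown trigger takes the router out of that VRRP group and that the highest remaining priority wins; the labels RTX1/RTX2 and the function names are illustrative.

```python
import re

# VRRP lines copied from the two configurations on this page;
# the keys RTX1/RTX2 are illustrative labels for RTX(1) and RTX(2).
CONFIGS = {
    "RTX1": """
ip lan1 vrrp 1 192.168.0.1 priority=200
ip lan1 vrrp shutdown trigger 1 lan2
ip lan1 vrrp 2 192.168.0.2 priority=100
""",
    "RTX2": """
ip lan1 vrrp 1 192.168.0.1 priority=100
ip lan1 vrrp 2 192.168.0.2 priority=200
ip lan1 vrrp shutdown trigger 2 pp 1
""",
}

GROUP = re.compile(r"^ip lan1 vrrp (\d+) (\S+) priority=(\d+)$")
TRIGGER = re.compile(r"^ip lan1 vrrp shutdown trigger (\d+) (.+)$")

def parse(text):
    """Return {vrid: {"addr", "priority", "triggers"}} for one router."""
    groups, triggers = {}, {}
    for line in text.strip().splitlines():
        if m := GROUP.match(line):
            groups[int(m[1])] = {"addr": m[2], "priority": int(m[3])}
        elif m := TRIGGER.match(line):
            triggers.setdefault(int(m[1]), set()).add(m[2])
    for vrid, g in groups.items():
        g["triggers"] = triggers.get(vrid, set())
    return groups

def masters(configs, down_ifaces=None, dead_routers=()):
    """Map each virtual address to its master router, or None if no router
    still serves it. down_ifaces is {router: {interfaces whose link is down}}.
    Assumption: a fired trigger removes the router from that group only."""
    down_ifaces = down_ifaces or {}
    best = {}
    for router, text in configs.items():
        if router in dead_routers:
            continue
        for g in parse(text).values():
            best.setdefault(g["addr"], (-1, None))
            if g["triggers"] & down_ifaces.get(router, set()):
                continue  # trigger fired: router leaves this group
            best[g["addr"]] = max(best[g["addr"]], (g["priority"], router))
    return {addr: router for addr, (_, router) in best.items()}
```

Because each router carries a shutdown trigger only for the group it normally masters, the two virtual addresses swap routers when both WAN links are down.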
