
Setting up routing to cellular and WAN

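Translator
Community Manager

Hello everyone!

I am trying to set up Internet access for two VLANs on an IR829 router. I want VLAN10 traffic to go out through the cellular interface and VLAN20 traffic to go out through the WAN (GigabitEthernet 0) interface. I have tried setting up NAT and PBR, but I still cannot get VLAN20 to reach the Internet (I can reach the Internet from VLAN10 through Cellular 0).

Any help would be greatly appreciated!

Cheers

I tried debug ip policy, and this is what I see: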

*Apr 6 01:05:07.650: IP: s=172.16.6.3 (Vlan20), d=8.8.8.8 (GigabitEthernet0), len 62, policy routed
*Apr 6 01:05:07.650: IP: Vlan20 to GigabitEthernet0 14.192.221.164
*Apr 6 01:05:07.762: IP: s=172.16.6.3 (Vlan20), d=31.13.70.3, len 60, FIB policy match
*Apr 6 01:05:07.762: IP: s=172.16.6.3 (Vlan20), d=31.13.70.3, len 60, PBR Counted
*Apr 6 01:05:07.762: IP: s=172.16.6.3 (Vlan20), d=31.13.70.3, len 60, policy match
*Apr 6 01:05:07.762: IP: route map PBR_WAN, item 10, permit
*Apr 6 01:05:07.762: IP: s=172.16.6.3 (Vlan20), d=31.13.70.3 (GigabitEthernet0), len 60, policy routed
*Apr 6 01:05:07.762: IP: Vlan20 to GigabitEthernet0 14.192.221.164
*Apr 6 01:05:07.764: IP: s=172.16.6.3 (Vlan20), d=8.8.8.8, len 68, FIB policy match
*Apr 6 01:05:07.764: IP: s=172.16.6.3 (Vlan20), d=8.8.8.8, len 68, PBR Counted
*Apr 6 01:05:07.764: IP: s=172.16.6.3 (Vlan20), d=8.8.8.8, len 68, policy match
*Apr 6 01:05:07.764: IP: route map PBR_WAN, item 10, permit

 

Here is my current configuration.

IR829#sh run
Building configuration...

Current configuration : 4290 bytes
!
! Last configuration change at 02:18:48 UTC Wed Apr 6 2022
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service unsupported-transceiver
!
hostname IR829
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxx
enable password 7 xxxx
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
ignition off-timer 900
!
ignition undervoltage threshold 11 000
!
no ignition enable
!
!
ip dhcp excluded-address 172.16.5.1
!
ip dhcp pool ENG
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
dns-server 8.8.8.8
!
!
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
chat-script INTERNET "" "ATDT*99#" TIMEOUT 30 CONNECT
!
!
license udi pid xxxx
!
redundancy

!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
lte sim fast-switchover enable
no lte gps enable
lte modem link-recovery disable
!
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet1
switchport access vlan 10
switchport mode access
no ip address
!
interface GigabitEthernet2
switchport access vlan 10
switchport mode access
no ip address
!
interface GigabitEthernet3
switchport access vlan 10
switchport mode access
no ip address
!
interface GigabitEthernet4
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface Wlan-GigabitEthernet0
switchport access vlan 20
switchport mode access
no ip address
!
interface GigabitEthernet5
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0
description -hologram interface-
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 60
dialer in-band
dialer idle-timeout 300
dialer string lte
dialer-group 1
ipv6 address autoconfig
async mode interactive
routing dynamic
!
interface Cellular1
no ip address
encapsulation slip
shutdown
!
interface wlan-ap0
ip address 1.1.1.1 255.255.255.255
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan10
ip address 172.16.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 172.16.6.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR_WAN
!
interface Async0
no ip address
encapsulation scada
!
interface Async1
no ip address
encapsulation scada
!
interface Dialer1
no ip address
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT_CELL interface Cellular0 overload
ip nat inside source route-map NAT_WAN interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended LIST_CELL
permit ip 172.16.5.0 0.0.0.255 any
ip access-list extended LIST_WAN
permit ip 172.16.6.0 0.0.0.255 any
ip access-list extended LIST_WAN_ALL
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
route-map NAT_CELL permit 10
match ip address LIST_CELL
match interface Cellular0
!
route-map PBR_WAN permit 10
match ip address LIST_WAN
set ip next-hop dynamic dhcp
set interface GigabitEthernet0
!
route-map NAT_WAN permit 10
match ip address LIST_WAN
match interface GigabitEthernet0
!
!
!
control-plane
!
!
!
line con 0
stopbits 1
line 1 2
stopbits 1
line 3
script dialer lte
modem InOut
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 150000000
txspeed 50000000
line 4
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 8
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 150000000
txspeed 50000000
line 1/3 1/6
transport preferred none
transport output none
stopbits 1
line vty 0 4
password 7 045802150C2E1D1C5A
login
transport input none
!
no scheduler max-task-time
no iox hdm-enable
iox client enable interface GigabitEthernet5
no iox recovery-enable
!
!
end



5 Replies

Translator
Community Manager

Hello,

Modify the PBR statement and test again:

route-map PBR_WAN permit 10
  match ip address LIST_WAN
  set ip next-hop dynamic dhcp

or

route-map PBR_WAN permit 10
  match ip address LIST_WAN
  set interface GigabitEthernet0

Translator
Community Manager

Hello,

Judging from the debug output, PBR does seem to be working. Try simplifying the NAT, as shown below:

--> ip nat inside source list 1 interface Cellular0 overload
--> ip nat inside source list 2 interface GigabitEthernet0 overload
!
--> access-list 1 permit 172.16.5.0 0.0.0.255
--> access-list 2 permit 172.16.6.0 0.0.0.255
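
The reply above concludes from the debug ip policy output that PBR is working. As an added example (not from the thread), the Python below does that reading mechanically: it pairs each forwarding decision with the route-map entry and next hop logged around it. The function names are hypothetical, and the last sample line is constructed to show the fall-back case; the other sample lines are from the question.

```python
import re

# First five lines come from the debug output in the question; the last line is
# constructed to show a packet that PBR did not route.
SAMPLE = """\
*Apr 6 01:05:07.762: IP: s=172.16.6.3 (Vlan20), d=31.13.70.3, len 60, policy match
*Apr 6 01:05:07.762: IP: route map PBR_WAN, item 10, permit
*Apr 6 01:05:07.762: IP: s=172.16.6.3 (Vlan20), d=31.13.70.3 (GigabitEthernet0), len 60, policy routed
*Apr 6 01:05:07.762: IP: Vlan20 to GigabitEthernet0 14.192.221.164
*Apr 6 01:05:07.764: IP: s=172.16.6.3 (Vlan20), d=8.8.8.8, len 68, policy match
*Apr 6 01:05:08.100: IP: s=172.16.6.9 (Vlan20), d=8.8.4.4, len 60, policy rejected -- normal forwarding
"""

PKT = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<inif>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<outif>[^)]+)\))?, len \d+, (?P<verdict>policy routed|policy rejected.*)$")
MAP = re.compile(r"IP: route map (?P<name>\S+), item (?P<seq>\d+), (?P<action>permit|deny)")
HOP = re.compile(r"IP: \S+ to (?P<outif>\S+) (?P<nh>[\d.]+)$")


def parse_policy_debug(text):
    """Return one record per forwarding decision (policy routed or rejected)."""
    records, last_map = [], None
    for line in text.splitlines():
        if (m := MAP.search(line)):
            # Remember which route-map entry matched; the verdict line follows it.
            last_map = f"{m['name']}/{m['seq']}/{m['action']}"
        elif (m := PKT.search(line)):
            routed = m["verdict"] == "policy routed"
            records.append({"src": m["src"], "dst": m["dst"], "in_if": m["inif"],
                            "out_if": m["outif"] if routed else None,
                            "route_map": last_map if routed else None,
                            "next_hop": None, "routed": routed})
            last_map = None
        elif (m := HOP.search(line)) and records and records[-1]["out_if"] == m["outif"]:
            # "<in> to <out> <next-hop>" completes the preceding routed record.
            records[-1]["next_hop"] = m["nh"]
    return records


def unrouted_sources(records):
    """Sources with at least one packet that fell back to the routing table."""
    return sorted({r["src"] for r in records if not r["routed"]})


if __name__ == "__main__":
    recs = parse_policy_debug(SAMPLE)
    for r in recs:
        print(r)
    print("fell back to routing table:", unrouted_sources(recs))
```

A source returned by unrouted_sources was forwarded by the routing table rather than the route-map, which in the posted configuration means the default route on Cellular0.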

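Translator
Community Manager

Hi Georg!

First of all, I have to say that I got this far thanks to your other replies on here! Can't thank you enough.

I set up another ip route yesterday,

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp 250

I don't know why it works. It would be great if you could shed some light on it.

Another thing I am concerned about is that I get a warning when I set the following configuration,

%Warning:Use P2P interface for routemap setinterface clause

Is this anything to worry about? What is the best way to do this?

route-map NAT_WAN permit 10
  match ip address LIST_WAN
  set ip next-hop dynamic dhcp
  set interface gigabitEthernet0

%Warning:Use P2P interface for routemap setinterface clause

Thanks again!

Nadesh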

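Accepted Solution

Translator
Community Manager

Hello,

Good to know it is working, but I don't really understand why either, since adding a static route with an administrative distance of 250 only means that the route enters the routing table only when the primary route is down...

Either way, the warning

%Warning:Use P2P interface for routemap setinterface clause

is just that, a warning. You get a similar warning when you configure a static route with an Ethernet interface as the next hop instead of an IP address as the next hop. The warning basically just tells you that you are "wasting" resources, because the interface has to ARP for the IP address at the other end.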

Translator
Community Manager

Awesome! I'm glad it worked too. Thanks for your help!
