Please help with configuring a Cisco 2811 for two ISPs using SLA monitor. The task is trivial: I need to set up a backup link for the office, which sits behind NAT on this device. I configured it, but for some reason it doesn't work. What could the problem be?
Config:
Current configuration : 5859 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2811
!
boot-start-marker
boot-end-marker
!
enable secret xxxxxxxx
enable password pass
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip vrf isp10
rd 65535:10
!
ip vrf isp50
rd 65535:50
!
no ip domain lookup
ip sla monitor 10
type echo protocol ipIcmpEcho 195.34.32.116 source-interface FastEthernet0/1
timeout 500
vrf isp10
frequency 5
ip sla monitor schedule 10 life forever start-time now
ip sla monitor 50
type echo protocol ipIcmpEcho 212.188.4.10 source-interface Vlan1
timeout 500
vrf isp50
frequency 5
ip sla monitor schedule 50 life forever start-time now
!
!
!
crypto pki trustpoint TP-self-signed-3261937146
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3261937146
revocation-check none
rsakeypair TP-self-signed-3261937146
!
!
crypto pki certificate chain TP-self-signed-3261937146
certificate self-signed 01 !
!
track 10 rtr 10
!
track 50 rtr 50
!
!
!
!
interface Tunnel11
ip address 172.16.121.1 255.255.255.252
tunnel source Loopback11
tunnel destination 172.16.21.1
!
interface Tunnel12
ip vrf forwarding isp50
ip address 172.16.121.2 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source Loopback21
tunnel destination 172.16.11.1
!
interface Tunnel21
ip address 172.16.122.1 255.255.255.252
tunnel source Loopback12
tunnel destination 172.16.22.1
!
interface Tunnel22
ip vrf forwarding isp10
ip address 172.16.122.2 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source Loopback22
tunnel destination 172.16.12.1
!
interface Loopback11
ip address 172.16.11.1 255.255.255.255
!
interface Loopback12
ip address 172.16.12.1 255.255.255.255
!
interface Loopback21
ip address 172.16.21.1 255.255.255.255
!
interface Loopback22
ip address 172.16.22.1 255.255.255.255
!
interface FastEthernet0/0 <!!!- local network -!!!>
ip address 192.168.0.1 255.255.255.0
ip virtual-reassembly
ip policy route-map ISP50
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1 <!!!- ISP, first provider -!!!>
ip vrf forwarding isp10
ip address 100.100.100.119 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/2/0
no cdp enable
!
interface FastEthernet0/2/1
shutdown
no cdp enable
!
interface FastEthernet0/2/2
shutdown
no cdp enable
!
interface FastEthernet0/2/3
no cdp enable
no mop enabled
!
interface Serial0/3/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/3/1
no ip address
shutdown
clock rate 2000000
no cdp enable
!
interface Vlan1 <!!!- ISP, second provider -!!!>
ip vrf forwarding isp50
ip address 10.20.0.220 255.255.255.0
ip nat outside
ip virtual-reassembly
no snmp trap link-status
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip virtual-reassembly
!
router rip
version 2
network 172.16.0.0
network 192.168.0.0
no auto-summary
!
address-family ipv4 vrf isp50
network 172.16.0.0
default-information originate
no auto-summary
exit-address-family
!
address-family ipv4 vrf isp10
network 172.16.0.0
default-information originate
no auto-summary
exit-address-family
!
no ip classless
ip route vrf isp10 0.0.0.0 0.0.0.0 100.100.100.113 track 10
ip route vrf isp50 0.0.0.0 0.0.0.0 10.20.0.254 track 50
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 111 interface FastEthernet0/1 vrf isp10 overload
ip nat inside source list 111 interface Vlan1 vrf isp50 overload
ip nat inside source static tcp 192.168.0.9 3389 10.20.0.220 3389 vrf isp50 extendable match-in-vrf
ip nat inside source static tcp 192.168.0.10 3389 100.100.100.119 3389 vrf isp10 extendable match-in-vrf
!
access-list 2 permit 192.168.0.10
access-list 5 permit 192.168.0.9
access-list 111 permit ip 192.168.0.0 0.0.0.255 any
snmp-server community public RO
route-map ISP50 permit 10
match ip address 5
set ip next-hop verify-availability 172.16.121.2 1 track 50
!
route-map ISP50 permit 20
match ip address 2
set ip next-hop verify-availability 172.16.122.2 2 track 10
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password pass
login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
!
end
Pings and tracert:
Tracing route to 77.105.163.53 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.0.1
2 1 ms 1 ms 1 ms 172.16.121.2
3 1 ms * 1 ms 172.16.121.2
4 172.16.121.2 reports: Destination host unreachable.
Trace complete.
Pinging 195.34.32.116 with 32 bytes of data:
Reply from 172.16.121.2: Destination host unreachable.
Reply from 172.16.121.2: Destination host unreachable.
Reply from 172.16.121.2: Destination host unreachable.
Reply from 172.16.121.2: Destination host unreachable.
Ping statistics for 195.34.32.116:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
What did I do wrong? THANKS in advance!!!