60 - MSR Series Routers: Typical Configuration Example for a NAT Server with Dual Education-Network Exits
MSR Series Routers: Typical Configuration Example for a Dual-Exit NAT Server
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced or transmitted in any form by any unit or individual without the prior written permission of the company. The information in this document is subject to change without notice.
This document describes a typical configuration case in which NAT is used to connect an internal network to the outside through two exits.
This document is not tied to specific software or hardware versions. If what you observe in practice differs from this document, refer to the relevant product manuals or follow the actual behaviour of the device.
The configurations in this document were performed and verified in a laboratory environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure that the existing configuration does not conflict with the configuration in the following example.
This document assumes that you are familiar with the NAT (Network Address Translation) feature.
As shown in Figure 1, the LAN connects to ISP 1 and ISP 2 through an MSR router. NAT is to be configured on the MSR so that:
· The LAN accesses ISP 1 through GigabitEthernet5/1 and ISP 2 through GigabitEthernet5/0.
· Hosts in ISP 2 and hosts inside the LAN can access the LAN server directly or through the domain name test.lan.cn.
Figure 1 Typical configuration of a dual-exit NAT server on an MSR series router in an education network

To let the LAN server be reached from both inside and outside, configure a static address translation mapping on each interface of the MSR router. Configure dynamic address translation so that LAN hosts can access ISP 2, ISP 1 and the LAN server, and finally configure policy-based routing for the LAN server so that the server can reach ISP 1.
This example was configured and verified on Release 2311.
MSR router configuration:
# Configure the interface IP addresses.
<Router> system-view
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] ip address 192.168.86.2 255.255.0.0
[Router-GigabitEthernet0/0] quit
[Router] interface gigabitethernet 5/0
[Router-GigabitEthernet5/0] port link-mode route
[Router-GigabitEthernet5/0] ip address 202.2.2.2 255.255.255.0
[Router-GigabitEthernet5/0] quit
[Router] interface gigabitethernet 5/1
[Router-GigabitEthernet5/1] port link-mode route
[Router-GigabitEthernet5/1] ip address 211.1.1.2 255.255.255.0
[Router-GigabitEthernet5/1] quit
# Configure the static address translation mapping.
[Router] nat static 192.168.34.55 211.1.1.4
# Enable the configured static address translation on the interfaces.
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] nat outbound static
[Router-GigabitEthernet0/0] quit
[Router] interface gigabitethernet 5/0
[Router-GigabitEthernet5/0] nat outbound static
[Router-GigabitEthernet5/0] quit
[Router] interface gigabitethernet 5/1
[Router-GigabitEthernet5/1] nat outbound static
[Router-GigabitEthernet5/1] quit
# Map the LAN server's domain name test.lan.cn to its private IP address 192.168.34.55/16.
[Router] ip host test.lan.cn 192.168.34.55
# Configure address group 1 for ISP 1, with public addresses 211.1.1.50 through 211.1.1.100.
[Router] nat address-group 1 211.1.1.50 211.1.1.100
# Create ACL 2000 to permit hosts in the LAN segment 192.168.0.0/16 to access ISP 1 and ISP 2.
[Router] acl number 2000
[Router-acl-basic-2000] rule 10 permit source 192.168.0.0 0.0.255.255
[Router-acl-basic-2000] quit
# On interface GigabitEthernet5/1, associate ACL 2000 with address group 1 to perform NAT.
[Router] interface gigabitethernet 5/1
[Router-GigabitEthernet5/1] nat outbound 2000 address-group 1
[Router-GigabitEthernet5/1] quit
# Configure address group 2 for ISP 2, with public addresses 202.2.2.50 through 202.2.2.100.
[Router] nat address-group 2 202.2.2.50 202.2.2.100
# Create ACL 2000 to permit hosts in the LAN segment 192.168.0.0/16 to access ISP 2.
[Router] acl number 2000
[Router-acl-basic-2000] rule 10 permit source 192.168.0.0 0.0.255.255
[Router-acl-basic-2000] quit
# On interface GigabitEthernet5/0, associate ACL 2000 with address group 2 to perform NAT.
[Router] interface gigabitethernet 5/0
[Router-GigabitEthernet5/0] nat outbound 2000 address-group 2
[Router-GigabitEthernet5/0] quit
# Create ACL 3000 so that the intranet 192.168.0.0/16 can reach the host address 192.168.34.55/16.
[Router] acl number 3000
[Router-acl-adv-3000] rule 10 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.34.55 0
[Router-acl-adv-3000] quit
# Apply ACL 3000 on interface GigabitEthernet0/0 to perform NAT.
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] nat outbound 3000
[Router-GigabitEthernet0/0] quit
# Create ACL 2222 to permit the host address 192.168.34.55/16.
[Router] acl number 2222
[Router-acl-basic-2222] rule 0 permit source 192.168.34.55 0
[Router-acl-basic-2222] quit
# Configure policy aaa with match mode permit and node number 2, matching ACL 2222 and applying the next hop 211.1.1.1/24, which is reached through MSR interface GigabitEthernet5/1.
[Router] policy-based-route aaa permit node 2
[Router-pbr-aaa-2] if-match acl 2222
[Router-pbr-aaa-2] apply ip-address next-hop 211.1.1.1
[Router-pbr-aaa-2] quit
# Create ACL 3333 to match traffic from host address 192.168.34.55/16 to the destination segment 192.168.0.0/16, for use by the deny node of the policy.
[Router] acl number 3333
[Router-acl-adv-3333] rule 0 permit ip source 192.168.34.55 0 destination 192.168.0.0 0.0.255.255
[Router-acl-adv-3333] quit
# Configure policy aaa with match mode deny and node number 3, matching ACL 3333.
[Router] policy-based-route aaa deny node 3
[Router-pbr-aaa-3] if-match acl 3333
[Router-pbr-aaa-3] quit
# Apply policy-based routing policy aaa on interface GigabitEthernet0/0.
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] ip policy-based-route aaa
[Router-GigabitEthernet0/0] quit
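As an added example (not part of the H3C document), the Python model below applies the static mapping, the ACL 2000 dynamic pools, the ACL 3000 rule on GigabitEthernet0/0 and policy aaa from the procedure above to the first packet of a flow and reports the egress interface and the translated addresses. The short interface names, the sample hosts 192.168.1.10 and 202.2.2.10, and the choice of the first pool address are constructed assumptions.

```python
import ipaddress as ipa

# Constructed model of the NAT and PBR configuration above (example code, not H3C's own).
LAN = ipa.ip_network("192.168.0.0/16")          # source of ACL 2000 / 3000
SERVER = ipa.ip_address("192.168.34.55")        # nat static, inside address
SERVER_PUB = ipa.ip_address("211.1.1.4")        # nat static, global address
GE00_ADDR = ipa.ip_address("192.168.86.2")      # Easy IP address used by "nat outbound 3000"
POOL = {"GE5/1": ipa.ip_address("211.1.1.50"),  # address-group 1; first address assumed
        "GE5/0": ipa.ip_address("202.2.2.50")}  # address-group 2; first address assumed
CONNECTED = {"GE0/0": LAN,                      # interface names are constructed short forms
             "GE5/0": ipa.ip_network("202.2.2.0/24"),
             "GE5/1": ipa.ip_network("211.1.1.0/24")}
PBR_AAA = [  # policy-based-route aaa, applied on GE0/0, nodes checked in ascending order
    (2, "permit", lambda s, d: s == SERVER, "GE5/1"),          # ACL 2222 -> next hop 211.1.1.1
    (3, "deny", lambda s, d: s == SERVER and d in LAN, None),  # ACL 3333 -> normal forwarding
]

def egress(ingress, src, dst):
    """Outgoing interface for a packet: PBR on GE0/0 first, then the routing table."""
    if ingress == "GE0/0":
        for _node, action, match, out in PBR_AAA:
            if match(src, dst):
                if action == "permit":
                    return out
                break                                   # deny node: use the routing table
    for ifname, net in CONNECTED.items():               # connected routes
        if dst in net:
            return ifname
    return "GE5/0"                                      # ip route-static 0.0.0.0 0.0.0.0 202.2.2.1

def translate(ingress, src, dst):
    """(egress, translated source, translated destination) for the first packet of a flow.
    Replies are not modelled: the router reverses them from its NAT session table."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    if dst == SERVER_PUB:           # "nat outbound static" on every interface: map the global
        dst = SERVER                # address back to the server before routing
    out = egress(ingress, src, dst)
    if src == SERVER:               # the static mapping takes precedence over ACL 2000 dynamic NAT
        src = SERVER_PUB
    elif out == "GE0/0" and src in LAN and dst == SERVER:
        src = GE00_ADDR             # "nat outbound 3000": LAN host reaching the server via 211.1.1.4
    elif out in POOL and src in LAN:
        src = POOL[out]             # "nat outbound 2000 address-group 1/2"
    return out, str(src), str(dst)

if __name__ == "__main__":          # constructed hosts: LAN host 192.168.1.10, ISP 2 host 202.2.2.10
    for pkt in [("GE0/0", "192.168.1.10", "211.1.1.4"),
                ("GE5/0", "202.2.2.10", "211.1.1.4"),
                ("GE0/0", "192.168.34.55", "202.2.2.10")]:
        print(pkt, "->", translate(*pkt))
```

The first packet shows why `nat outbound 3000` is needed on GigabitEthernet0/0: a LAN host addressing the server by 211.1.1.4 has both its destination and its source rewritten, so the server answers the router rather than the host directly.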
(1) Verify that hosts inside the LAN can communicate with the outside.
# The LAN host Host pings the server IP address 211.1.1.4/24; the ping succeeds.
C:\Documents and Settings\Administrator> ping 211.1.1.4
Pinging 211.1.1.4 with 32 bytes of data:
Reply from 211.1.1.4: bytes=32 time=8 ms ttl=127
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=127
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=127
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=127
Ping statistics for 211.1.1.4:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
# The LAN host Host pings the IP address of ISP 1; the ping succeeds.
C:\Documents and Settings\Administrator> ping 211.1.1.1
Pinging 211.1.1.1 with 32 bytes of data:
Reply from 211.1.1.1: bytes=32 time=8 ms ttl=254
Reply from 211.1.1.1: bytes=32 time=1 ms ttl=254
Reply from 211.1.1.1: bytes=32 time=1 ms ttl=254
Reply from 211.1.1.1: bytes=32 time=1 ms ttl=254
Ping statistics for 211.1.1.1:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
# The LAN host Host pings the IP address of ISP 2; the ping succeeds.
C:\Documents and Settings\Administrator> ping 202.2.2.1
Pinging 202.2.2.1 with 32 bytes of data:
Reply from 202.2.2.1: bytes=32 time=8 ms ttl=254
Reply from 202.2.2.1: bytes=32 time=1 ms ttl=254
Reply from 202.2.2.1: bytes=32 time=1 ms ttl=254
Reply from 202.2.2.1: bytes=32 time=1 ms ttl=254
Ping statistics for 202.2.2.1:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
(2) Verify that hosts inside the LAN and hosts inside ISP 2 can communicate with the LAN server.
# The LAN host Host pings the server domain name test.lan.cn; the ping succeeds.
C:\Documents and Settings\Administrator> ping test.lan.cn
Pinging 192.168.34.55 with 32 bytes of data:
Reply from 192.168.34.55: bytes=32 time=8 ms ttl=255
Reply from 192.168.34.55: bytes=32 time=1 ms ttl=255
Reply from 192.168.34.55: bytes=32 time=1 ms ttl=255
Reply from 192.168.34.55: bytes=32 time=1 ms ttl=255
Ping statistics for 192.168.34.55:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
# A host inside ISP 2 pings the server domain name test.lan.cn; the ping succeeds.
C:\Documents and Settings\Administrator> ping test.lan.cn
Pinging 211.1.1.4 with 32 bytes of data:
Reply from 211.1.1.4: bytes=32 time=8 ms ttl=125
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=125
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=125
Reply from 211.1.1.4: bytes=32 time=1 ms ttl=125
Ping statistics for 211.1.1.4:
Packets: Sent =4, Received = 4,Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 8ms, Average = 2ms
#
nat address-group 1 211.1.1.50 211.1.1.100
nat address-group 2 202.2.2.50 202.2.2.100
#
acl number 2000
rule 10 permit source 192.168.0.0 0.0.255.255
acl number 2222
rule 0 permit source 192.168.34.55 0
#
acl number 3000
rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.34.55 0
acl number 3333
rule 0 permit ip source 192.168.34.55 0 destination 192.168.0.0 0.0.255.255
#
policy-based-route aaa deny node 3
if-match acl 3333
policy-based-route aaa permit node 2
if-match acl 2222
apply ip-address next-hop 211.1.1.1
#
interface GigabitEthernet0/0
port link-mode route
nat outbound static
nat outbound 3000
ip address 192.168.86.2 255.255.0.0
ip policy-based-route aaa
#
interface GigabitEthernet5/0
port link-mode route
nat outbound 2000 address-group 2
nat outbound static
ip address 202.2.2.2 255.255.255.0
tcp mss 1420
#
interface GigabitEthernet5/1
port link-mode route
nat outbound static
nat outbound 2000 address-group 1
ip address 211.1.1.2 255.255.255.0
tcp mss 1420
#
ip route-static 0.0.0.0 0.0.0.0 202.2.2.1
#
nat static 192.168.34.55 211.1.1.4
#
· H3C MSR Series Routers Command Reference (V5)-R2311
· H3C MSR Series Routers Configuration Guide (V5)-R2311
Documentation differs slightly between models and specifications; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the content of its documentation without notice.
