【Lab Requirements】

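R2 has two private subnets: 192.168.1.0 with gateway 192.168.1.254, and 192.168.2.0 with gateway 192.168.2.254. R1 is the campus network egress router. ip policy-based-route is applied on R1 in the inbound direction so that different subnets take different next hops. In real deployments it is common for one subnet to go out to the public Internet and the other to the education network. NAT to the public network is configured on the other two egress interfaces.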

 

【Lab Topology and Software】

 

 

 

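The switch used in this lab is the H3C simulator, which can be downloaded here: http://forum.h3c.com/forum.php?mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8 Interested readers can download it from the forum; the post includes very detailed usage instructions and explains how to define custom topologies.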

 

【Configuration】

 

R1:

 

 nat address-group 1 202.202.100.1 202.202.100.1

 nat address-group 2 202.202.200.1 202.202.200.1

#

 domain default enable system

#

vlan 1

#

domain system

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

#

acl number 2001

 rule 0 permit source 192.168.1.254 0

 rule 5 deny

acl number 2002

 rule 0 permit source 192.168.2.254 0

#

acl number 3000

 rule 0 permit ip source 192.168.1.254 0

#

interface Serial0/6/0

 link-protocol ppp

 ip address 172.16.1.2 255.255.255.0

 ip policy-based-route celv

#

interface Serial0/6/1

 link-protocol ppp

 nat outbound 2002 address-group 2

 ip address 202.202.200.1 255.255.255.0

#

interface Serial0/6/2

 link-protocol ppp

#

interface Serial0/6/3

 link-protocol ppp

 nat outbound 2001 address-group 1

 ip address 202.202.100.1 255.255.255.0

#

interface NULL0

#

policy-based-route celv permit node 10

   if-match acl 3000

   apply ip-address next-hop 202.202.200.2

policy-based-route celv permit node 20

   apply ip-address next-hop 202.202.100.2

#

 ip route-static 0.0.0.0 0.0.0.0 172.16.1.1

 

 

R2:

self-service-url disable

#

interface Serial0/6/0

 link-protocol ppp

 ip address 172.16.1.1 255.255.255.252

#

 

#

interface NULL0

#

interface LoopBack0

 ip address 192.168.1.254 255.255.255.255

#

interface LoopBack1

 ip address 192.168.2.254 255.255.255.255

#

 

 ip route-static 0.0.0.0 0.0.0.0 172.16.1.2

#               

 

R3:

 

 

interface Serial0/6/1

 link-protocol ppp

 ip address 202.202.200.2 255.255.255.0

#

interface Serial0/6/2

 link-protocol ppp

#

interface Serial0/6/3

 link-protocol ppp

#

interface NULL0

 

#

 ip route-static 0.0.0.0 0.0.0.0 202.202.200.1

#

 

R5:

 

interface Serial0/6/3

 link-protocol ppp

 ip address 202.202.100.2 255.255.255.0

#

interface NULL0

#

 ip route-static 0.0.0.0 0.0.0.0 202.202.100.1

#

【Verification】

1. From each of the two private subnets on R2, ping a public address, then check on R1 whether NAT was configured successfully.

 

ping -a 192.168.2.254 202.202.200.2

  PING 202.202.200.2: 56  data bytes, press CTRL_C to break

    Reply from 202.202.200.2: bytes=56 Sequence=1 ttl=254 time=20 ms

    Reply from 202.202.200.2: bytes=56 Sequence=2 ttl=254 time=10 ms

    Reply from 202.202.200.2: bytes=56 Sequence=3 ttl=254 time=10 ms

    Reply from 202.202.200.2: bytes=56 Sequence=4 ttl=254 time=20 ms

    Reply from 202.202.200.2: bytes=56 Sequence=5 ttl=254 time=26 ms

 

  --- 202.202.200.2 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 10/17/26 ms

 

 

 

ping -a 192.168.1.254 202.202.100.2

  PING 202.202.100.2: 56  data bytes, press CTRL_C to break

    Reply from 202.202.100.2: bytes=56 Sequence=1 ttl=254 time=30 ms

    Request time out

    Reply from 202.202.100.2: bytes=56 Sequence=3 ttl=254 time=10 ms

    Reply from 202.202.100.2: bytes=56 Sequence=4 ttl=254 time=20 ms

    Reply from 202.202.100.2: bytes=56 Sequence=5 ttl=254 time=4 ms

 

  --- 202.202.100.2 ping statistics ---

    5 packet(s) transmitted

    4 packet(s) received

    20.00% packet loss

    round-trip min/avg/max = 4/16/30 ms

 

 

 

 

dis nat session

 

There are currently 1 NAT session:

 

Protocol      GlobalAddr  Port      InsideAddr  Port        DestAddr  Port

       1   202.202.200.1 12288   192.168.2.254  2560   202.202.200.2  2560

 ×××:  0,        status:    11,        TTL: 00:01:00,       Left: 00:00:31

 

dis nat se

dis nat server

dis nat session

 

There are currently 1 NAT session:

 

Protocol      GlobalAddr  Port      InsideAddr  Port        DestAddr  Port

       1   202.202.100.1 12288   192.168.1.254  3072   202.202.100.2  3072

 ×××:  0,        status:    11,        TTL: 00:01:00,       Left: 00:00:54

 

As shown above, the NAT sessions are present.

 

 

 

 

2. On R2, ping the external network from each of the two subnets, and check the debugging output on R1.

 

 

 

ping -a 192.168.2.254 202.202.200.2

  PING 202.202.200.2: 56  data bytes, press CTRL_C to break

    Reply from 202.202.200.2: bytes=56 Sequence=1 ttl=254 time=20 ms

    Reply from 202.202.200.2: bytes=56 Sequence=2 ttl=254 time=10 ms

    Reply from 202.202.200.2: bytes=56 Sequence=3 ttl=254 time=10 ms

    Request time out

    Reply from 202.202.200.2: bytes=56 Sequence=5 ttl=254 time=10 ms

 

  --- 202.202.200.2 ping statistics ---

    5 packet(s) transmitted

    4 packet(s) received

    20.00% packet loss

    round-trip min/avg/max = 10/12/20 ms

 

ping -a 192.168.1.254 202.202.100.2

  PING 202.202.100.2: 56  data bytes, press CTRL_C to break

    Reply from 202.202.100.2: bytes=56 Sequence=1 ttl=254 time=14 ms

    Request time out

    Reply from 202.202.100.2: bytes=56 Sequence=3 ttl=254 time=20 ms

    Reply from 202.202.100.2: bytes=56 Sequence=4 ttl=254 time=15 ms

    Request time out

 

  --- 202.202.100.2 ping statistics ---

    5 packet(s) transmitted

    3 packet(s) received

    40.00% packet loss

    round-trip min/avg/max = 14/16/20 ms

 

On R1, view the debugging output as follows:

t d

% Current terminal debugging is on

 

t m 

% Current terminal monitor is on

 

deb

debugging ip p

debugging ip packet

debugging ip policy-based-route

 

[R1]

[R1]

*Mar 10 13:31:06:547 2013 R1 PBR/7/POLICY-ROUTING:IP policy based routing success : POLICY_ROUTEMAP : celv, Node : 20, next-hop : 202.202.100.2

[R1]

[R1]

[R1]

*Mar 10 13:31:14:813 2013 R1 PBR/7/POLICY-ROUTING:IP policy based routing success : POLICY_ROUTEMAP : celv, Node : 10, next-hop : 202.202.200.2

The debugging output above shows that both nodes were matched and that the next hops point to different IPs. Lab complete!
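
An added example, not part of the original post: a small Python check that reads the R1 lines from the configuration above and reports, for each inside source address, which PBR node and next hop it gets and whether the NAT ACL bound to the egress interface selects that source. It models only R1's first forwarding decision and assumes the next hop is reached through the interface whose subnet contains it; the function names are hypothetical.

```python
import re
from ipaddress import ip_address, ip_interface

R1_CONFIG = """\
acl number 2001
 rule 0 permit source 192.168.1.254 0
 rule 5 deny
acl number 2002
 rule 0 permit source 192.168.2.254 0
acl number 3000
 rule 0 permit ip source 192.168.1.254 0
interface Serial0/6/1
 nat outbound 2002 address-group 2
 ip address 202.202.200.1 255.255.255.0
interface Serial0/6/3
 nat outbound 2001 address-group 1
 ip address 202.202.100.1 255.255.255.0
policy-based-route celv permit node 10
 if-match acl 3000
 apply ip-address next-hop 202.202.200.2
policy-based-route celv permit node 20
 apply ip-address next-hop 202.202.100.2
"""  # R1 lines copied from the configuration on this page (only what the check needs)

def to_int(s):  # Comware writes the host wildcard 0.0.0.0 as "0"
    return int(ip_address(s)) if "." in s else int(s)

def permits(rules, src):  # first matching rule decides; no match means "not selected"
    for r in rules:
        addr, wild = (to_int(r[-2]), to_int(r[-1])) if "source" in r else (0, 0xFFFFFFFF)
        if ((to_int(src) ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return r[2] == "permit"
    return False

def audit(cfg, sources):
    """Per source: (PBR node, egress interface, NAT ACL bound there, translated?)."""
    secs = [[l.split() for l in s.splitlines()] for s in re.split(r"\n(?=\S)", cfg.strip())]
    acls = {h[2]: body for h, *body in secs if h[0] == "acl"}
    kv = [(h, {w[0]: w for w in body}) for h, *body in secs]  # body lines keyed by first word
    nodes = [(h[-1], d.get("if-match"), ip_address(d["apply"][-1])) for h, d in kv if "apply" in d]
    ifaces = [(h[1], d["ip"], d["nat"][2]) for h, d in kv if "nat" in d]
    out = {}
    for src in sources:  # a node without if-match (node 20 here) matches every packet
        node, hop = next((n, x) for n, m, x in nodes if m is None or permits(acls[m[2]], src))
        # Assumption: the next hop is reached via the interface whose subnet contains it.
        name, nat = next((i, n) for i, a, n in ifaces
                         if hop in ip_interface(f"{a[2]}/{a[3]}").network)
        out[src] = (node, name, nat, permits(acls[nat], src))
    return out
```

Calling `audit(R1_CONFIG, ["192.168.1.254", "192.168.2.254"])` shows 192.168.1.254 matching node 10 and leaving through Serial0/6/1, where NAT ACL 2002 permits only 192.168.2.254, and 192.168.2.254 falling to node 20 and Serial0/6/3, where ACL 2001 permits only 192.168.1.254. Pairing each PBR next hop with a NAT ACL on the same egress that covers the steered subnet keeps private source addresses from leaving untranslated.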