Huawei NE8000 Router: Example of Configuring Load Balancing for NAT on Enterprise Network Egress Interfaces
This example describes how to configure dual egress on the NAT-Device so that external users reach different internal server addresses through different interfaces, and so that traffic from intranet users to the Internet is load-balanced across the two uplinks.
Networking Requirements
This example uses the NetEngine 8000 M14 as the sample product.
As shown in Figure 1, NAT-Device serves as the enterprise egress gateway with dual uplinks through Interface2 and Interface3. NAT is configured to translate private addresses to public addresses. The enterprise wants to offer external users access to a WEB server and an FTP server. The WEB server has two IP addresses, 192.168.4.1/16 and 192.168.5.1/16; the FTP server has two IP addresses, 192.168.2.1/16 and 192.168.3.1/16.
The IP address of each interface is shown in Figure 1. The configuration must meet the following requirements:
(1) External users can access the enterprise's internal WEB server and FTP server.
(2) Intranet users and the internal servers can access each other directly, without NAT translation.
(3) Traffic from the enterprise network to the Internet is load-balanced by source IP address.
Figure 1 Networking diagram of the configuration scenario
In this example, interface1, interface2 and interface3 correspond to GE0/2/0, GE0/2/1 and GE0/2/2 respectively.
Configuration Roadmap
(1) Configure the load-balancing function.
(2) Configure basic NAT functions.
(3) Configure the NAT internal server mappings.
(4) Enable NAT ALG for the WEB and FTP protocols.
(5) Configure the NAT traffic-steering policy.
(6) Apply the NAT traffic-steering policy.
(7) Configure default routes.
Data Preparation
(1) NAT instance names and indexes: nat1 with index 1, nat2 with index 2.
(2) Address pool name address-group1 with pool ID 1 under both instance nat1 and instance nat2.
(3) In NAT instance nat1, the private IP address of the FTP server is 192.168.2.1 and of the WEB server 192.168.4.1; in NAT instance nat2, the private IP address of the FTP server is 192.168.3.1 and of the WEB server 192.168.5.1.
(4) Interface GE0/2/0 with IP address 192.168.0.1/16, interface GE0/2/1 with IP address 10.11.1.1/24, and interface GE0/2/2 with IP address 10.11.2.1/24.
(5) ACL numbers 3000 through 3005.
(6) Apply the NAT traffic-steering policy on interface GE0/2/0; bind ACL 3000 and NAT instance nat1 on interface GE0/2/1; bind ACL 3000 and NAT instance nat2 on interface GE0/2/2.
Procedure
(1) Configure basic NAT functions.
Configure inbound IP packets on all slots to use the source IP address as the hash key for load balancing.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] load-balance hash-key ip source-ip slot all
[*NAT-Device] commit
Create NAT instances nat1 and nat2.
[~NAT-Device] service-location 1
[*NAT-Device-service-location-1] location follow-forwarding-mode
[*NAT-Device-service-location-1] commit
[~NAT-Device-service-location-1] quit
[~NAT-Device] service-instance-group group1
[*NAT-Device-service-instance-group-group1] service-location 1
[*NAT-Device-service-instance-group-group1] commit
[~NAT-Device-service-instance-group-group1] quit
[~NAT-Device] nat instance nat1 id 1
[*NAT-Device-nat-instance-nat1] service-instance-group group1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[*NAT-Device-nat-instance-nat2] service-instance-group group1
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
The NAT function requires that traffic needing NAT be steered to the service board; the binding command on the egress interface solves this steering problem.
For traffic that hits an ACL deny rule:
(1) if the parameter mode deny-forward is configured, the traffic is forwarded transparently;
(2) if mode deny-forward is not configured, the traffic is dropped.
Configure the interface addresses.
[~NAT-Device] interface gigabitEthernet 0/2/0
[~NAT-Device-GigabitEthernet0/2/0] ip address 192.168.0.1 16
[*NAT-Device-GigabitEthernet0/2/0] commit
[~NAT-Device-GigabitEthernet0/2/0] quit
[~NAT-Device] interface gigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] ip address 10.11.1.1 24
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface gigabitEthernet 0/2/2
[~NAT-Device-GigabitEthernet0/2/2] ip address 10.11.2.1 24
[*NAT-Device-GigabitEthernet0/2/2] commit
[~NAT-Device-GigabitEthernet0/2/2] quit
Configure the NAT address pools.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/2
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
(2) Configure the NAT internal server mappings.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 ftp inside 192.168.2.1 ftp
[~NAT-Device-nat-instance-nat1] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 www inside 192.168.4.1 www
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 ftp inside 192.168.3.1 ftp
[~NAT-Device-nat-instance-nat2] nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 www inside 192.168.5.1 www
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
(3) Configure the NAT ALG function. Enable NAT ALG for FTP and DNS in the NAT instances: traffic entering a NAT instance receives ALG processing for the enabled application protocols. Configure DNS mapping: in the NAT instance, configure public-to-private address mapping for a DNS domain name so that the DNS resolution result is translated into the internal server address.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] nat alg ftp
[*NAT-Device-nat-instance-nat1] nat alg dns
[*NAT-Device-nat-instance-nat1] nat dns-mapping domain www.huawei.com global-address 10.11.1.1 inside-address 192.168.4.1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2
[~NAT-Device-nat-instance-nat2] nat alg ftp
[*NAT-Device-nat-instance-nat2] nat alg dns
[*NAT-Device-nat-instance-nat2] nat dns-mapping domain www.huawei.com global-address 10.11.2.1 inside-address 192.168.5.1
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
(4) Configure redirection: in the NAT instance view, redirect the upstream (outbound) direction to the next-hop IP address.
[~NAT-Device] nat instance nat1
[~NAT-Device-nat-instance-nat1] redirect ip-nexthop 10.11.1.2 outbound
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2
[~NAT-Device-nat-instance-nat2] redirect ip-nexthop 10.11.2.2 outbound
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
(5) Configure the NAT traffic-steering policy.
Configure ACL 3000, which permits hosts in the enterprise network to access the Internet.
[~NAT-Device] acl 3000
[*NAT-Device-acl4-advance-3000] rule 1 permit ip
[*NAT-Device-acl4-advance-3000] commit
[~NAT-Device-acl4-advance-3000] quit
Configure ACL 3001, which permits enterprise users to access each other.
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip source 192.168.0.0 0.0.255.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] rule 1 permit ip destination 2.1.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
Configure ACL 3002, which permits the enterprise host 192.168.2.1/32 to access the Internet.
[~NAT-Device] acl 3002
[*NAT-Device-acl4-advance-3002] rule 1 permit ip source 192.168.2.1 0.0.0.0
[*NAT-Device-acl4-advance-3002] commit
[~NAT-Device-acl4-advance-3002] rule 1 permit ip destination 2.1.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3002] commit
[~NAT-Device-acl4-advance-3002] quit
Configure ACL 3003, which permits the enterprise host 192.168.3.1/32 to access the Internet.
[~NAT-Device] acl 3003
[*NAT-Device-acl4-advance-3003] rule 1 permit ip source 192.168.3.1 0.0.0.0
[*NAT-Device-acl4-advance-3003] commit
[~NAT-Device-acl4-advance-3003] rule 1 permit ip destination 2.1.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3003] commit
[~NAT-Device-acl4-advance-3003] quit
Configure ACL 3004, which permits the enterprise host 192.168.4.1/32 to access the Internet.
[~NAT-Device] acl 3004
[*NAT-Device-acl4-advance-3004] rule 1 permit ip source 192.168.4.1 0.0.0.0
[*NAT-Device-acl4-advance-3004] commit
[~NAT-Device-acl4-advance-3004] rule 1 permit ip destination 2.1.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3004] commit
[~NAT-Device-acl4-advance-3004] quit
Configure ACL 3005, which permits the enterprise host 192.168.5.1/32 to access the Internet.
[~NAT-Device] acl 3005
[*NAT-Device-acl4-advance-3005] rule 1 permit ip source 192.168.5.1 0.0.0.0
[*NAT-Device-acl4-advance-3005] commit
[~NAT-Device-acl4-advance-3005] rule 1 permit ip destination 2.1.1.0 0.0.0.255
[*NAT-Device-acl4-advance-3005] commit
[~NAT-Device-acl4-advance-3005] quit
Define the traffic classifiers for the flows to be redirected.
[~NAT-Device] traffic classifier redirectover1 operator or
[*NAT-Device-classifier-redirectover1] if-match acl 3001
[*NAT-Device-classifier-redirectover1] commit
[~NAT-Device-classifier-redirectover1] quit
[~NAT-Device] traffic classifier redirectover2 operator or
[*NAT-Device-classifier-redirectover2] if-match acl 3002
[*NAT-Device-classifier-redirectover2] commit
[~NAT-Device-classifier-redirectover2] quit
[~NAT-Device] traffic classifier redirectover3 operator or
[*NAT-Device-classifier-redirectover3] if-match acl 3003
[*NAT-Device-classifier-redirectover3] commit
[~NAT-Device-classifier-redirectover3] quit
[~NAT-Device] traffic classifier redirectover4 operator or
[*NAT-Device-classifier-redirectover4] if-match acl 3004
[*NAT-Device-classifier-redirectover4] commit
[~NAT-Device-classifier-redirectover4] quit
[~NAT-Device] traffic classifier redirectover5 operator or
[*NAT-Device-classifier-redirectover5] if-match acl 3005
[*NAT-Device-classifier-redirectover5] commit
[~NAT-Device-classifier-redirectover5] quit
Define the traffic behaviors for the flows to be redirected. In behavior redirectover2, set the redirect next-hop IP address to 10.11.1.2; in behavior redirectover3, set the redirect next-hop IP address to 10.11.2.2.
[~NAT-Device] traffic behavior redirectover1
[*NAT-Device-behavior-redirectover1] commit
[~NAT-Device-behavior-redirectover1] quit
[~NAT-Device] traffic behavior redirectover2
[*NAT-Device-behavior-redirectover2] redirect ip-nexthop 10.11.1.2
[*NAT-Device-behavior-redirectover2] commit
[~NAT-Device-behavior-redirectover2] quit
[~NAT-Device] traffic behavior redirectover3
[*NAT-Device-behavior-redirectover3] redirect ip-nexthop 10.11.2.2
[*NAT-Device-behavior-redirectover3] commit
[~NAT-Device-behavior-redirectover3] quit
Bind the classifiers and behaviors in a traffic policy.
Enterprise users in the same network segment 192.168.0.0/16 access each other directly without NAT; this flow is given precedence 1, the highest priority.
Flows with source address 192.168.2.1/32 exit through Interface2, precedence 2.
Flows with source address 192.168.3.1/32 exit through Interface3, precedence 3.
Flows with source address 192.168.4.1/32 exit through Interface2, precedence 4.
Flows with source address 192.168.5.1/32 exit through Interface3, precedence 5.
[~NAT-Device] traffic policy redirect
[*NAT-Device-trafficpolicy-redirect] classifier redirectover1 behavior redirectover1 precedence 1
[*NAT-Device-trafficpolicy-redirect] classifier redirectover2 behavior redirectover2 precedence 2
[*NAT-Device-trafficpolicy-redirect] classifier redirectover3 behavior redirectover3 precedence 3
[*NAT-Device-trafficpolicy-redirect] classifier redirectover4 behavior redirectover2 precedence 4
[*NAT-Device-trafficpolicy-redirect] classifier redirectover5 behavior redirectover3 precedence 5
[*NAT-Device-trafficpolicy-redirect] commit
[~NAT-Device-trafficpolicy-redirect] quit
(6) Apply the traffic policy and bind the NAT instances to the egress interfaces.
[~NAT-Device] interface gigabitEthernet 0/2/0
[*NAT-Device-GigabitEthernet0/2/0] traffic-policy redirect inbound
[*NAT-Device-GigabitEthernet0/2/0] commit
[~NAT-Device-GigabitEthernet0/2/0] quit
[~NAT-Device] interface gigabitEthernet 0/2/1
[*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3000 instance nat1
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
[~NAT-Device] interface gigabitEthernet 0/2/2
[*NAT-Device-GigabitEthernet0/2/2] nat bind acl 3000 instance nat2
[*NAT-Device-GigabitEthernet0/2/2] commit
[~NAT-Device-GigabitEthernet0/2/2] quit
(7) Configure the default routes.
[~NAT-Device] ip route-static 0.0.0.0 0.0.0.0 10.11.1.2
[*NAT-Device] ip route-static 0.0.0.0 0.0.0.0 10.11.2.2
[*NAT-Device] commit
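The precedence-ordered matching built in steps (5) and (6), as an added Python model that is not part of this page or of any Huawei tool. It encodes ACLs 3002 to 3005 as the step text describes them (one /32 source each) and, as an assumption, writes ACL 3001 as intranet-to-intranet (source and destination both in 192.168.0.0/16) rather than the rule lines printed above; it then shows the check a reviewer wants: the precedence 1 intranet classifier must not be broad enough to shadow the per-server redirects.

```python
import ipaddress

# Huawei advanced ACLs use wildcard (inverse) masks: 0.0.255.255 covers a /16, 0.0.0.0 is one host.
def wildcard_match(addr, base, wildcard):
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(base)) & mask)

def rule(source=None, destination=None):
    """One 'rule permit ip' line; an omitted source/destination means 'any'."""
    def match(src, dst):
        return (source is None or wildcard_match(src, *source)) and \
               (destination is None or wildcard_match(dst, *destination))
    return match

# ACLs 3002-3005 as the step text describes them (one /32 source each).
# ACL 3001 is constructed here as intranet-to-intranet (source AND destination in
# 192.168.0.0/16); this is an assumption, not the rule lines printed on the page.
ACLS = {
    3001: [rule(source=("192.168.0.0", "0.0.255.255"),
                destination=("192.168.0.0", "0.0.255.255"))],
    3002: [rule(source=("192.168.2.1", "0.0.0.0"))],
    3003: [rule(source=("192.168.3.1", "0.0.0.0"))],
    3004: [rule(source=("192.168.4.1", "0.0.0.0"))],
    3005: [rule(source=("192.168.5.1", "0.0.0.0"))],
}

# traffic policy "redirect": (precedence, ACL of the classifier, next hop set by the behavior).
# None stands for behavior redirectover1, which has no action, so the flow is routed normally.
POLICY = [
    (1, 3001, None),         # redirectover1: intranet traffic, no NAT, no redirect
    (2, 3002, "10.11.1.2"),  # redirectover2: FTP 192.168.2.1 -> Interface2 next hop
    (3, 3003, "10.11.2.2"),  # redirectover3: FTP 192.168.3.1 -> Interface3 next hop
    (4, 3004, "10.11.1.2"),  # redirectover4 reuses behavior redirectover2
    (5, 3005, "10.11.2.2"),  # redirectover5 reuses behavior redirectover3
]

def classify(src, dst, acls=ACLS, policy=POLICY):
    """Return (precedence, next_hop) of the first classifier the flow hits, lowest precedence
    first; 'operator or' means any permitted rule of the ACL matches. (None, None) means no
    classifier matched, so the flow follows the two default routes, spread by the source-IP hash."""
    for precedence, acl, next_hop in sorted(policy):
        if any(r(src, dst) for r in acls[acl]):
            return precedence, next_hop
    return None, None

def with_source_only_intranet_rule():
    """Variant where ACL 3001 matches on source 192.168.0.0/16 alone: every internal host
    then hits precedence 1 and the per-server redirects at precedence 2-5 never apply."""
    return {**ACLS, 3001: [rule(source=("192.168.0.0", "0.0.255.255"))]}
```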
Configuration File
#
sysname NAT-Device
#
load-balance hash-key ip source-ip slot all
#
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/1
 nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 ftp inside 192.168.2.1 ftp
 nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/1 www inside 192.168.4.1 www
 nat alg ftp
 nat alg dns
 redirect ip-nexthop 10.11.1.2 outbound
 nat dns-mapping domain www.huawei.com global-address 10.11.1.1 inside-address 192.168.4.1
#
nat instance nat2 id 2
 service-instance-group group1
 nat address-group address-group1 group-id 1 unnumbered interface GigabitEthernet 0/2/2
 nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 ftp inside 192.168.3.1 ftp
 nat server protocol tcp global unnumbered interface GigabitEthernet 0/2/2 www inside 192.168.5.1 www
 nat alg ftp
 nat alg dns
 redirect ip-nexthop 10.11.2.2 outbound
 nat dns-mapping domain www.huawei.com global-address 10.11.2.1 inside-address 192.168.5.1
#
acl number 3000
 rule 1 permit ip
#
acl number 3001
 rule 1 permit ip source 192.168.0.0 0.0.255.255
 rule 1 permit ip destination 2.1.1.0 0.0.0.255
#
acl number 3002
 rule 1 permit ip source 192.168.2.1 0.0.0.0
 rule 1 permit ip destination 2.1.1.0 0.0.0.255
#
acl number 3003
 rule 1 permit ip source 192.168.3.1 0.0.0.0
 rule 1 permit ip destination 2.1.1.0 0.0.0.255
#
acl number 3004
 rule 1 permit ip source 192.168.4.1 0.0.0.0
 rule 1 permit ip destination 2.1.1.0 0.0.0.255
#
acl number 3005
 rule 1 permit ip source 192.168.5.1 0.0.0.0
 rule 1 permit ip destination 2.1.1.0 0.0.0.255
#
traffic classifier redirectover1 operator or
 if-match acl 3001 precedence 1
#
traffic classifier redirectover2 operator or
 if-match acl 3002 precedence 1
#
traffic classifier redirectover3 operator or
 if-match acl 3003 precedence 1
#
traffic classifier redirectover4 operator or
 if-match acl 3004 precedence 1
#
traffic classifier redirectover5 operator or
 if-match acl 3005 precedence 1
#
traffic behavior redirectover1
#
traffic behavior redirectover2
 redirect ip-nexthop 10.11.1.2
#
traffic behavior redirectover3
 redirect ip-nexthop 10.11.2.2
#
traffic policy redirect
 classifier redirectover1 behavior redirectover1 precedence 1
 classifier redirectover2 behavior redirectover2 precedence 2
 classifier redirectover3 behavior redirectover3 precedence 3
 classifier redirectover4 behavior redirectover2 precedence 4
 classifier redirectover5 behavior redirectover3 precedence 5
#
interface GigabitEthernet 0/2/0
 undo shutdown
 ip address 192.168.0.1 255.255.0.0
 traffic-policy redirect inbound
#
interface GigabitEthernet 0/2/1
 undo shutdown
 ip address 10.11.1.1 255.255.255.0
 nat bind acl 3000 instance nat1
#
interface GigabitEthernet 0/2/2
 undo shutdown
 ip address 10.11.2.1 255.255.255.0
 nat bind acl 3000 instance nat2
#
ip route-static 0.0.0.0 0.0.0.0 10.11.1.2
ip route-static 0.0.0.0 0.0.0.0 10.11.2.2
#
return
Reprints must retain the source: www.zh-cjh.com (Zhuhai Chen Jianhao's blog) » Huawei NE8000 Router: Example of Configuring Load Balancing for NAT on Enterprise Network Egress Interfaces
Author: cjh