Huawei NE8000 Router: Comprehensive Example of Configuring Dual-Uplink NAT and a NAT Internal Server for a School
Configuration Roadmap
(1) Configure basic NAT functions.
(2) Configure the NAT internal server.
(3) Configure the redirection function.
(4) Configure the NAT traffic diversion policy.
(5) Apply the NAT traffic diversion policy.
Data Preparation
(1) NAT instances: nat1 with index 1 and nat2 with index 2, each with its own public address pool.
(2) NAT address pools on NAT-Device: address-group1 with pool ID 1 and address-group2 with pool ID 2.
(3) ACL numbers 3000, 3001, 3002, 3003, 3004 and 3005 (3000 is the ACL bound to the NAT instances on the uplink interfaces; 3001 to 3005 feed the traffic classifiers).
(4) Interfaces on which the NAT diversion policy and the NAT bindings are applied: GE0/2/0, GE0/2/2 and GE0/2/1, with IP addresses 192.168.1.1/24, 2.1.1.1/24 and 1.1.1.1/24 respectively.
(5) Campus internal server: private IP address 192.168.4.1, translated public address 2.1.1.3.
Procedure
(1) Configure basic NAT functions.
Create NAT instances nat1 and nat2.
<HUAWEI> system-view
[~HUAWEI] sysname NAT-Device
[*HUAWEI] commit
[~NAT-Device] service-location 1
[*NAT-Device-service-location-1] location follow-forwarding-mode
[*NAT-Device-service-location-1] commit
[~NAT-Device-service-location-1] quit
[~NAT-Device] service-instance-group group1
[*NAT-Device-service-instance-group-group1] service-location 1
[*NAT-Device-service-instance-group-group1] commit
[~NAT-Device-service-instance-group-group1] quit
[~NAT-Device] nat instance nat1 id 1
[*NAT-Device-nat-instance-nat1] service-instance-group group1
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[*NAT-Device-nat-instance-nat2] service-instance-group group1
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
NAT requires that the traffic to be translated is diverted to the service board. The nat bind acl ... instance command, applied to the two uplink interfaces in step (4), takes care of this diversion on the outbound interface side.
For traffic that hits an ACL deny rule of the bound ACL:
(1) with the parameter mode deny-forward, the traffic is passed through without translation;
(2) without mode deny-forward, the traffic is dropped.
Configure the NAT address pools.
Configure the address pool of NAT instance nat1. It is the pool for the public Internet, used to translate traffic to non-education-network destinations.
Configure the address pool of NAT instance nat2. It is the pool for the education network, used to translate traffic to education-network destinations.
[~NAT-Device] nat instance nat1 id 1
[~NAT-Device-nat-instance-nat1] nat address-group address-group1 group-id 1 1.1.1.50 1.1.1.100
[*NAT-Device-nat-instance-nat1] redirect ip-nexthop 1.1.1.2 outbound
[*NAT-Device-nat-instance-nat1] commit
[~NAT-Device-nat-instance-nat1] quit
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat address-group address-group2 group-id 2 2.1.1.50 2.1.1.100
[*NAT-Device-nat-instance-nat2] redirect ip-nexthop 2.1.1.2 outbound
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
(2) Configure the NAT internal server under NAT instance nat2: private address 192.168.4.1, translated public address 2.1.1.3. Note that nat server global ... inside ... is a one-to-one mapping that exposes every port of 192.168.4.1 at 2.1.1.3 to the education network; if only specific services need to be reachable, prefer the port-level form of the command (for example nat server protocol tcp global 2.1.1.3 80 inside 192.168.4.1 80; check the exact syntax supported by your software version) so that only those ports are mapped.
[~NAT-Device] nat instance nat2 id 2
[~NAT-Device-nat-instance-nat2] nat server-mode enable
[*NAT-Device-nat-instance-nat2] nat server global 2.1.1.3 inside 192.168.4.1
[*NAT-Device-nat-instance-nat2] commit
[~NAT-Device-nat-instance-nat2] quit
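The address plan of the two instances above is small enough to check by eye, but the same mistakes recur on larger deployments: a dynamic pool that contains the uplink interface address, the next hop or the internal server's global address would hijack traffic for those hosts, the two pools must not overlap, and a pool outside the uplink subnet needs a route on the upstream router. The following Python example is added here and is not from the page or from Huawei; it encodes the pools, uplink addresses, next hops and the static server mapping of this example and reports such conflicts. NatInstance, the check functions and the deliberately misconfigured second data set are constructs of this example, not device commands.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations

# Example code: models the address plan of the NE8000 example on this page.
# NatInstance and the check functions are this example's own, not VRP commands.


@dataclass
class NatInstance:
    name: str
    uplink: str            # address/prefix of the uplink interface the instance is bound on
    next_hop: str          # redirect ip-nexthop ... outbound
    pool: tuple            # (first, last) of the nat address-group
    servers: list = field(default_factory=list)   # (global, inside) nat server mappings

    def pool_range(self):
        first, last = (ipaddress.IPv4Address(a) for a in self.pool)
        return first, last


def check_instance(inst):
    """Return human-readable findings for one NAT instance (empty list = clean)."""
    findings = []
    first, last = inst.pool_range()
    uplink = ipaddress.IPv4Interface(inst.uplink)
    next_hop = ipaddress.IPv4Address(inst.next_hop)
    if first > last:
        findings.append(f"{inst.name}: pool start {first} is after pool end {last}")
        return findings
    if first not in uplink.network or last not in uplink.network:
        findings.append(f"{inst.name}: pool {first}-{last} is outside uplink subnet "
                        f"{uplink.network}; the upstream router needs a route for it")
    for addr, label in ((uplink.ip, "uplink interface address"), (next_hop, "next hop")):
        if first <= addr <= last:
            findings.append(f"{inst.name}: {label} {addr} lies inside dynamic pool {first}-{last}")
    for glob, inside in inst.servers:
        g = ipaddress.IPv4Address(glob)
        i = ipaddress.IPv4Address(inside)
        if first <= g <= last:
            findings.append(f"{inst.name}: server global address {g} lies inside dynamic pool {first}-{last}")
        if g in (uplink.ip, next_hop):
            findings.append(f"{inst.name}: server global address {g} collides with the uplink or next hop")
        if not i.is_private:
            findings.append(f"{inst.name}: server inside address {i} is not a private address")
    return findings


def check_all(instances):
    """Per-instance checks plus the cross-instance pool overlap check."""
    findings = []
    for inst in instances:
        findings.extend(check_instance(inst))
    for a, b in combinations(instances, 2):
        a_first, a_last = a.pool_range()
        b_first, b_last = b.pool_range()
        if a_first <= b_last and b_first <= a_last:
            findings.append(f"{a.name}/{b.name}: dynamic pools overlap")
    return findings


# The address plan from this page.
PAGE_INSTANCES = [
    NatInstance("nat1", "1.1.1.1/24", "1.1.1.2", ("1.1.1.50", "1.1.1.100")),
    NatInstance("nat2", "2.1.1.1/24", "2.1.1.2", ("2.1.1.50", "2.1.1.100"),
                servers=[("2.1.1.3", "192.168.4.1")]),
]

# A constructed misconfiguration: the server's global address moved into the dynamic pool.
MISCONFIGURED_INSTANCES = [
    NatInstance("nat2", "2.1.1.1/24", "2.1.1.2", ("2.1.1.50", "2.1.1.100"),
                servers=[("2.1.1.60", "192.168.4.1")]),
]


def lint_page_config():
    return check_all(PAGE_INSTANCES)


def lint_misconfigured():
    return check_all(MISCONFIGURED_INSTANCES)


if __name__ == "__main__":
    for label, findings in (("page", lint_page_config()), ("misconfigured", lint_misconfigured())):
        print(label, "->", findings or "clean")
```

The page's plan comes back clean; the constructed variant with the server at 2.1.1.60 produces one finding, because a dynamic session could then be allocated the same public address as the static mapping.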
(3) Configure the NAT traffic diversion policy.
Configure ACL 3000, which permits hosts in the campus network to access both the education network and the Internet. It is the ACL bound to the NAT instances on the uplink interfaces in step (4).
[~NAT-Device] acl 3000
[*NAT-Device-acl4-advance-3000] rule 1 permit ip
[*NAT-Device-acl4-advance-3000] commit
[~NAT-Device-acl4-advance-3000] quit
Configure ACL 3001, which identifies campus traffic toward the Internet uplink (destination 1.1.1.2).
[~NAT-Device] acl 3001
[*NAT-Device-acl4-advance-3001] rule 1 permit ip destination 1.1.1.2 0.0.0.0
[*NAT-Device-acl4-advance-3001] commit
[~NAT-Device-acl4-advance-3001] quit
Configure ACL 3002, which identifies campus traffic toward the education network uplink (destination 2.1.1.2).
[~NAT-Device] acl 3002
[*NAT-Device-acl4-advance-3002] rule 1 permit ip destination 2.1.1.2 0.0.0.0
[*NAT-Device-acl4-advance-3002] commit
[~NAT-Device-acl4-advance-3002] quit
Configure ACL 3003, which identifies traffic between campus users (destination 192.168.0.0/16).
[~NAT-Device] acl 3003
[*NAT-Device-acl4-advance-3003] rule 1 permit ip destination 192.168.0.0 0.0.255.255
[*NAT-Device-acl4-advance-3003] commit
[~NAT-Device-acl4-advance-3003] quit
Configure ACL 3004, which identifies traffic from the campus segment 192.168.2.0/24 to external networks.
[~NAT-Device] acl 3004
[*NAT-Device-acl4-advance-3004] rule 1 permit ip source 192.168.2.0 0.0.0.255
[*NAT-Device-acl4-advance-3004] commit
[~NAT-Device-acl4-advance-3004] quit
Configure ACL 3005, which identifies traffic from the campus segment 192.168.3.0/24 to external networks.
[~NAT-Device] acl 3005
[*NAT-Device-acl4-advance-3005] rule 1 permit ip source 192.168.3.0 0.0.0.255
[*NAT-Device-acl4-advance-3005] commit
[~NAT-Device-acl4-advance-3005] quit
Define the traffic classifiers for the flows to be redirected.
[~NAT-Device] traffic classifier redirectover1 operator or
[*NAT-Device-classifier-redirectover1] if-match acl 3001
[*NAT-Device-classifier-redirectover1] commit
[~NAT-Device-classifier-redirectover1] quit
[~NAT-Device] traffic classifier redirectover2 operator or
[*NAT-Device-classifier-redirectover2] if-match acl 3002
[*NAT-Device-classifier-redirectover2] commit
[~NAT-Device-classifier-redirectover2] quit
[~NAT-Device] traffic classifier redirectover3 operator or
[*NAT-Device-classifier-redirectover3] if-match acl 3003
[*NAT-Device-classifier-redirectover3] commit
[~NAT-Device-classifier-redirectover3] quit
[~NAT-Device] traffic classifier redirectover4 operator or
[*NAT-Device-classifier-redirectover4] if-match acl 3004
[*NAT-Device-classifier-redirectover4] commit
[~NAT-Device-classifier-redirectover4] quit
[~NAT-Device] traffic classifier redirectover5 operator or
[*NAT-Device-classifier-redirectover5] if-match acl 3005
[*NAT-Device-classifier-redirectover5] commit
[~NAT-Device-classifier-redirectover5] quit
Define the traffic behaviors for the flows to be redirected. In behavior redirectover1 set the redirect next hop to 1.1.1.2; in behavior redirectover2 set it to 2.1.1.2. Behavior redirectover3 is deliberately left empty: traffic that matches it is not redirected and follows the routing table.
[~NAT-Device] traffic behavior redirectover1
[*NAT-Device-behavior-redirectover1] redirect ip-nexthop 1.1.1.2
[*NAT-Device-behavior-redirectover1] commit
[~NAT-Device-behavior-redirectover1] quit
[~NAT-Device] traffic behavior redirectover2
[*NAT-Device-behavior-redirectover2] redirect ip-nexthop 2.1.1.2
[*NAT-Device-behavior-redirectover2] commit
[~NAT-Device-behavior-redirectover2] quit
[~NAT-Device] traffic behavior redirectover3
[*NAT-Device-behavior-redirectover3] commit
[~NAT-Device-behavior-redirectover3] quit
Bind the classifiers and behaviors in a traffic policy. A lower precedence value is evaluated first, and the first matching classifier decides the behavior.
Flows destined for 1.1.1.2/32 leave through GE0/2/1 (next hop 1.1.1.2), precedence 1 (highest priority).
Flows destined for 2.1.1.2/32 leave through GE0/2/2 (next hop 2.1.1.2), precedence 2.
Flows between campus users within 192.168.0.0/16 are forwarded directly, without NAT, precedence 3. This entry must sit above the two source-based entries: without it, a packet from 192.168.2.0/24 to another campus segment would match classifier redirectover4 and be redirected to the Internet next hop.
Flows sourced from 192.168.2.0/24 leave through GE0/2/1 (next hop 1.1.1.2), precedence 4 (lower priority).
Flows sourced from 192.168.3.0/24 leave through GE0/2/2 (next hop 2.1.1.2), precedence 5 (lowest priority).
[~NAT-Device] traffic policy redirect
[*NAT-Device-trafficpolicy-redirect] classifier redirectover1 behavior redirectover1 precedence 1
[*NAT-Device-trafficpolicy-redirect] classifier redirectover2 behavior redirectover2 precedence 2
[*NAT-Device-trafficpolicy-redirect] classifier redirectover3 behavior redirectover3 precedence 3
[*NAT-Device-trafficpolicy-redirect] classifier redirectover4 behavior redirectover1 precedence 4
[*NAT-Device-trafficpolicy-redirect] classifier redirectover5 behavior redirectover2 precedence 5
[*NAT-Device-trafficpolicy-redirect] commit
[~NAT-Device-trafficpolicy-redirect] quit
(4) Apply the NAT traffic diversion policy.
In the view of interface GE0/2/0 (the campus-facing interface), apply traffic policy redirect to inbound traffic.
[~NAT-Device] interface gigabitEthernet 0/2/0
[~NAT-Device-GigabitEthernet0/2/0] ip address 192.168.1.1 255.255.255.0
[*NAT-Device-GigabitEthernet0/2/0] traffic-policy redirect inbound
[*NAT-Device-GigabitEthernet0/2/0] commit
[~NAT-Device-GigabitEthernet0/2/0] quit
In the view of interface GE0/2/2 (education network uplink), bind NAT instance nat2 with ACL 3000 so that traffic leaving this interface is translated by nat2.
[~NAT-Device] interface gigabitEthernet 0/2/2
[~NAT-Device-GigabitEthernet0/2/2] ip address 2.1.1.1 255.255.255.0
[*NAT-Device-GigabitEthernet0/2/2] nat bind acl 3000 instance nat2
[*NAT-Device-GigabitEthernet0/2/2] commit
[~NAT-Device-GigabitEthernet0/2/2] quit
In the view of interface GE0/2/1 (Internet uplink), bind NAT instance nat1 with ACL 3000 so that traffic leaving this interface is translated by nat1.
[~NAT-Device] interface gigabitEthernet 0/2/1
[~NAT-Device-GigabitEthernet0/2/1] ip address 1.1.1.1 255.255.255.0
[*NAT-Device-GigabitEthernet0/2/1] nat bind acl 3000 instance nat1
[*NAT-Device-GigabitEthernet0/2/1] commit
[~NAT-Device-GigabitEthernet0/2/1] quit
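Whether campus-internal traffic stays internal or is pushed to an uplink depends entirely on the precedence order of traffic policy redirect, and that is easier to verify by evaluating the policy than by reading it. The following Python example is added here and is not part of the page or of Huawei's software: it transcribes the five ACLs and the policy entries above into tables, evaluates sample flows the way the policy is applied inbound on GE0/2/0 (lowest precedence value first, first match wins), and shows that leaving out the precedence-3 entry would send a packet from 192.168.2.0/24 to 192.168.3.0/24 to the Internet next hop 1.1.1.2. The sample flows and function names are this example's own; the model covers only the redirect policy, not the NAT bindings on the uplinks.

```python
import ipaddress

# Example code modelling traffic policy "redirect" from this page. The ACL and policy tables
# are transcribed from the configuration above; the functions are this example's own.


def wildcard_match(addr, rule_addr, wildcard):
    """Huawei ACL wildcard mask: a 1 bit means 'don't care', so 0.0.0.0 is an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (r & ~w)


# acl number -> rules of (action, source (addr, wildcard) or None, destination (addr, wildcard) or None)
ACLS = {
    3001: [("permit", None, ("1.1.1.2", "0.0.0.0"))],
    3002: [("permit", None, ("2.1.1.2", "0.0.0.0"))],
    3003: [("permit", None, ("192.168.0.0", "0.0.255.255"))],
    3004: [("permit", ("192.168.2.0", "0.0.0.255"), None)],
    3005: [("permit", ("192.168.3.0", "0.0.0.255"), None)],
}


def acl_permits(acl_number, src, dst):
    """First matching rule decides; a packet that matches no rule does not match the classifier."""
    for action, source, dest in ACLS[acl_number]:
        if (source is None or wildcard_match(src, *source)) and \
           (dest is None or wildcard_match(dst, *dest)):
            return action == "permit"
    return False


# traffic policy redirect: (precedence, acl of the classifier, redirect ip-nexthop of the behavior).
# None stands for the empty behavior redirectover3: the packet keeps following the routing table.
POLICY = [
    (1, 3001, "1.1.1.2"),
    (2, 3002, "2.1.1.2"),
    (3, 3003, None),
    (4, 3004, "1.1.1.2"),
    (5, 3005, "2.1.1.2"),
]


def next_hop_for(src, dst, policy=POLICY):
    """Next hop forced on a packet entering GE0/2/0, or None when it is routed normally.

    Classifiers are tried in ascending precedence; the first match wins and later entries
    are ignored, so a match on the empty behavior also yields None (normal forwarding).
    """
    for _, acl_number, next_hop in sorted(policy, key=lambda entry: entry[0]):
        if acl_permits(acl_number, src, dst):
            return next_hop
    return None


def leak_without_intra_campus_entry():
    """Fate of campus-to-campus traffic if the precedence-3 entry is left out of the policy."""
    trimmed = [entry for entry in POLICY if entry[0] != 3]
    return next_hop_for("192.168.2.10", "192.168.3.20", trimmed)


if __name__ == "__main__":
    # Constructed sample flows.
    for src, dst in [("192.168.2.10", "8.8.8.8"), ("192.168.3.10", "8.8.8.8"),
                     ("192.168.2.10", "192.168.3.20"), ("192.168.3.10", "1.1.1.2"),
                     ("192.168.9.10", "8.8.8.8")]:
        print(f"{src} -> {dst}: {next_hop_for(src, dst) or 'routing table'}")
    print("without the precedence-3 entry, 192.168.2.10 -> 192.168.3.20:",
          leak_without_intra_campus_entry())
```

Two results are worth noting. A source outside 192.168.2.0/24 and 192.168.3.0/24 (192.168.9.10 in the sample) matches no entry and is routed by the routing table, so any campus segment not named in ACLs 3004 and 3005 gets no uplink steering at all. And a host in 192.168.3.0/24 sending to 1.1.1.2 is redirected by the precedence-1 entry, not the precedence-5 one, which is exactly the ordering the policy relies on.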
Configuration File
#
sysname NAT-Device
#
service-location 1
 location follow-forwarding-mode
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 1.1.1.50 1.1.1.100
 redirect ip-nexthop 1.1.1.2 outbound
#
nat instance nat2 id 2
 service-instance-group group1
 nat address-group address-group2 group-id 2 2.1.1.50 2.1.1.100
 nat server-mode enable
 nat server global 2.1.1.3 inside 192.168.4.1
 redirect ip-nexthop 2.1.1.2 outbound
#
acl number 3000
 rule 1 permit ip
#
acl number 3001
 rule 1 permit ip destination 1.1.1.2 0.0.0.0
#
acl number 3002
 rule 1 permit ip destination 2.1.1.2 0.0.0.0
#
acl number 3003
 rule 1 permit ip destination 192.168.0.0 0.0.255.255
#
acl number 3004
 rule 1 permit ip source 192.168.2.0 0.0.0.255
#
acl number 3005
 rule 1 permit ip source 192.168.3.0 0.0.0.255
#
traffic classifier redirectover1 operator or
 if-match acl 3001 precedence 1
#
traffic classifier redirectover2 operator or
 if-match acl 3002 precedence 1
#
traffic classifier redirectover3 operator or
 if-match acl 3003 precedence 1
#
traffic classifier redirectover4 operator or
 if-match acl 3004 precedence 1
#
traffic classifier redirectover5 operator or
 if-match acl 3005 precedence 1
#
traffic behavior redirectover1
 redirect ip-nexthop 1.1.1.2
#
traffic behavior redirectover2
 redirect ip-nexthop 2.1.1.2
#
traffic behavior redirectover3
#
traffic policy redirect
 classifier redirectover1 behavior redirectover1 precedence 1
 classifier redirectover2 behavior redirectover2 precedence 2
 classifier redirectover3 behavior redirectover3 precedence 3
 classifier redirectover4 behavior redirectover1 precedence 4
 classifier redirectover5 behavior redirectover2 precedence 5
#
interface GigabitEthernet 0/2/0
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
 traffic-policy redirect inbound
#
interface GigabitEthernet 0/2/2
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
 nat bind acl 3000 instance nat2
#
interface GigabitEthernet 0/2/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 nat bind acl 3000 instance nat1
#
return
Source: www.zh-cjh.com (Zhuhai Chen Jianhao's blog), "Huawei NE8000 Router: Comprehensive Example of Configuring Dual-Uplink NAT and a NAT Internal Server for a School".
Author: cjh