公司两条外线,vlan 10用nat走上面转发出去上网,vlan 20 走下面那条外线出去nat上网
AR2:
interface GigabitEthernet0/0/0
ip address 6.6.6.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 154.1.2.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 202.1.2.3 255.255.255.0
return
AR1:
acl number 3000
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3001
rule 2 permit ip source 10.1.2.0 0.0.0.255
traffic classifier 2 operator or
if-match acl 3001
traffic classifier 1 operator or
if-match acl 3000
traffic behavior 2
redirect ip-nexthop 152.1.2.1
traffic behavior 1
redirect ip-nexthop 202.1.2.1
traffic policy redirect
classifier 1 behavior 1
classifier 2 behavior 2
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 154.1.2.1 255.255.255.0
nat outbound 3000
interface GigabitEthernet0/0/1
ip address 11.1.1.1 255.255.255.0
traffic-policy redirect inbound
interface GigabitEthernet0/0/2
ip address 202.1.2.1 255.255.255.0
nat outbound 3001
interface NULL0
ip route-static 0.0.0.0 0.0.0.0 154.1.2.3
ip route-static 0.0.0.0 0.0.0.0 202.1.2.3
ip route-static 10.1.0.0 255.255.0.0 11.1.1.2
return
核心交换机:
dis current-configuration
sysname Huawei
vlan batch 10 20 100
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
dhcp enable
interface Vlanif1
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
dhcp select interface
interface Vlanif100
ip address 11.1.1.2 255.255.255.0
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
stp edged-port enable
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
stp edged-port enable
ip route-static 0.0.0.0 0.0.0.0 11.1.1.1
扩展部分:如果两条外线一条备用,只用一条,且局域网有服务器,又和分校区连接
pppoe配置:
[Internet]ip pool pppoe 创建地址池
[Internet-ip-pool-pppoe]network 123.1.1.0 mask 24 配置IP地址段
[Internet-ip-pool-pppoe]dns-list 114.114.114.114 配置DNS
[Internet-ip-pool-pppoe]excluded-ip-address 123.1.1.254 排除分配的IP地址
[Internet-ip-pool-pppoe]excluded-ip-address 123.1.1.253 排除分配的IP地址
[Internet]interface Virtual-Template 1 创建虚拟模板
[Internet-Virtual-Template1]ppp authentication-mode pap 认证模式为pap模式
[Internet-Virtual-Template1]remote address pool pppoe 关联地址池
[Internet-Virtual-Template1]ip address 123.1.1.254 24 创建网关IP地址
Int g0/0/0
[Internet-GigabitEthernet0/0/0]pppoe-server bind virtual-template 1 进入接口绑定虚拟模板
aaa
[Internet-aaa]local-user test password cipher Start123! 创建拨号的用户名和密码
[Internet-aaa]local-user test service-type ppp 类型为ppp类型
创建一个回环测试
[Internet]interface LoopBack 0 进入回环口
[Internet-LoopBack0]ip address 61.128.1.1 24 配置IP地址
以上是服务器的配置
下面客户端配置
[Huawei]interface Dialer 1 进入接口1
[Huawei-Dialer1]link-protocol ppp 协议为ppp
ppp pap local-user test password simple Start123! 输入用户名密码
ip address ppp-negotiate 自动分配IP地址
dialer user test 用户名为test
dialer bundle 1 绑定1
[Huawei]interface GigabitEthernet 0/0/0 进入接口
[Huawei-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1 绑定1
如果两条一条作为备用线路:
1、两条外线。默认用拨号,专线备用:
在出口路由器上,2条外线口上都要同样的操作:启nat和对外开放web端口nat
acl number 3005
rule 5 permit ip source 192.168.0.0 0.0.255.255
interface Dialer1
nat outbind 3005
nat server protocol tcp global current-interface 80 inside 192.168.200.10 80
interface g0/0/2
nat outbind 3005
nat server protocol tcp global current-interface 80 inside 192.168.200.10 80
同样在出口路由器上写两条默认路由分别指南两个公网IP,但一个要调开销70作为备用
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 0.0.0.0 0 23.1.1.1 preference 70
2、vlan 30的用户只能访问分校区,不能上公网:
些要求要在出口路由器上做:
acl 3001
rule 5 permit ip destination 192.168.0.0 0.0.255.255
rule 10 deny ip source 192.168.30.0 0.0.0.255
然后在路由的内网口上调用:
int g0/0/1
traffic-filter inbound acl 3001
3、只允许vlan 10研发部的人才能访问研发服务器。其它人过来的deny掉
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.200.20 0
rule 10 deny ip destination 192.168.200.20 0
然后在核心出接口上启用过滤规则,调用这个acl
int g0/0/4
traffic-filter outbound acl 3000
