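I. Background

This example comes from a real network deployment at a school. The organisation is dual-homed: one 100M China Telecom fibre link and one 200M China Mobile fibre link. The office network must use the China Telecom link, while the teaching and lab networks must use the China Mobile link. With the existing equipment, policy-based routing is a good way to achieve this. The organisation mainly uses Huawei network equipment. The whole network configuration is reproduced here in the Huawei eNSP simulator for reference.

The simplified network topology is as follows: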

[Figure: simplified network topology]

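II. Topology description

1) The left-hand area represents the internal network, made up of four subnets: vlan 10, vlan 20, vlan 30 and vlan 40. The access devices are S3700 switches, the core device is an S5700, and the egress device is an AR2220.

2) The right-hand area uses four AR2220 routers to simulate the external network; routers AR2 to AR5 run OSPF. A computer attached to AR5 simulates a resource on the external network.

3) Assume vlan 10 and vlan 20 are the office subnets, and vlan 30 and vlan 40 are the teaching and lab subnets. The address plan for each vlan is:

vlan 10: network 192.168.10.0/24, gateway 192.168.10.1

vlan 20: network 192.168.20.0/24, gateway 192.168.20.1

vlan 30: network 192.168.30.0/24, gateway 192.168.30.1

vlan 40: network 192.168.40.0/24, gateway 192.168.40.1

4) On the core switch, GE0/0/2 connects to vlan 10, GE0/0/3 to vlan 20, GE0/0/4 to vlan 30 and GE0/0/5 to vlan 40. GE0/0/1 on the core switch connects to GE0/0/0 on egress router AR1 and is placed on its own in vlan 200. vlan 200 uses the network 172.16.0.0/30: the vlan 200 IP is 172.16.0.1/30 and AR1 GE0/0/0 is 172.16.0.2/30.

5) Assume port GE0/0/1 on egress router AR1 connects to the China Telecom fibre, with assigned IP 112.45.65.1/30 and China Telecom gateway 112.45.65.2/30; port GE0/0/2 connects to the China Mobile fibre, with assigned IP 217.15.75.1/30 and China Mobile gateway 217.15.75.2/30. Traffic from vlan 10 and vlan 20 takes the China Telecom fibre, and traffic from vlan 30 and vlan 40 takes the China Mobile fibre.

6) Interface IP addresses of routers AR2 to AR5 in the simulated external network: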

AR2 GE0/0/0 112.45.65.1/30     GE0/0/1 23.0.0.1/30

AR3 GE0/0/0 23.0.0.2/30   GE0/0/1 35.0.0.1/30

AR4 GE0/0/0 217.15.75.2/30  GE0/0/1 45.0.0.1/30

AR5 GE0/0/0 35.0.0.2/30  GE0/0/1 45.0.0.2/30  GE0/0/2 218.0.0.1/30

III. Configuration steps

1) IP configuration of each PC

PC1: IP 192.168.10.2, mask 255.255.255.0, gateway 192.168.10.1

PC2: IP 192.168.20.2, mask 255.255.255.0, gateway 192.168.20.1

PC3: IP 192.168.30.2, mask 255.255.255.0, gateway 192.168.30.1

PC4: IP 192.168.40.2, mask 255.255.255.0, gateway 192.168.40.1

PC5: IP 218.0.0.2, mask 255.255.255.252, gateway 218.0.0.1

2) Core switch LSW1 configuration

<Huawei>system-view

[Huawei]vlan batch 10 20 30 40 200

[Huawei]interface Vlanif 10

[Huawei-Vlanif10]ip address 192.168.10.1 24

[Huawei-Vlanif10]quit

[Huawei]interface Vlanif 20

[Huawei-Vlanif20]ip address 192.168.20.1 24

[Huawei-Vlanif20]quit

[Huawei]interface Vlanif 30

[Huawei-Vlanif30]ip address 192.168.30.1 24

[Huawei-Vlanif30]quit

[Huawei]interface Vlanif 40

[Huawei-Vlanif40]ip address 192.168.40.1 24

[Huawei-Vlanif40]quit

[Huawei]interface Vlanif 200

[Huawei-Vlanif200]ip address 172.16.0.1 30

[Huawei-Vlanif200]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]port link-type access

[Huawei-GigabitEthernet0/0/1]port default vlan 200

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]port link-type access

[Huawei-GigabitEthernet0/0/2]port default vlan 10

[Huawei-GigabitEthernet0/0/2]quit

[Huawei]interface GigabitEthernet 0/0/3

[Huawei-GigabitEthernet0/0/3]port link-type access

[Huawei-GigabitEthernet0/0/3]port default vlan 20

[Huawei-GigabitEthernet0/0/3]quit

[Huawei]interface GigabitEthernet 0/0/4

[Huawei-GigabitEthernet0/0/4]port link-type access

[Huawei-GigabitEthernet0/0/4]port default vlan 30

[Huawei-GigabitEthernet0/0/4]quit

[Huawei]interface GigabitEthernet 0/0/5

[Huawei-GigabitEthernet0/0/5]port link-type access

[Huawei-GigabitEthernet0/0/5]port default vlan 40

[Huawei-GigabitEthernet0/0/5]quit

[Huawei]ip route-static 0.0.0.0 0.0.0.0 172.16.0.2

3) Configuration of routers AR2-AR5 in the simulated external network

AR2

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 112.45.65.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 23.0.0.1 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network 112.45.65.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network 23.0.0.0 0.0.0.3

AR3

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 23.0.0.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 35.0.0.1 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network 23.0.0.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network 35.0.0.0 0.0.0.3

AR4

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 217.15.75.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 45.0.0.1 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network 217.15.75.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network 45.0.0.0 0.0.0.3

AR5

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 35.0.0.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 45.0.0.2 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]ip address 218.0.0.1 30

[Huawei-GigabitEthernet0/0/2]quit

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network 35.0.0.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network 45.0.0.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network 218.0.0.0 0.0.0.3

4) Egress router AR1 configuration

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address 172.16.0.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address 112.45.65.1 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]ip address 217.15.75.1 30

[Huawei-GigabitEthernet0/0/2]quit

[Huawei]ip route-static 192.168.0.0 255.255.0.0 172.16.0.1

[Huawei]acl 2112

[Huawei-acl-basic-2112]rule permit source 192.168.10.0 0.0.0.255

[Huawei-acl-basic-2112]rule permit source 192.168.20.0 0.0.0.255

[Huawei-acl-basic-2112]quit

[Huawei]acl 2217

[Huawei-acl-basic-2217]rule permit source 192.168.30.0 0.0.0.255

[Huawei-acl-basic-2217]rule permit source 192.168.40.0 0.0.0.255

[Huawei-acl-basic-2217]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]nat outbound 2112

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]nat outbound 2217

[Huawei-GigabitEthernet0/0/2]quit

[Huawei]traffic classifier c112

[Huawei-classifier-c112]if-match acl 2112

[Huawei-classifier-c112]quit

[Huawei]traffic classifier c217

[Huawei-classifier-c217]if-match acl 2217

[Huawei-classifier-c217]quit

[Huawei]traffic behavior b112

[Huawei-behavior-b112]redirect ip-nexthop 112.45.65.2

[Huawei-behavior-b112]quit

[Huawei]traffic behavior b217

[Huawei-behavior-b217]redirect ip-nexthop 217.15.75.2

[Huawei-behavior-b217]quit

[Huawei]traffic policy tointernet

[Huawei-trafficpolicy-tointernet]classifier c112 behavior b112

[Huawei-trafficpolicy-tointernet]classifier c217 behavior b217

[Huawei-trafficpolicy-tointernet]quit

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]traffic-policy tointernet inbound

IV. Verification and viewing the NAT sessions

PC1:

PC>ping 218.0.0.2

 

Ping 218.0.0.2: 32 data bytes, Press Ctrl_C to break

Request timeout!

From 218.0.0.2: bytes=32 seq=2 ttl=123 time=62 ms

From 218.0.0.2: bytes=32 seq=3 ttl=123 time=94 ms

From 218.0.0.2: bytes=32 seq=4 ttl=123 time=78 ms

From 218.0.0.2: bytes=32 seq=5 ttl=123 time=78 ms

--- 218.0.0.2 ping statistics ---

  5 packet(s) transmitted

  4 packet(s) received

  20.00% packet loss

  round-trip min/avg/max = 0/78/94 ms

PC>tracert 218.0.0.2

 

traceroute to 218.0.0.2, 8 hops max

(ICMP), press Ctrl+C to stop

 1 192.168.10.1   47 ms  31 ms 47 ms

 2   *  *  *

 3 112.45.65.2   47 ms  62 ms 62 ms

 4 23.0.0.2   94 ms  78 ms 62 ms

 5 35.0.0.2   78 ms  78 ms 94 ms

 6 218.0.0.2   94 ms  46 ms 94 ms

 

PC2:

PC>ping 218.0.0.2

 

Ping 218.0.0.2: 32 data bytes, Press Ctrl_C to break

Request timeout!

From 218.0.0.2: bytes=32 seq=2 ttl=123 time=63 ms

From 218.0.0.2: bytes=32 seq=3 ttl=123 time=78 ms

From 218.0.0.2: bytes=32 seq=4 ttl=123 time=78 ms

From 218.0.0.2: bytes=32 seq=5 ttl=123 time=94 ms

--- 218.0.0.2 ping statistics ---

  5 packet(s) transmitted

  4 packet(s) received

  20.00% packet loss

  round-trip min/avg/max = 0/78/94 ms

 

PC>tracert 218.0.0.2

 

traceroute to 218.0.0.2, 8 hops max

(ICMP), press Ctrl+C to stop

 1 192.168.20.1   46 ms  32 ms 46 ms

 2   *  *  *

 3 112.45.65.2   63 ms  62 ms 63 ms

 4 23.0.0.2   78 ms  93 ms 94 ms

 5 35.0.0.2   93 ms  78 ms 78 ms

 6 218.0.0.2   94 ms  94 ms 109 ms

 

PC3:

PC>ping 218.0.0.2

 

Ping 218.0.0.2: 32 data bytes, Press Ctrl_C to break

From 218.0.0.2: bytes=32 seq=1 ttl=124 time=63 ms

From 218.0.0.2: bytes=32 seq=2 ttl=124 time=47 ms

From 218.0.0.2: bytes=32 seq=3 ttl=124 time=63 ms

From 218.0.0.2: bytes=32 seq=4 ttl=124 time=62 ms

From 218.0.0.2: bytes=32 seq=5 ttl=124 time=47 ms

--- 218.0.0.2 ping statistics ---

  5 packet(s) transmitted

  5 packet(s) received

  0.00% packet loss

  round-trip min/avg/max = 47/56/63 ms

 

PC>tracert 218.0.0.2

 

traceroute to 218.0.0.2, 8 hops max

(ICMP), press Ctrl+C to stop

 1 192.168.30.1   31 ms  47 ms 47 ms

 2   *  *  *

 3 217.15.75.2   63 ms  62 ms 62 ms

 4  45.0.0.2   94 ms 62 ms  78 ms

 5 218.0.0.2   78 ms  63 ms 47 ms

 

PC4:

PC>ping 218.0.0.2

 

Ping 218.0.0.2: 32 data bytes, Press Ctrl_C to break

From 218.0.0.2: bytes=32 seq=1 ttl=124 time=78 ms

From 218.0.0.2: bytes=32 seq=2 ttl=124 time=78 ms

From 218.0.0.2: bytes=32 seq=3 ttl=124 time=78 ms

From 218.0.0.2: bytes=32 seq=4 ttl=124 time=62 ms

From 218.0.0.2: bytes=32 seq=5 ttl=124 time=47 ms

--- 218.0.0.2 ping statistics ---

  5 packet(s) transmitted

  5 packet(s) received

  0.00% packet loss

  round-trip min/avg/max = 47/68/78 ms

 

PC>tracert 218.0.0.2

 

traceroute to 218.0.0.2, 8 hops max

(ICMP), press Ctrl+C to stop

 1 192.168.40.1   15 ms  47 ms 47 ms

 2   *  *  *

 3 217.15.75.2   78 ms  63 ms 62 ms

 4  45.0.0.2   94 ms 62 ms  62 ms

 5 218.0.0.2   94 ms  94 ms 46 ms

 

NAT sessions on the egress router:

[Huawei]dis nat session all

  NAT Session Table Information:

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.10.2                                  

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8  48257

    NAT-Info

      New SrcAddr     : 112.45.65.1   

      New DestAddr    : ----

      New IcmpId      : 10295

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.20.2                                  

    DestAddr  ***     : 218.0.0.2                                      

    Type Code IcmpId  : 0   8  48259

    NAT-Info

      New SrcAddr     : 112.45.65.1   

      New DestAddr    : ----

      New IcmpId      : 10297

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.30.2                                  

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8  48263

    NAT-Info

      New SrcAddr     : 217.15.75.1   

      New DestAddr    : ----

      New IcmpId      : 10295

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.40.2                                  

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8   48262

    NAT-Info

      New SrcAddr     : 217.15.75.1   

      New DestAddr    : ----

      New IcmpId      : 10294

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.40.2                                  

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8  48265

    NAT-Info

      New SrcAddr     : 217.15.75.1   

      New DestAddr    : ----

      New IcmpId      : 10297

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.40.2                                  

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8  48263

    NAT-Info

      New SrcAddr     : 217.15.75.1   

      New DestAddr    : ----

      New IcmpId      : 10296

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.30.2                                  

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8   48262

    NAT-Info

      New SrcAddr     : 217.15.75.1   

      New DestAddr    : ----

      New IcmpId      : 10293

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.30.2

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8  48259

    NAT-Info

      New SrcAddr     : 217.15.75.1   

      New DestAddr    : ----

      New IcmpId      : 10290

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.30.2                                  

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8  48261

    NAT-Info

      New SrcAddr     : 217.15.75.1   

      New DestAddr    : ----

      New IcmpId      : 10291

 

    Protocol          : ICMP(1)

    SrcAddr   ***     : 192.168.40.2                                  

    DestAddr  ***     : 218.0.0.2                                     

    Type Code IcmpId  : 0   8   48261

    NAT-Info

      New SrcAddr     : 217.15.75.1   

      New DestAddr    : ----

      New IcmpId      : 10292
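
The manual check in section IV (each source subnet must appear with the NAT address of its intended egress link) can be automated. The following Python example is added here and is not part of the original configuration: it encodes the source rules of ACL 2112 and ACL 2217 with the address of the interface that references each ACL, parses `display nat session all` output, and reports sessions translated to the wrong egress address. The function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

# From the AR1 config above: ACL rule (source, wildcard) -> NAT address of the
# interface whose `nat outbound` references that ACL.
POLICY = [
    ("192.168.10.0", "0.0.0.255", "112.45.65.1"),  # acl 2112, GE0/0/1
    ("192.168.20.0", "0.0.0.255", "112.45.65.1"),
    ("192.168.30.0", "0.0.0.255", "217.15.75.1"),  # acl 2217, GE0/0/2
    ("192.168.40.0", "0.0.0.255", "217.15.75.1"),
]

def expected_nat(src):
    """Wildcard semantics: bits that are 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(src))
    for base, wildcard, nat in POLICY:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (a & care) == (int(ipaddress.IPv4Address(base)) & care):
            return nat
    return None  # no rule permits this source, so no translation is expected

def parse_sessions(text):
    """Return (SrcAddr, New SrcAddr) pairs from `display nat session all`."""
    pairs, src = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(New\s+)?SrcAddr\b[^:]*:\s*(\S+)", line)
        if m and m.group(1) and src is not None:
            pairs.append((src, m.group(2)))  # "New SrcAddr" closes the record
            src = None
        elif m and not m.group(1):
            src = m.group(2)
    return pairs

def audit(text):
    """Sessions whose translated address differs from what the policy expects."""
    return [(s, n, expected_nat(s)) for s, n in parse_sessions(text)
            if n != expected_nat(s)]

# Constructed sample in the format shown above. The second record is a
# deliberate mismatch: a vlan 30 host translated to the China Telecom address.
SAMPLE = """
    SrcAddr   ***     : 192.168.10.2
    DestAddr  ***     : 218.0.0.2
      New SrcAddr     : 112.45.65.1
    SrcAddr   ***     : 192.168.30.2
    DestAddr  ***     : 218.0.0.2
      New SrcAddr     : 112.45.65.1
"""
print(audit(SAMPLE))
```

An empty list from `audit` means every session in the capture left through the link its ACL assigns; any entry names the source, the address it was translated to, and the address the policy expects.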