1.在×××站点内配置一个代理服务器拥有公网IP做NAT,之后网关写到CE,CE上配置默认路由指向PE,之后PE上做静态的公网跳出路由,即在静态路由的下以跳写public关键字。之后做回程路由跳回×××,下一跳写×××站点地址即可,但是VRP3.X不支持这个办法因此回程需要用策略路由回了。注意策略路由如果是多角色主机,要同时访问多个×××则需要策略多个×××如××× A B,才会先后在A,B内进行路由查找。但是对于本×××内找不到的路由还是会回到PUBLIC表即(MAIN表)中查找。但是如果在其他×××找不到了,比如去了B,如果找不到某路由,则路由失败。
2 做NAT多实例,这个办法比较好,可是VRP3.X也不能支持。只需要在配置NAT的时候启用多实例即可。
3 将公网接口绑定到一个×××实例中,然后配置RT策略,把私网路由引入到公网上去。这样做办法不是很好。同时将公网路由引入到私网,或是在私网中加入一条全局跳出路由。
举例多角色主机加访问公网的一个配置例子静态路由方式其实是最好的办法。
[PE2-route-policy]dis cur
#
sysname PE2
#
cpu-usage cycle 1min
#
mpls lsr-id 22.22.22.22
#
radius scheme system
#
mpls
#
ip vpn-instance A
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
ip vpn-instance B
route-distinguisher 1:2
vpn-target 1:2 export-extcommunity
vpn-target 1:2 import-extcommunity
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
acl number 2000
rule 1 permit vpn-instance A source 192.168.10.0 0.0.0.255
acl number 2002
rule 0 permit
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address dhcp-alloc
#
interface Ethernet0/0.1
ip binding vpn-instance A
ip address 1.1.1.5 255.255.255.252
ip policy route-policy DJS
vlan-type dot1q vid 1
#
interface Ethernet0/0.2
ip binding vpn-instance B
ip address 1.1.1.5 255.255.255.252
vlan-type dot1q vid 2
#
interface Ethernet0/1
ip address dhcp-alloc
#
interface Serial0/0
link-protocol ppp
ip address 1.1.1.2 255.255.255.252
ip policy route-policy internet
#
interface Tunnel1
source 22.22.22.22
destination 11.11.11.11
mpls
#
interface NULL0
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 1
undo synchronization
group m-ibgp internal
peer 11.11.11.11 group m-ibgp
peer 11.11.11.11 connect-interface LoopBack1
#
ipv4-family vpn-instance A
import-route direct
import-route ospf 2
undo synchronization
#
ipv4-family vpn-instance B
import-route direct
import-route ospf 3
import-route static
undo synchronization
#
ipv4-family vpnv4
peer m-ibgp enable
peer 11.11.11.11 group m-ibgp
#
ospf 1
import-route static tag 123
area 0.0.0.0
network 1.1.1.0 0.0.0.3
network 22.22.22.22 0.0.0.0
#
ospf 2 vpn-instance A
import-route bgp
area 0.0.0.0
network 1.1.1.5 0.0.0.0
#
ospf 3 vpn-instance B
import-route bgp
area 0.0.0.0
network 1.1.1.5 0.0.0.0
#
route-policy DJS permit node 10
if-match acl 2000
apply access-vpn vpn-instance B A
route-policy internet permit node 10
if-match acl 2002
apply access-vpn vpn-instance A
#
FTP server enable
#
ip route-static 192.168.10.0 255.255.255.0 NULL 0 preference 60
ip route-static vpn-instance A 0.0.0.0 0.0.0.0 1.1.1.3 public preference 60 description internet
ip route-static vpn-instance B 192.168.10.0 255.255.255.0 vpn-instance A 1.1.1.6 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
#
sysname PE2
#
cpu-usage cycle 1min
#
mpls lsr-id 22.22.22.22
#
radius scheme system
#
mpls
#
ip vpn-instance A
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
ip vpn-instance B
route-distinguisher 1:2
vpn-target 1:2 export-extcommunity
vpn-target 1:2 import-extcommunity
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
acl number 2000
rule 1 permit vpn-instance A source 192.168.10.0 0.0.0.255
acl number 2002
rule 0 permit
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address dhcp-alloc
#
interface Ethernet0/0.1
ip binding vpn-instance A
ip address 1.1.1.5 255.255.255.252
ip policy route-policy DJS
vlan-type dot1q vid 1
#
interface Ethernet0/0.2
ip binding vpn-instance B
ip address 1.1.1.5 255.255.255.252
vlan-type dot1q vid 2
#
interface Ethernet0/1
ip address dhcp-alloc
#
interface Serial0/0
link-protocol ppp
ip address 1.1.1.2 255.255.255.252
ip policy route-policy internet
#
interface Tunnel1
source 22.22.22.22
destination 11.11.11.11
mpls
#
interface NULL0
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 1
undo synchronization
group m-ibgp internal
peer 11.11.11.11 group m-ibgp
peer 11.11.11.11 connect-interface LoopBack1
#
ipv4-family vpn-instance A
import-route direct
import-route ospf 2
undo synchronization
#
ipv4-family vpn-instance B
import-route direct
import-route ospf 3
import-route static
undo synchronization
#
ipv4-family vpnv4
peer m-ibgp enable
peer 11.11.11.11 group m-ibgp
#
ospf 1
import-route static tag 123
area 0.0.0.0
network 1.1.1.0 0.0.0.3
network 22.22.22.22 0.0.0.0
#
ospf 2 vpn-instance A
import-route bgp
area 0.0.0.0
network 1.1.1.5 0.0.0.0
#
ospf 3 vpn-instance B
import-route bgp
area 0.0.0.0
network 1.1.1.5 0.0.0.0
#
route-policy DJS permit node 10
if-match acl 2000
apply access-vpn vpn-instance B A
route-policy internet permit node 10
if-match acl 2002
apply access-vpn vpn-instance A
#
FTP server enable
#
ip route-static 192.168.10.0 255.255.255.0 NULL 0 preference 60
ip route-static vpn-instance A 0.0.0.0 0.0.0.0 1.1.1.3 public preference 60 description internet
ip route-static vpn-instance B 192.168.10.0 255.255.255.0 vpn-instance A 1.1.1.6 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
此配置中最关键的是 ip route-static 192.168.10.0 255.255.255.0 NULL 0 preference 60
配置公网的回程路由,到私网的,当然如果有代理服务器久没必要把私网路由发布到公网上去了。
ip route-static vpn-instance A 0.0.0.0 0.0.0.0 1.1.1.3 public preference 60 description internet
在×××A内添加一条全局跳出路由。
route-policy internet permit node 10
if-match acl 2002
apply access-vpn vpn-instance A
#
if-match acl 2002
apply access-vpn vpn-instance A
#
配置一个策略路由的方法,将所有回来的数据进行策略路由先在×××A内查找,查不到再返回到publc主要是负责回来的时候,因为VRP3.X不支持回程的×××静态路由。
