I. Configuration overview
1. DP1-CER (Huawei AR1000v)
2. DP2-CER (H3C vSR2000)
3. DP1 and DP2 each have vlan100 and vlan200 downstream, and the IP subnets are the same at both sites
DP1 internal network, vlan100 and vlan200:
vlan100-192.168.100.0/24
vlan200-192.168.200.0/24
After NAT:
vlan100-172.16.100.0/24
vlan200-172.16.200.0/24
DP2 internal network, vlan100 and vlan200:
vlan100-192.168.100.0/24
vlan200-192.168.200.0/24
After NAT:
vlan100-172.16.110.0/24
vlan200-172.16.210.0/24
4. Internet egress addresses
DP1 egress IP: 202.1.1.2/29
DP2 egress IP: 123.1.1.2/29
5. GRE tunnel addresses
DP1 GRE tunnel 0/0/0 IP-192.168.1.1/30
DP2 GRE tunnel0 IP-192.168.1.2/30
6. Static route configuration
DP1 static routes:
ip route-static 0.0.0.0 0.0.0.0 202.1.1.1
ip route-static 172.16.110.0 255.255.255.0 Tunnel0/0/0 192.168.1.2 (the tunnel peer IP must be specified)
ip route-static 172.16.210.0 255.255.255.0 Tunnel0/0/0 192.168.1.2 (the tunnel peer IP must be specified)
DP2 static routes:
ip route-static 0.0.0.0 0 123.1.1.1
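ip route-static 172.16.100.0 24 Tunnel0 192.168.1.1 (the tunnel peer IP must be specified)
ip route-static 172.16.200.0 24 Tunnel0 192.168.1.1 (the tunnel peer IP must be specified)
II. DP1 configuration (Huawei-Router)
1. NAT configuration
1) Configuration logic under the GRE tunnel interface:
nat static global "translated IP range" inside "internal subnet IP range" netmask "mask" acl "number" global-to-inside
nat static global "translated IP range" inside "internal subnet IP range" netmask "mask" acl "number" inside-to-global
* Note: both statements must be configured to achieve bidirectional NAT.
Example: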
nat static global 172.16.100.0 inside 192.168.100.0 netmask 255.255.255.0 acl 3001 global-to-inside
nat static global 172.16.100.0 inside 192.168.100.0 netmask 255.255.255.0 acl 3001 inside-to-global
nat static global 172.16.200.0 inside 192.168.200.0 netmask 255.255.255.0 acl 3002 global-to-inside
nat static global 172.16.200.0 inside 192.168.200.0 netmask 255.255.255.0 acl 3002 inside-to-global
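nat static enable (must be enabled, otherwise nat static does not take effect)
2) On the public egress interface, configure NAT for ordinary Internet access:
nat outbound 3000
2. Interesting-traffic ACLs on the Huawei device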
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 30 permit ip source 192.168.100.0 0.0.0.255
rule 40 permit ip source 192.168.200.0 0.0.0.255
Advanced ACL 3001, 4 rules
Acl's step is 5
rule 10 permit ip source 192.168.100.0 0.0.0.255 destination 172.16.110.0 0.0.0.255 ; traffic that triggers translation of outgoing packets
rule 11 permit ip source 192.168.100.0 0.0.0.255 destination 172.16.210.0 0.0.0.255 ; traffic that triggers translation of outgoing packets
rule 20 permit ip source 172.16.110.0 0.0.0.255 destination 172.16.100.0 0.0.0.255 ; traffic that triggers translation of return packets
rule 21 permit ip source 172.16.210.0 0.0.0.255 destination 172.16.100.0 0.0.0.255 ; traffic that triggers translation of return packets
Advanced ACL 3002, 4 rules
Acl's step is 5
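rule 10 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.210.0 0.0.0.255 ; traffic that triggers translation of outgoing packets
rule 11 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.110.0 0.0.0.255 ; traffic that triggers translation of outgoing packets
rule 20 permit ip source 172.16.110.0 0.0.0.255 destination 172.16.200.0 0.0.0.255 ; traffic that triggers translation of return packets
rule 21 permit ip source 172.16.210.0 0.0.0.255 destination 172.16.200.0 0.0.0.255 ; traffic that triggers translation of return packets
III. DP2 configuration (H3C-Router)
1. NAT configuration
1) Configure globally in system-view: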
nat static outbound net-to-net 192.168.100.0 192.168.100.254 global 172.16.110.0 255.255.255.0 acl 3001 reversible
nat static outbound net-to-net 192.168.200.0 192.168.200.254 global 172.16.210.0 255.255.255.0 acl 3002 reversible
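* Note: the reversible keyword must be configured; it is equivalent to the two statements global-to-inside and inside-to-global on the Huawei device.
2) On the public egress interface, configure NAT for ordinary Internet access:
nat outbound 3000
2. Interesting-traffic ACLs on the H3C device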
Advanced IPv4 ACL 3000, 2 rules,
ACL's step is 5
rule 30 permit ip source 192.168.100.0 0.0.0.255 (7 times matched)
rule 40 permit ip source 192.168.200.0 0.0.0.255 (5 times matched)
Advanced IPv4 ACL 3001, 2 rules,
ACL's step is 5
rule 10 permit ip source 192.168.100.0 0.0.0.255 destination 172.16.100.0 0.0.0.255 (123 times matched)
rule 11 permit ip source 192.168.100.0 0.0.0.255 destination 172.16.200.0 0.0.0.255
Advanced IPv4 ACL 3002, 2 rules,
ACL's step is 5
rule 10 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.200.0 0.0.0.255 (149 times matched)
rule 11 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.100.0 0.0.0.255 (16 times matched)
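The packet walk implied by the configuration above, as an added example that is not part of the original configuration: a Python model of the net-to-net static NAT on both routers, returning the header a flow carries on the local LAN, inside the GRE tunnel, and on the remote LAN. The subnets come from the address plan in section I; the function names and the host addresses in the demo are constructed for illustration.

```python
import ipaddress

# Address plan copied from the page: site -> {inside subnet: post-NAT subnet}.
NAT_PLAN = {
    "DP1": {"192.168.100.0/24": "172.16.100.0/24",
            "192.168.200.0/24": "172.16.200.0/24"},
    "DP2": {"192.168.100.0/24": "172.16.110.0/24",
            "192.168.200.0/24": "172.16.210.0/24"},
}

def net_to_net(addr, from_net, to_net):
    """Static net-to-net NAT: keep the host bits, swap the prefix."""
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if ip not in src:
        return None
    return str(dst.network_address + (int(ip) - int(src.network_address)))

def translate(site, addr, outbound):
    """outbound=True maps inside -> global; False maps global -> inside."""
    for inside, glob in NAT_PLAN[site].items():
        pair = (inside, glob) if outbound else (glob, inside)
        hit = net_to_net(addr, *pair)
        if hit:
            return hit
    return None

def walk(src_site, dst_site, src, dst):
    """(src, dst) header on the local LAN, in the tunnel, on the remote LAN."""
    tunnel_src = translate(src_site, src, outbound=True)
    remote_dst = translate(dst_site, dst, outbound=False)
    if tunnel_src is None or remote_dst is None:
        raise ValueError("address is not covered by the NAT plan")
    return [(src, dst), (tunnel_src, dst), (tunnel_src, remote_dst)]

def pools_are_unique():
    """Post-NAT pools must not overlap each other or any inside subnet."""
    pools = [ipaddress.ip_network(g) for m in NAT_PLAN.values() for g in m.values()]
    inside = {ipaddress.ip_network(i) for m in NAT_PLAN.values() for i in m}
    clash = any(a.overlaps(b) for i, a in enumerate(pools) for b in pools[i + 1:])
    return not clash and not any(p.overlaps(n) for p in pools for n in inside)

if __name__ == "__main__":
    # Constructed hosts: .10 on DP1 vlan100 talks to .20 on DP2 vlan100.
    for hop in walk("DP1", "DP2", "192.168.100.10", "172.16.110.20"):
        print(hop)
```

Each side only ever sees the peer under its 172.16.x.0/24 alias, which is why the static routes and the interesting-traffic ACLs reference the post-NAT ranges rather than the overlapping 192.168.x.0/24 subnets.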