Comprehensive Lab: Small and Medium Enterprise Office Network Configuration on Huawei Devices (NAT + Policy-Based Routing + OSPF + VLAN)

    Technology, 2022-07-11

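    Networking requirements:

    1. PC1, PC2, PC3 and PC4 can all reach lo0 (8.8.8.8) on the internet router.

    2. PC1 and PC4 reach the Internet through the telecom ISP; PC2 and PC3 reach the Internet through the unicom ISP.

    Requirements analysis:

    1. The internet router simulates the public network and 8.8.8.8 simulates a public IP. The telecom ISP and unicom ISP routers simulate the two carriers. The egress router is the enterprise's egress router. OSPF runs on the directly connected links between these four routers, providing dynamic routing and connectivity among them.

    2. OSPF runs on the directly connected link between the egress router and the layer-3 switch so that routing information is synchronized dynamically.

    3. NAT is configured on the egress router's internal-network port to translate between internal and external IP addresses.

    4. The internal network is divided into VLANs and each PC is placed in its VLAN; inter-VLAN routing is configured directly on the layer-3 switch.

    5. Policy-based routing is configured on the egress router to match packets by specific source and destination addresses and forward them as specified.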

     

    Configuration procedure

    I. Configure OSPF area 0

    Internet router configuration:

    [internet]int gi 0/0/0
    [internet-GigabitEthernet0/0/0]ip addr 100.1.1.1 24
    [internet-GigabitEthernet0/0/0]int gi 0/0/1
    [internet-GigabitEthernet0/0/1]ip addr 200.1.1.1 24
    [internet-GigabitEthernet0/0/1]int lo0
    [internet-LoopBack0]ip addr 8.8.8.8 32
    [internet-LoopBack0]router id 1.1.1.1
    [internet]ospf
    [internet-ospf-1]area 0
    [internet-ospf-1-area-0.0.0.0]network 100.1.1.1 0.0.0.0
    [internet-ospf-1-area-0.0.0.0]network 200.1.1.1 0.0.0.0
    [internet-ospf-1-area-0.0.0.0]network 8.8.8.8 0.0.0.0

    Telecom ISP router configuration:

    [telecom]int gi0/0/0
    [telecom-GigabitEthernet0/0/0]ip addr 100.1.1.2 24
    [telecom-GigabitEthernet0/0/0]int gi 0/0/1
    [telecom-GigabitEthernet0/0/1]ip addr 10.1.1.2 24
    [telecom-GigabitEthernet0/0/1]router id 2.2.2.2
    [telecom]ospf
    [telecom-ospf-1]area 0
    [telecom-ospf-1-area-0.0.0.0]network 100.1.1.2 0.0.0.0
    [telecom-ospf-1-area-0.0.0.0]network 10.1.1.2 0.0.0.0

    Unicom ISP router configuration:

    [unicom]int gi 0/0/0
    [unicom-GigabitEthernet0/0/0]ip addr 200.1.1.2 24
    [unicom-GigabitEthernet0/0/0]int gi 0/0/1
    [unicom-GigabitEthernet0/0/1]ip addr 20.1.1.2 24
    [unicom-GigabitEthernet0/0/1]q
    [unicom]router id 3.3.3.3
    [unicom]ospf
    [unicom-ospf-1]area 0
    [unicom-ospf-1-area-0.0.0.0]network 200.1.1.2 0.0.0.0
    [unicom-ospf-1-area-0.0.0.0]network 20.1.1.2 0.0.0.0

    Egress router configuration:

    [Huawei]int gi 0/0/0
    [Huawei-GigabitEthernet0/0/0]ip addr 10.1.1.1 24
    [Huawei-GigabitEthernet0/0/0]int gi0/0/1
    [Huawei-GigabitEthernet0/0/1]ip addr 20.1.1.1 24
    [Huawei-GigabitEthernet0/0/1]q
    [Huawei]router id 4.4.4.4
    [Huawei]ospf
    [Huawei-ospf-1]area 0
    [Huawei-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
    [Huawei-ospf-1-area-0.0.0.0]network 20.1.1.1 0.0.0.0

    The OSPF area 0 configuration provides connectivity among the four routers.

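    II. Configure OSPF area 1

    OSPF dynamic routing is also configured between the egress router and the layer-3 switch. Because the layer-3 switch's gi0/0/1 port cannot be configured with an IP address, the port is assigned to VLAN 100 and the IP address is configured on vlanif100.

    Egress router configuration:

    [Huawei]int gi 0/0/2
    [Huawei-GigabitEthernet0/0/2]ip addr 1.1.1.1 24
    [Huawei-GigabitEthernet0/0/2]q
    [Huawei]ospf
    [Huawei-ospf-1]area 1
    [Huawei-ospf-1-area-0.0.0.1]network 1.1.1.0 0.0.0.255
    [Huawei-ospf-1-area-0.0.0.1]int gi 0/0/2
    [Huawei-GigabitEthernet0/0/2]ospf network-type p2p

    Layer-3 switch configuration (the two ends of the link need different addresses in 1.1.1.0/24; the source listed 1.1.1.1 on both, so 1.1.1.2 is assumed here for the switch side):

    [Huawei]vlan 100
    [Huawei-vlan100]int vlanif 100
    [Huawei-Vlanif100]ip addr 1.1.1.2 24
    [Huawei-Vlanif100]q

    Be sure to associate vlanif100 with the port:

    [Huawei]int gi 0/0/1
    [Huawei-GigabitEthernet0/0/1]portswitch
    [Huawei-GigabitEthernet0/0/1]port link-type access
    [Huawei-GigabitEthernet0/0/1]port default vlan 100
    [Huawei-GigabitEthernet0/0/1]q
    [Huawei]ospf
    [Huawei-ospf-1]area 1
    [Huawei-ospf-1-area-0.0.0.1]network 1.1.1.0 0.0.0.255
    [Huawei-ospf-1-area-0.0.0.1]q
    [Huawei-ospf-1]silent-interface gi 0/0/2
    [Huawei-ospf-1]silent-interface gi 0/0/3

    Capturing packets on the directly connected link confirms that the OSPF adjacency has been established.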

    III. Configure NAT (Easy-IP)

    Configure NAT on the egress router to dynamically map the LAN subnets (192.168.1.0/24 and 192.168.2.0/24) to the external IPs 10.1.1.1 and 20.1.1.1.

    [Huawei]acl 2001
    [Huawei-acl-basic-2001]dis th
    [Huawei-acl-basic-2001]rule permit source 192.168.1.0 0.0.0.255
    [Huawei-acl-basic-2001]rule permit source 192.168.2.0 0.0.0.255
    [Huawei-acl-basic-2001]q
    [Huawei]int gi 0/0/0
    [Huawei-GigabitEthernet0/0/0]nat outbound 2001
    [Huawei-GigabitEthernet0/0/0]int gi0/0/1
    [Huawei-GigabitEthernet0/0/1]nat outbound 2001

     

    IV. Create the VLANs

    Layer-3 switch configuration:

    [Huawei]vlan batch 10 20
    [Huawei]int gi 0/0/2
    [Huawei-GigabitEthernet0/0/2]port link-type trunk
    [Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
    [Huawei-GigabitEthernet0/0/2]q
    [Huawei]int gi 0/0/3
    [Huawei-GigabitEthernet0/0/3]port link-type trunk
    [Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20
    [Huawei-GigabitEthernet0/0/3]q
    [Huawei]int vlanif 10
    [Huawei-Vlanif10]ip addr 192.168.1.254 24
    [Huawei-Vlanif10]int vlanif 20
    [Huawei-Vlanif20]ip addr 192.168.2.254 24

    Layer-2 switch A configuration:

    [L2swA]vlan batch 10 20
    [L2swA]int gi 0/0/1
    [L2swA-GigabitEthernet0/0/1]port link-type trunk
    [L2swA-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
    [L2swA-GigabitEthernet0/0/1]q
    [L2swA]int gi 0/0/2
    [L2swA-GigabitEthernet0/0/2]port link-type access
    [L2swA-GigabitEthernet0/0/2]port default vlan 10
    [L2swA-GigabitEthernet0/0/2]int gi 0/0/3
    [L2swA-GigabitEthernet0/0/3]port link-type access
    [L2swA-GigabitEthernet0/0/3]port default vlan 10

    Layer-2 switch B configuration:

    [L2swB]vlan batch 10 20
    Info: This operation may take a few seconds. Please wait for a moment...done.
    [L2swB]int gi 0/0/1
    [L2swB-GigabitEthernet0/0/1]port link-type trunk
    [L2swB-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
    [L2swB-GigabitEthernet0/0/1]int gi 0/0/2
    [L2swB-GigabitEthernet0/0/2]port link-type access
    [L2swB-GigabitEthernet0/0/2]port default vlan 20
    [L2swB-GigabitEthernet0/0/2]int gi 0/0/3
    [L2swB-GigabitEthernet0/0/3]port link-type access
    [L2swB-GigabitEthernet0/0/3]port default vlan 20

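    PC1, PC2, PC3 and PC4 configuration; the figure below uses PC1 as the example.

    After the above configuration is complete, PC1, PC2, PC3 and PC4 can all reach the Internet (8.8.8.8).

    By default the routes through the telecom router and the unicom router are equal-cost, which means the ISP a LAN PC uses to reach the Internet is chosen at random.

    To have PC1 and PC4 reach the Internet through ISP telecom, and PC2 and PC3 reach the Internet through ISP unicom, policy-based routing still has to be configured.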

    V. Policy-based routing configuration

    Egress router configuration:

    1. Configure the ACLs

    <Huawei>sys
    [Huawei]acl 3001
    [Huawei-acl-adv-3001]rule permit ip source 192.168.1.1 0.0.0.0
    [Huawei-acl-adv-3001]rule permit ip source 192.168.2.1 0.0.0.0
    [Huawei-acl-adv-3001]acl 3002
    [Huawei-acl-adv-3002]rule permit ip source 192.168.1.2 0.0.0.0
    [Huawei-acl-adv-3002]rule permit ip source 192.168.2.2 0.0.0.0
    [Huawei-acl-adv-3002]q
    [Huawei]acl 3003
    [Huawei-acl-adv-3003]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.254 0
    [Huawei-acl-adv-3003]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.2.254 0
    [Huawei-acl-adv-3003]q

    2. Configure the traffic classifiers

    [Huawei]traffic classifier c1
    [Huawei-classifier-c1]if-match acl 3001
    [Huawei-classifier-c1]traffic classifier c2
    [Huawei-classifier-c2]if-match acl 3002
    [Huawei-classifier-c2]traffic classifier c3
    [Huawei-classifier-c3]if-match acl 3003
    [Huawei-classifier-c3]q

    3. Configure the traffic behaviors

    [Huawei]traffic behavior b1
    [Huawei-behavior-b1]redirect ip-nexthop 10.1.1.2
    [Huawei-behavior-b1]traffic behavior b2
    [Huawei-behavior-b2]redirect ip-nexthop 20.1.1.2
    [Huawei-behavior-b2]traffic behavior b3
    [Huawei-behavior-b3]permit
    [Huawei-behavior-b3]q

    4. Configure the traffic policy

    [Huawei]traffic policy p1
    [Huawei-trafficpolicy-p1]classifier c3 behavior b3
    [Huawei-trafficpolicy-p1]classifier c1 behavior b1
    [Huawei-trafficpolicy-p1]classifier c2 behavior b2
    [Huawei-trafficpolicy-p1]q

    5. Apply the traffic policy

    [Huawei]int gi 0/0/2
    [Huawei-GigabitEthernet0/0/2]traffic-policy p1 inbound
    [Huawei-GigabitEthernet0/0/2]q
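
    Added example (not part of the original article): a Python model of ACLs 3001-3003 and traffic policy p1 from the steps above, useful for checking which exit a given packet takes and which hosts match no classifier and so fall back to the equal-cost routes. It assumes classifiers are evaluated in the order they were bound to p1 with the first match winning; the function names are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")   # rule with no destination clause
HOST = "0.0.0.0"                       # wildcard 0 = exact host

# Rules transcribed from the page: (source, destination), each (address, wildcard)
ACLS = {
    3001: [(("192.168.1.1", HOST), ANY), (("192.168.2.1", HOST), ANY)],
    3002: [(("192.168.1.2", HOST), ANY), (("192.168.2.2", HOST), ANY)],
    3003: [(("192.168.1.0", "0.0.0.255"), ("192.168.1.254", HOST)),
           (("192.168.2.0", "0.0.0.255"), ("192.168.2.254", HOST))],
}

# Traffic policy p1 in binding order: (classifier, ACL, behavior)
POLICY_P1 = [
    ("c3", 3003, "permit"),
    ("c1", 3001, "redirect 10.1.1.2"),
    ("c2", 3002, "redirect 20.1.1.2"),
]

UNMATCHED = "routing table (equal-cost OSPF paths)"

def acl_permits(acl_id, src, dst):
    """True if any permit rule of the ACL matches both source and destination."""
    return any(wildcard_match(src, *s) and wildcard_match(dst, *d)
               for s, d in ACLS[acl_id])

def classify(src, dst, policy=POLICY_P1):
    """Return (classifier, action) of the first matching classifier."""
    for name, acl_id, action in policy:
        if acl_permits(acl_id, src, dst):
            return name, action
    return None, UNMATCHED

def audit(hosts, dst="8.8.8.8"):
    """Map each source host to the action p1 applies to its Internet traffic."""
    return {h: classify(h, dst)[1] for h in hosts}

if __name__ == "__main__":
    # Constructed sample: the four pinned addresses plus one unlisted host.
    for host, action in audit(["192.168.1.1", "192.168.1.2", "192.168.2.1",
                               "192.168.2.2", "192.168.1.50"]).items():
        print(f"{host:<14} -> {action}")
```

    Any address in 192.168.1.0/24 or 192.168.2.0/24 that is not listed in ACL 3001 or 3002 is still translated by ACL 2001 but is not pinned to an ISP.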

     

    Verification after the policy-based routing configuration is complete:
