最终实现效果:PC1访问公网的流量先绕行旁挂路由器AR3,再经出口路由器出去;回包同样绕行旁挂路由器AR3后返回PC1。
核心交换机配置:
[Huawei]dis current-configuration
sysname Huawei
vlan batch 10 20 100 200
dhcp enable
ip vpn-instance a //定义vpn实例a
ipv4-family
ip vpn-instance b //定义vpn实例b
ipv4-family
interface Vlanif10
ip binding vpn-instance a //内网关联vpn实例a
ip address 192.168.10.1 255.255.255.0
dhcp select interface
interface Vlanif20
ip binding vpn-instance b //连接出口路由关联vpn实例b
ip address 192.168.20.2 255.255.255.0
interface Vlanif100
ip binding vpn-instance a //与旁挂路由器互联(内网侧),绑定vpn实例a
ip address 192.168.100.2 255.255.255.0
interface Vlanif200
ip binding vpn-instance b //与旁挂路由器互联(出口侧),绑定vpn实例b
ip address 192.168.200.2 255.255.255.0
interface GigabitEthernet0/0/1 //接口加入vlan
port link-type access
port default vlan 10
interface GigabitEthernet0/0/2 //连接旁挂路由接口放行两个vlan
port link-type trunk
port trunk allow-pass vlan 100 200
interface GigabitEthernet0/0/3 //连接出口路由器接口
port link-type access
port default vlan 20
ip route-static vpn-instance a 0.0.0.0 0.0.0.0 192.168.100.1
//vpn实例a的默认路由:内网上网的流量由核心交换机送往旁挂路由器(192.168.100.1)
ip route-static vpn-instance b 0.0.0.0 0.0.0.0 192.168.20.1
//vpn实例b的默认路由:经旁挂路由器绕行回来的上网流量继续送往出口路由器(192.168.20.1)
ip route-static vpn-instance b 192.168.10.0 255.255.255.0 192.168.200.1
//回包路由:去往内网192.168.10.0/24的流量先交给旁挂路由器(192.168.200.1)
ip route-static vpn-instance b 192.168.100.0 255.255.255.0 192.168.200.1
//回包路由:去往互联网段192.168.100.0/24的流量同样交给旁挂路由器(192.168.200.1)
旁挂路由器配置
interface GigabitEthernet0/0/0.100 //单臂路由子接口连接内网
dot1q termination vid 100
ip address 192.168.100.1 255.255.255.0
arp broadcast enable
interface GigabitEthernet0/0/0.200 //单臂路由子接口连接出口路由
dot1q termination vid 200
ip address 192.168.200.1 255.255.255.0
arp broadcast enable
ip route-static 0.0.0.0 0.0.0.0 192.168.200.2
//内部电脑访问公网默认路由
ip route-static 192.168.10.0 255.255.255.0 192.168.100.2
//回包路由:去往内网192.168.10.0/24的流量交回核心交换机vpn实例a侧(192.168.100.2)
出口路由器配置:
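acl number 2000 //匹配上网的流量(注意:下面的规则匹配整个192.168.0.0/16,范围大于实际使用的网段;如果只希望用户网段192.168.10.0/24做NAT上网,可收窄为 source 192.168.10.0 0.0.0.255)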
rule 15 permit source 192.168.0.0 0.0.255.255
interface GigabitEthernet0/0/0 //外网口
ip address 1.1.1.1 255.255.255.0
nat outbound 2000
interface GigabitEthernet0/0/1 //连接内网口
ip address 192.168.20.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //上网默认常规路由
ip route-static 192.168.10.0 255.255.255.0 192.168.20.2 //内部回包路由
ip route-static 192.168.100.0 255.255.255.0 192.168.20.2 //内部回包路由
ip route-static 192.168.200.0 255.255.255.0 192.168.20.2 //内部回包路由