Simple example of Huawei policy routing/GRE/NAT

Requirements background

Requirement 1: The head office has a director's office network and an employee network, and two egress lines: 1.1.1.2 is a China Telecom 1 Gbps high-speed line, and 2.2.2.2 is a China Mobile 100 Mbps low-speed dedicated line. The company wants the director's office network 192.168.1.0/24 to always use the 1 Gbps line, while the employees use the China Mobile 100 Mbps line.

Idea: Use policy-based routing to match the internal traffic and redirect it to the chosen public egress next hop, and use NAT so that the private internal addresses are translated to the public IP of that egress when accessing the Internet.

Requirement 2: The head office and the branch office intranets need to reach each other directly. The company wants a GRE tunnel (VPN) between the two sites so that the internal networks of the head office and the branch office can communicate.

Idea: Deploy a GRE tunnel between the egress routers of the head office and the branch office and route the intranet traffic through it. GRE only encapsulates the traffic; it does not encrypt or authenticate it, so confidentiality across the public links would require IPsec on top of the tunnel.

Network topology

Step 1: Connect the basic network devices so that they can access each other

LSW1

<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center en
Info: Information center is disabled.
[Huawei]sysname LSW1	
[LSW1]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.	
[LSW1]vlan batch  10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.

[LSW1]interface Vlanif 10
[LSW1-Vlanif10]ip address  10.1.1.2 24
[LSW1-Vlanif10]quit

[LSW1]interface Vlanif 20
[LSW1-Vlanif20]ip address 192.168.1.1 24
[LSW1-Vlanif20]dhcp se in
[LSW1-Vlanif20]quit
	
[LSW1]interface Vlanif 30
[LSW1-Vlanif30]ip address  192.168.2.1 24
[LSW1-Vlanif30]dhcp select interface 
[LSW1-Vlanif30]quit

[LSW1]interface GigabitEthernet 0/0/1	
[LSW1-GigabitEthernet0/0/1]port link-type access 
[LSW1-GigabitEthernet0/0/1]port default vlan 10
[LSW1-GigabitEthernet0/0/1]quit

[LSW1]interface GigabitEthernet 0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type access 
[LSW1-GigabitEthernet0/0/3]port default vlan 20
[LSW1-GigabitEthernet0/0/3]stp edged-port enable 
[LSW1-GigabitEthernet0/0/3]quit

[LSW1]interface GigabitEthernet 0/0/4	
[LSW1-GigabitEthernet0/0/4]port link-type access 	
[LSW1-GigabitEthernet0/0/4]port default vlan 30
[LSW1-GigabitEthernet0/0/4]stp edged-port enable 
[LSW1-GigabitEthernet0/0/4]quit
[LSW1]
[LSW1]
[LSW1]ospf 1	
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network  192.168.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network  192.168.2.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network  10.1.1.2 0.0.0.0
[LSW1-ospf-1-area-0.0.0.0]quit
[LSW1-ospf-1]quit
[LSW1]
[LSW1]ip route-static 0.0.0.0 0 10.1.1.1  // configure a default route: all packets are sent to the router gateway

AR1 [headquarters router]


<Huawei>sy
Enter system view, return user view with Ctrl+Z.	
[Huawei]undo  info-center e
Info: Information center is disabled.
[Huawei]sysname AR1

[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 10.1.1.1 24
[AR1-GigabitEthernet0/0/0]quit	
[AR1]ospf 1
[AR1-ospf-1]area  0 
[AR1-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]quit
[AR1-ospf-1]quit
// bring up the internal network, check the routing table, and ping the clients that obtained an IP address: the test is normal

Configure the public network IPs
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address  1.1.1.2 24
[AR1-GigabitEthernet0/0/1]quit

[AR1]interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address  2.2.2.2 24
[AR1-GigabitEthernet0/0/2]quit
[AR1]

AR6 [branch router]

[Huawei]sysname AR6
[AR6]undo  info-center enable 
Info: Information center is disabled.
[AR6]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[AR6]interface GigabitEthernet 0/0/1
[AR6-GigabitEthernet0/0/1]ip address 172.16.1.1 24
[AR6-GigabitEthernet0/0/1]dhcp  select interface 
[AR6-GigabitEthernet0/0/1]quit
// configure the branch office internal network


Configure the public network IP
[AR6]interface GigabitEthernet 0/0/0
[AR6-GigabitEthernet0/0/0]ip address  100.1.1.2 24
[AR6-GigabitEthernet0/0/0]quit
[AR6]

Configure the carrier-side devices so that they simulate the ISP and the public network addresses are mutually reachable. That configuration is omitted here; I used OSPF on the carrier devices so that the public IPs are reachable.

Requirement 1 experiment configuration [headquarters]

// use ACLs to match the two internal network segments
[AR1]acl 3000
[AR1-acl-adv-3000]rule  permit ip source 192.168.1.0 0.0.0.255
[AR1-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255
[AR1-acl-adv-3000]quit
// ACL 3001 (director's office subnet) and ACL 3002 (employee subnet) are referenced by the traffic classifiers below but were not shown in the original capture; their assumed definitions follow
[AR1]acl 3001
[AR1-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255
[AR1-acl-adv-3001]quit
[AR1]acl 3002
[AR1-acl-adv-3002]rule permit ip source 192.168.2.0 0.0.0.255
[AR1-acl-adv-3002]quit

// write two default routes to the public network so that both egress links are reachable
[AR1]ip route-static 0.0.0.0 0  1.1.1.1 
[AR1]ip route-static 0.0.0.0 0 2.2.2.1

// configure Easy NAT on each of the two egress interfaces so that the internal network can reach the public network
[AR1]interface GigabitEthernet 0/0/1	
[AR1-GigabitEthernet0/0/1]nat outbound 3000
[AR1-GigabitEthernet0/0/1]quit

[AR1]interface GigabitEthernet 0/0/2	
[AR1-GigabitEthernet0/0/2]nat outbound 3000
[AR1-GigabitEthernet0/0/2]quit
[AR1]

[AR1]traffic classifier dongshi operator or  // create the director's office traffic classifier
[AR1-classifier-dongshi]if-match acl 3001  // match the director's office subnet
[AR1-classifier-dongshi]quit
[AR1]traffic behavior dongshi  // define the traffic behavior
[AR1-behavior-dongshi]redirect ip-nexthop 1.1.1.1  // redirect the next hop to the China Telecom high-speed link
[AR1-behavior-dongshi]quit

[AR1]traffic classifier yuangon operator or  // create the employee network traffic classifier
[AR1-classifier-yuangon]if-match acl 3002  // match the employee subnet
[AR1-classifier-yuangon]quit
[AR1]traffic behavior yuangon
[AR1-behavior-yuangon]redirect ip-nexthop 2.2.2.1  // redirect the next hop to the China Mobile low-speed link
[AR1-behavior-yuangon]quit

[AR1]traffic policy company  // create the "company" traffic policy
[AR1-trafficpolicy-company]classifier dongshi behavior dongshi  // apply the director's office policy
[AR1-trafficpolicy-company]classifier yuangon behavior yuangon  // apply the employee network policy
[AR1-trafficpolicy-company]quit

[AR1]interface GigabitEthernet 0/0/0  // apply the traffic policy to the intranet traffic entering this interface
[AR1-GigabitEthernet0/0/0]traffic-policy company inbound 
[AR1-GigabitEthernet0/0/0]quit
[AR1]
<AR1>
Note: when redirecting, be very careful not to mistype the next-hop IP address, otherwise the redirect will not take effect.
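As an added check that is not part of the original post, the script below lints a constructed excerpt of the AR1 commands shown above for the two mistakes this configuration is exposed to: a classifier that references an ACL that was never created, and a redirect next hop that is not on any connected subnet (the mistyped next hop the note above warns about). The config text is constructed for this example, with ACLs 3001/3002 left undefined and one next hop deliberately mistyped.

```python
import ipaddress
import re

# Constructed excerpt of the AR1 commands from this post (not a saved router config).
# Two deliberate mistakes are planted: the classifiers reference ACLs 3001/3002 that are
# never created, and the employee next hop is mistyped as 22.2.2.1 instead of 2.2.2.1.
AR1_CONFIG = """
interface GigabitEthernet 0/0/0
 ip address 10.1.1.1 24
interface GigabitEthernet 0/0/1
 ip address 1.1.1.2 24
 nat outbound 3000
interface GigabitEthernet 0/0/2
 ip address 2.2.2.2 24
 nat outbound 3000
acl 3000
 rule permit ip source 192.168.1.0 0.0.0.255
 rule permit ip source 192.168.2.0 0.0.0.255
traffic classifier dongshi operator or
 if-match acl 3001
traffic behavior dongshi
 redirect ip-nexthop 1.1.1.1
traffic classifier yuangon operator or
 if-match acl 3002
traffic behavior yuangon
 redirect ip-nexthop 22.2.2.1
"""


def lint(config):
    """Return findings for undefined ACL references and next hops on no connected subnet."""
    defined, refs, networks, nexthops = set(), [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl (\d+)$", line):
            defined.add(m.group(1))                       # "acl <number>" creates the ACL
        elif m := re.match(r"(?:if-match acl|nat outbound) (\d+)", line):
            refs.append((m.group(1), line))               # commands that consume an ACL
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            # VRP accepts a prefix length or a dotted mask; ipaddress parses both forms
            networks.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
        elif m := re.match(r"redirect ip-nexthop (\S+)", line):
            nexthops.append(ipaddress.ip_address(m.group(1)))
    findings = [f"'{line}' references ACL {acl}, which is never defined"
                for acl, line in refs if acl not in defined]
    findings += [f"redirect next hop {nh} is not on any connected subnet, so the redirect will not take effect"
                 for nh in nexthops if not any(nh in net for net in networks)]
    return findings


if __name__ == "__main__":
    for finding in lint(AR1_CONFIG):
        print("WARN:", finding)
```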

Requirement 1 test:

PC1 test

Before applying the policy, the traffic took the China Mobile low-speed link
PC>tracert 3.3.3.1

traceroute to 3.3.3.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  192.168.1.1   31 ms  15 ms  32 ms
 2    *  *  *
 3  2.2.2.1   47 ms  46 ms  63 ms
 4  5.5.5.2   62 ms  32 ms  47 ms
 5  4.4.4.1   78 ms  62 ms  63 ms
 6  3.3.3.1   93 ms  63 ms  62 ms


After applying the policy, the traffic takes the China Telecom high-speed link
PC>
PC>
PC>tracert 3.3.3.1

traceroute to 3.3.3.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  192.168.1.1   32 ms  15 ms  31 ms
 2    *  *  *
 3  3.3.3.1   63 ms  62 ms  47 ms
// Note: 3.3.3.1 and 1.1.1.1 are on the same device, so this trace does confirm that the traffic left through the 1.1.1.1 egress

PC2 test

Before applying the traffic policy, the employee network took the China Telecom high-speed path


PC>tracert 1.1.1.1

traceroute to 1.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  192.168.2.1   16 ms  15 ms  32 ms
 2    *  *  *
 3  1.1.1.1   31 ms  47 ms  47 ms

After applying the traffic policy, whichever public IP address is the target, the traffic takes the low-speed link shown below
PC>
PC>tracert 1.1.1.1

traceroute to 1.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  192.168.2.1   32 ms  15 ms  32 ms
 2    *  *  *
 3  2.2.2.1   46 ms  47 ms  47 ms
 4  5.5.5.2   63 ms  47 ms  78 ms
 5  4.4.4.1   62 ms  63 ms  78 ms
 6  1.1.1.1   62 ms  63 ms  78 ms

Branch office intranet PC access to the public network


[AR6]ip route-static 0.0.0.0  0 100.1.1.1
[AR6]acl 3000
[AR6-acl-adv-3000]rule  permit  ip source 172.16.1.0 0.0.0.255
[AR6-acl-adv-3000]quit
	
[AR6]interface GigabitEthernet 0/0/0	
[AR6-GigabitEthernet0/0/0]nat outbound 3000
[AR6-GigabitEthernet0/0/0]quit
[AR6]
[AR6]
Branch office PC test: pinging the public network IP addresses is reachable, which proves the setup is OK

PC>ping 4.4.4.4

Ping 4.4.4.4: 32 data bytes, Press Ctrl_C to break
Request timeout!

--- 4.4.4.4 ping statistics ---
  2 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC>ping 4.4.4.1

Ping 4.4.4.1: 32 data bytes, Press Ctrl_C to break
From 4.4.4.1: bytes=32 seq=1 ttl=253 time=31 ms
From 4.4.4.1: bytes=32 seq=2 ttl=253 time=31 ms
From 4.4.4.1: bytes=32 seq=3 ttl=253 time=16 ms
From 4.4.4.1: bytes=32 seq=4 ttl=253 time=31 ms
From 4.4.4.1: bytes=32 seq=5 ttl=253 time=31 ms

--- 4.4.4.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 16/28/31 ms

PC>ping 1.1.1.1

Ping 1.1.1.1: 32 data bytes, Press Ctrl_C to break
From 1.1.1.1: bytes=32 seq=1 ttl=252 time=32 ms
From 1.1.1.1: bytes=32 seq=2 ttl=252 time=31 ms
From 1.1.1.1: bytes=32 seq=3 ttl=252 time=31 ms
From 1.1.1.1: bytes=32 seq=4 ttl=252 time=31 ms
From 1.1.1.1: bytes=32 seq=5 ttl=252 time=16 ms

--- 1.1.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 16/28/32 ms

PC>

Requirement 2 experiment configuration


Head office router configuration: a static route sends the traffic destined for 172.16.1.0/24 out through the tunnel interface

#
interface Tunnel0/0/0
 ip address 192.168.100.1 255.255.255.0 
 tunnel-protocol gre
 source 1.1.1.2
 destination 100.1.1.2
#
ip route-static 172.16.1.0 255.255.255.0 Tunnel0/0/0
#



Branch office router configuration: static routes through the tunnel provide the mutual access
#
interface Tunnel0/0/0
 ip address 192.168.100.2 255.255.255.0 
 tunnel-protocol gre
 source 100.1.1.2
 destination 1.1.1.2
#
ip route-static 192.168.1.0 255.255.255.0 Tunnel0/0/0
ip route-static 192.168.2.0 255.255.255.0 Tunnel0/0/0

=====================================================================================
Ping test from the two clients
Head office PC1
PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe47:2689
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.1
Physical address..................: 54-89-98-47-26-89
DNS server........................:

PC>ping 172.16.1.254

Ping 172.16.1.254: 32 data bytes, Press Ctrl_C to break
From 172.16.1.254: bytes=32 seq=1 ttl=125 time=78 ms
From 172.16.1.254: bytes=32 seq=2 ttl=125 time=62 ms
From 172.16.1.254: bytes=32 seq=3 ttl=125 time=78 ms
From 172.16.1.254: bytes=32 seq=4 ttl=125 time=63 ms
From 172.16.1.254: bytes=32 seq=5 ttl=125 time=62 ms

--- 172.16.1.254 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 62/68/78 ms

PC>
=====================================================================================
Branch office PC (behind AR6)

PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe5d:62fe
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 172.16.1.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 172.16.1.1
Physical address..................: 54-89-98-5D-62-FE
DNS server........................:

PC>
PC>PING 192.168.1.254

Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.1.254: bytes=32 seq=2 ttl=125 time=78 ms
From 192.168.1.254: bytes=32 seq=3 ttl=125 time=63 ms
From 192.168.1.254: bytes=32 seq=4 ttl=125 time=78 ms
From 192.168.1.254: bytes=32 seq=5 ttl=125 time=78 ms

--- 192.168.1.254 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/74/78 ms

PC>

Origin blog.csdn.net/NeverGUM/article/details/113064367