Huawei bypass-router networking: using vpn-instance to steer Internet-bound traffic

The final effect: when pc1 accesses the public network, its traffic goes out through the bypass router AR3, and the return packets come back to pc1 through AR3 as well.

Core switch configuration:

[Huawei]dis current-configuration

sysname Huawei

vlan batch 10 20 100 200

dhcp enable

ip vpn-instance a //Define vpn instance a
ipv4-family

ip vpn-instance b //Define vpn instance b
ipv4-family

interface Vlanif10
ip binding vpn-instance a //Bind the intranet interface to vpn instance a
ip address 192.168.10.1 255.255.255.0
dhcp select interface

interface Vlanif20
ip binding vpn-instance b //Interface toward the egress router, bound to vpn instance b
ip address 192.168.20.2 255.255.255.0

interface Vlanif100
ip binding vpn-instance a //Link to the bypass router on the intranet side, bound to vpn instance a
ip address 192.168.100.2 255.255.255.0

interface Vlanif200
ip binding vpn-instance b //Link to the bypass router on the egress side, bound to vpn instance b
ip address 192.168.200.2 255.255.255.0

interface GigabitEthernet0/0/1 //Add the interface to vlan
port link-type access
port default vlan 10

interface GigabitEthernet0/0/2 //Interface toward the bypass router; trunk carrying both VLANs
port link-type trunk
port trunk allow-pass vlan 100 200

interface GigabitEthernet0/0/3 //Connect to the egress router interface
port link-type access
port default vlan 20

ip route-static vpn-instance a 0.0.0.0 0.0.0.0 192.168.100.1
//Default route in vpn instance a: intranet packets bound for the Internet are handed to the bypass router
ip route-static vpn-instance b 0.0.0.0 0.0.0.0 192.168.20.1
//Default route in vpn instance b: packets coming back from the bypass router continue to the egress router
ip route-static vpn-instance b 192.168.10.0 255.255.255.0 192.168.200.1
//Return route for packets coming back from the external network
ip route-static vpn-instance b 192.168.100.0 255.255.255.0 192.168.200.1
//Return route for packets coming back from the external network

Bypass router configuration:

interface GigabitEthernet0/0/0.100 //One-arm routing sub-interface toward the intranet
dot1q termination vid 100
ip address 192.168.100.1 255.255.255.0
arp broadcast enable

interface GigabitEthernet0/0/0.200 //One-arm routing sub-interface toward the egress router
dot1q termination vid 200
ip address 192.168.200.1 255.255.255.0
arp broadcast enable

ip route-static 0.0.0.0 0.0.0.0 192.168.200.2
//Default route for internal computers to access the public network
ip route-static 192.168.10.0 255.255.255.0 192.168.100.2
//External network return route

Egress router configuration:

acl number 2000 //Match Internet traffic
rule 15 permit source 192.168.0.0 0.0.255.255

interface GigabitEthernet0/0/0 //External network port
ip address 1.1.1.1 255.255.255.0
nat outbound 2000

interface GigabitEthernet0/0/1 //Connect to the internal network port
ip address 192.168.20.1 255.255.255.0

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Default route to the Internet
ip route-static 192.168.10.0 255.255.255.0 192.168.20.2 //Internal return routing
ip route-static 192.168.100.0 255.255.255.0 192.168.20.2 //Internal return routing
ip route-static 192.168.200.0 255.255.255.0 192.168.20.2 //Internal return routing
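
The forwarding path these three configurations produce can be checked offline. The Python code below is an added example, not part of the original post: it rebuilds each routing table from the addresses and static routes above and follows next hops from table to table, so the outbound and return paths through AR3 become visible. The labels SW and EGRESS, the destination 8.8.8.8 and the host address 192.168.10.50 are assumptions made for the example.

```python
import ipaddress as ip

# Tables keyed by (device, vrf); addresses and routes copied from the configs above.
# "SW" and "EGRESS" are labels assumed here for the core switch and egress router.
IFACES = {
    ("SW", "a"): ["192.168.10.1/24", "192.168.100.2/24"],
    ("SW", "b"): ["192.168.20.2/24", "192.168.200.2/24"],
    ("AR3", "-"): ["192.168.100.1/24", "192.168.200.1/24"],
    ("EGRESS", "-"): ["1.1.1.1/24", "192.168.20.1/24"],
}
STATIC = {
    ("SW", "a"): [("0.0.0.0/0", "192.168.100.1")],
    ("SW", "b"): [("0.0.0.0/0", "192.168.20.1"), ("192.168.10.0/24", "192.168.200.1"),
                  ("192.168.100.0/24", "192.168.200.1")],
    ("AR3", "-"): [("0.0.0.0/0", "192.168.200.2"), ("192.168.10.0/24", "192.168.100.2")],
    ("EGRESS", "-"): [("0.0.0.0/0", "1.1.1.2"), ("192.168.10.0/24", "192.168.20.2"),
                      ("192.168.100.0/24", "192.168.20.2"), ("192.168.200.0/24", "192.168.20.2")],
}
# Interface address -> table that owns it (used to find where a next hop lives).
OWNER = {str(ip.ip_interface(i).ip): node for node, ifs in IFACES.items() for i in ifs}

def lookup(node, dst):
    """Longest-prefix match in one table; a next hop of None means directly connected."""
    nets = [ip.ip_interface(i).network for i in IFACES[node]]
    routes = [(n, None) for n in nets]
    # Model simplification: a static route is active only if its next hop is on a
    # subnet connected to this same table, which is what keeps the two VRFs apart.
    routes += [(ip.ip_network(p), nh) for p, nh in STATIC[node]
               if any(ip.ip_address(nh) in n for n in nets)]
    hits = [r for r in routes if ip.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(start, dst, max_hops=8):
    """Follow next hops table by table; returns the tables traversed plus the outcome."""
    path, node = [start], start
    for _ in range(max_hops):
        hit = lookup(node, dst)
        if hit is None:
            return path + ["DROP"]
        if hit[1] is None:
            return path + ["DELIVERED"]
        node = OWNER.get(hit[1])
        if node is None:
            return path + ["EXIT via " + hit[1]]
        path.append(node)
    return path + ["LOOP"]

if __name__ == "__main__":
    print(trace(("SW", "a"), "8.8.8.8"))            # pc1 -> Internet (constructed destination)
    print(trace(("EGRESS", "-"), "192.168.10.50"))  # reply to pc1 (constructed host address)
```

Both traces pass through AR3 between vpn instance a and vpn instance b; pointing the vpn instance a default route straight at 192.168.20.1 yields DROP in this model, because that next hop is not reachable from instance a.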

Origin blog.csdn.net/ydaxia110/article/details/134634638