H3C campus network equipment dual-exit configuration

Post outline:

  • First, which policy is used?
  • Second, H3C dual-exit configuration.
    (1) Configure Easy IP mapping
    (2) PBR
    (3) Configure NAT Server mapping

First, which policy is used?

Once an H3C device has two exits, the concept of policy-based routing (PBR) cannot be avoided. So what exactly is policy-based routing?

Ordinary routing forwards according to the routing table, based on the destination address of the IP packet; PBR is a mechanism that routes according to a user-defined policy. Even when the routing table has already been generated, PBR does not forward according to it but changes the forwarding path according to the configured policy.

A routing policy operates on routing information: it affects forwarding indirectly, mainly by filtering routes or changing their attributes and parameters. PBR operates on packets: it directly steers forwarding according to the configured policy.

PBR is usually divided into two types: IP unicast PBR and IP multicast PBR.

Whether unicast or multicast, configuring PBR involves two things: first, defining which packets need PBR; second, specifying the route for those packets, which is done through a route-policy definition.

This post mainly covers unicast PBR; for multicast PBR refer to the document: IP multicast policy routing.

IP unicast PBR is divided into two kinds: local PBR and interface PBR.

  • Interface PBR: configured in interface view, acting on packets that arrive on that interface.
  • Local PBR: configured in system view, acting on packets generated by the device itself.

PBR can be used for security, load balancing and so on. For ordinary forwarding and security needs, interface PBR is used in most cases.

Second, H3C dual-exit configuration

PBR is configured in the following simulated network environment.

Network environment as follows:

[Figure: network topology]

Environment analysis:

The campus internal network is divided into two segments: the student segment (192.168.2.0), whose main need is access to Internet servers provided by the telecom ISP, and the teaching and office segment (192.168.3.0), whose main need is access to the Education Network. The campus network router is connected to a 20M fibre provided by the telecom ISP and to a 20M fibre to the Education Network (because the H3C simulator cannot simulate PCs and servers, routers are used in their place).

Requirements are as follows:

1) Routing requirements: when either external fibre breaks, the other fibre takes over access to the Internet or Education Network resources that were reached through it.
2) NAT requirements: both exits of the router can do NAT at the same time, so that private addresses inside the campus network can access external resources. The Education Network egress interface also carries a NAT server, so that the server in the teaching segment provides Telnet access to the Education Network.
3) PBR requirements: the teaching segment 192.168.3.0/24 accesses external resources mainly through the Education Network, and the student segment 192.168.2.0/24 accesses the Internet mainly through the telecom exit. When the Education Network fibre fails, the teaching segment can reach its resources through the telecom exit; when the telecom fibre fails, the student segment can reach its resources through the Education Network link.

Start the configuration:

1. R2 router configuration (basic configuration is not commented):

<H3C>sys
[H3C]in g0/1
[H3C-GigabitEthernet0/1]ip add 222.222.222.1 30
[H3C-GigabitEthernet0/1]in g0/0
[H3C-GigabitEthernet0/0]ip add 202.202.202.1 30
[H3C-GigabitEthernet0/0]int loop 0
[H3C-LoopBack0]ip add 202.202.0.1 32
[H3C-LoopBack0]ospf 1           //configure OSPF
[H3C-ospf-1]area 0
[H3C-ospf-1-area-0.0.0.0]net 0.0.0.0 255.255.255.255
//this form of the network statement advertises every segment on this device

2. R3 router configuration:

<H3C>sys
[H3C]in g0/1
[H3C-GigabitEthernet0/1]ip add 222.222.222.2 30
[H3C-GigabitEthernet0/1]in g0/0
[H3C-GigabitEthernet0/0]ip add 200.200.200.1 29
[H3C-GigabitEthernet0/0]in g0/2
[H3C-GigabitEthernet0/2]ip add 202.1.1.1 24
[H3C-GigabitEthernet0/2]quit
[H3C]ospf 1       //configure OSPF
[H3C-ospf-1]area 0
[H3C-ospf-1-area-0.0.0.0]net 0.0.0.0 255.255.255.255

3. PC3 configuration:

[H3C]in g0/0
[H3C-GigabitEthernet0/0]ip add 202.1.1.2 24
[H3C-GigabitEthernet0/0]quit
[H3C]ip route 0.0.0.0 0.0.0.0 202.1.1.1

4. R1 router configuration:

[H3C]in g0/0
[H3C-GigabitEthernet0/0]ip add 202.202.202.2 30
[H3C-GigabitEthernet0/0]in g0/1
[H3C-GigabitEthernet0/1]ip add 200.200.200.2 29
[H3C-GigabitEthernet0/1]in vlan 1    //the VLAN interface needs an IP; it acts as the interface IP of G0/2
[H3C-Vlan-interface1]ip add 192.168.1.1 24
[H3C-Vlan-interface1]in g0/2
[H3C-GigabitEthernet0/2]port link-mode bridge   //switch this interface to bridge (Layer 2) mode
//all interfaces belong to VLAN 1 by default, so G0/2 effectively already uses the VLAN 1 IP address
[H3C]ip route 192.168.2.0 24 192.168.1.2
[H3C]ip route 192.168.3.0 24 192.168.1.2
[H3C]ospf 1           //configure OSPF
[H3C-ospf-1]area 0
[H3C-ospf-1-area-0.0.0.0]net 202.202.202.0 0.0.0.3
[H3C-ospf-1-area-0.0.0.0]net 200.200.200.0 0.0.0.7

5. SW1 configuration:

[H3C]vlan 2 to 3             //create the VLANs
[H3C]in vlan 1
[H3C-Vlan-interface1]ip add 192.168.1.2 24
[H3C-Vlan-interface1]in vlan 2
[H3C-Vlan-interface2]ip add 192.168.2.1 24
[H3C-Vlan-interface2]in vlan 3
[H3C-Vlan-interface3]ip add 192.168.3.1 24
//add the ports to the VLANs
[H3C-Vlan-interface3]in g1/0/2
[H3C-GigabitEthernet1/0/2]port link-type access
[H3C-GigabitEthernet1/0/2]port access vlan 2
[H3C-GigabitEthernet1/0/2]in g1/0/3
[H3C-GigabitEthernet1/0/3]port link-type access
[H3C-GigabitEthernet1/0/3]port access vlan 3
[H3C-GigabitEthernet1/0/3]in g1/0/4
[H3C-GigabitEthernet1/0/4]port link-type access
[H3C-GigabitEthernet1/0/4]port access vlan 3
[H3C]ip route 0.0.0.0 0.0.0.0 192.168.1.1      //configure a default route toward the external network

6. PC1 configuration:

[H3C]in g0/0
[H3C-GigabitEthernet0/0]ip add 192.168.2.100 24
[H3C-GigabitEthernet0/0]ip route 0.0.0.0 0.0.0.0 192.168.2.1      //equivalent to configuring the default gateway

7. PC2 configuration:

[H3C]in g0/0
[H3C-GigabitEthernet0/0]ip add 192.168.3.100 24
[H3C-GigabitEthernet0/0]ip route 0.0.0.0 0.0.0.0 192.168.3.1

8. Server configuration:

[H3C]in g0/0
[H3C-GigabitEthernet0/0]ip add 192.168.3.250 24
[H3C-GigabitEthernet0/0]ip route 0.0.0.0 0.0.0.0 192.168.3.1

After the above configuration, R1 can ping PC3, and PC1, PC2 and the Server can communicate with each other, but none of them can ping the outside network: they only reach 192.168.1.1, not public addresses, because no NAT mapping has been done yet. So configure Easy IP mapping on R1.

(1) Configure Easy IP mapping

1. Easy IP configuration on R1:

//create the ACL
[H3C]acl basic 2001
[H3C-acl-ipv4-basic-2001]rule 0 per source 192.168.2.0 0.0.0.255
[H3C-acl-ipv4-basic-2001]rule 5 per source 192.168.3.0 0.0.0.255
[H3C-acl-ipv4-basic-2001]rule 10 deny
//apply the ACL on both egress interfaces; everything matching ACL 2001 is NAT-translated
[H3C-acl-ipv4-basic-2001]in g0/0
[H3C-GigabitEthernet0/0]nat outbound 2001
[H3C-GigabitEthernet0/0]in g0/1
[H3C-GigabitEthernet0/1]nat outbound 2001
[H3C-GigabitEthernet0/1]quit

After configuring NAT, full network connectivity is achieved.

Test: ping PC3 from PC1:
[Figure: ping output from PC1]

Test: ping PC3 from PC2:
[Figure: ping output from PC2]

View the NAT translations on R1 to check which interface the traffic leaves from.

<H3C>dis nat sess ver //two NAT sessions are generated below, each with a forward and a reverse direction
Slot 0:
Total sessions found: 0
<H3C>dis nat sess ver
Slot 0:
Initiator:
  Source      IP/port: 192.168.2.100/44032     //source address is 192.168.2.100
  Destination IP/port: 202.1.1.2/2048  //destination address is 202.1.1.2
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: Vlan-interface1
Responder:
  Source      IP/port: 202.1.1.2/6       //return traffic from 202.1.1.2
  Destination IP/port: 200.200.200.2/0    //enters the intranet through the 200.200.200.2 interface
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/1
State: ICMP_REPLY
Application: OTHER
Start time: 2019-08-10 02:18:54  TTL: 19s
Initiator->Responder:            0 packets          0 bytes
Responder->Initiator:            0 packets          0 bytes

Initiator:
  Source      IP/port: 192.168.3.100/43008     //source address is 192.168.3.100
  Destination IP/port: 202.1.1.2/2048  //destination address is 202.1.1.2
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: Vlan-interface1
Responder:
  Source      IP/port: 202.1.1.2/7      //return traffic from 202.1.1.2
  Destination IP/port: 200.200.200.2/0    //enters the intranet through the 200.200.200.2 interface
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/1
State: ICMP_REPLY
Application: OTHER
Start time: 2019-08-10 02:19:00  TTL: 25s
Initiator->Responder:            0 packets          0 bytes
Responder->Initiator:            0 packets          0 bytes

Total sessions found: 2

Now you can see that all traffic from the internal network leaves and returns through the 200.200.200.2 interface, which means the 202.202.202.0 link is sitting idle. So now configure policy-based routing to meet the requirement.

(2) PBR

//define an advanced ACL that matches VLAN 3 traffic
[H3C]acl advanced 3000
[H3C-acl-ipv4-adv-3000]rule 0 per ip source 192.168.3.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]quit
[H3C]policy-based-route al permit node 10    //configure the policy-based route
[H3C-pbr-al-10]if-match acl 3000    //if the packet matches ACL 3000
[H3C-pbr-al-10]apply next-hop 202.202.202.1    //then set the next hop to 202.202.202.1
[H3C-pbr-al-10]quit
[H3C]policy-based-route al per node 20  //empty node: lets all other, unmatched traffic through
[H3C-pbr-al-20]int vlan 1
[H3C-Vlan-interface1]ip policy-based-route al
//apply the policy on this interface, because all packets that need PBR arrive through it
[H3C-Vlan-interface1]quit
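To make the evaluation order concrete, here is an added Python model (not H3C code and not from the original post) of R1's forwarding decision with this policy: node 10 diverts ACL 3000 traffic to 202.202.202.1, the empty node 20 hands everything else to the routing table, and a next hop whose interface is down is treated as invalid so the packet falls back to the routing table. The routing table, the "first usable route wins" stand-in for OSPF reconvergence, and the fallback rule are all modelling assumptions.

```python
import ipaddress

# Constructed model of R1 in this post. Routes are (prefix, next hop, egress interface) in
# preference order; the first usable one wins, a crude stand-in for OSPF reconvergence.
ROUTES = [
    ("192.168.2.0/24", "192.168.1.2", "Vlan-interface1"),
    ("192.168.3.0/24", "192.168.1.2", "Vlan-interface1"),
    ("202.1.1.0/24", "200.200.200.1", "GigabitEthernet0/1"),  # OSPF, directly via R3
    ("202.1.1.0/24", "202.202.202.1", "GigabitEthernet0/0"),  # OSPF backup, via R2 then R3
]
# Directly connected next hops and the interface that reaches each of them
NEXT_HOP_IF = {"202.202.202.1": "GigabitEthernet0/0", "200.200.200.1": "GigabitEthernet0/1",
               "192.168.1.2": "Vlan-interface1"}
# acl advanced 3000: rule 0 permit ip source 192.168.3.0 0.0.0.255 (implicit deny afterwards)
ACL_3000 = [("permit", "192.168.3.0/24")]
# policy-based-route al: node 10 matches ACL 3000 and sets the next hop;
# node 20 is empty, so it matches everything and hands the packet to the routing table.
PBR_AL = [
    {"node": 10, "acl": ACL_3000, "next_hop": "202.202.202.1"},
    {"node": 20, "acl": None, "next_hop": None},
]

def acl_permits(acl, src):
    for action, net in acl:
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return action == "permit"
    return False  # no rule matched: implicit deny

def route_lookup(dst, link_up):
    """Longest-prefix match over routes whose egress interface is up."""
    best = None
    for prefix, nh, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and link_up.get(iface, True):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nh, iface)
    return (best[1], best[2]) if best else None

def forward(src, dst, link_up):
    """Interface PBR on Vlan-interface1 first, then the routing table.
    Assumption: when the applied next hop's interface is down, the apply clause is
    invalid and the packet falls back to ordinary routing-table forwarding."""
    for node in PBR_AL:
        if node["acl"] is None or acl_permits(node["acl"], src):
            nh = node["next_hop"]
            if nh and link_up.get(NEXT_HOP_IF[nh], True):
                return (nh, NEXT_HOP_IF[nh])
            break  # matched an empty node, or the next hop is down: use the routing table
    return route_lookup(dst, link_up)
```

`link_up` maps an interface name to False to simulate shutting it down; an interface not listed is treated as up.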

Ping PC3 from PC1 and from PC2, then view the NAT translation table on R1:

[H3C-pbr-al-10]dis nat sess ver
Slot 0:
Total sessions found: 0
[H3C-pbr-al-10]dis nat sess ver
Slot 0:
Initiator:
  Source      IP/port: 192.168.2.100/46336
  Destination IP/port: 202.1.1.1/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: Vlan-interface1
Responder:
  Source      IP/port: 202.1.1.1/11
  Destination IP/port: 200.200.200.2/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/1
State: ICMP_REPLY
Application: OTHER
Start time: 2019-08-10 02:34:56  TTL: 18s
Initiator->Responder:            0 packets          0 bytes
Responder->Initiator:            0 packets          0 bytes

Initiator:
  Source      IP/port: 192.168.3.100/45056
  Destination IP/port: 202.1.1.2/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: Vlan-interface1
Responder:
  Source      IP/port: 202.1.1.2/1
  Destination IP/port: 202.202.202.2/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet0/0
State: ICMP_REPLY
Application: OTHER
Start time: 2019-08-10 02:35:04  TTL: 27s
Initiator->Responder:            0 packets          0 bytes
Responder->Initiator:            0 packets          0 bytes

Total sessions found: 2
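Both session dumps above are checked by eye for which interface the reply came back on. The following added Python parser (not part of the original post, not an H3C tool) does the same check over a constructed sample trimmed from the dump above, grouping private sources by the egress link their session used, so the VLAN 3 host shows up on GigabitEthernet0/0 once PBR is in effect.

```python
# Constructed sample, trimmed from the post's "display nat session verbose" output after PBR
SAMPLE = """Slot 0:
Initiator:
  Source      IP/port: 192.168.2.100/46336
  Destination IP/port: 202.1.1.1/2048
  Inbound interface: Vlan-interface1
Responder:
  Source      IP/port: 202.1.1.1/11
  Destination IP/port: 200.200.200.2/0
  Inbound interface: GigabitEthernet0/1
State: ICMP_REPLY

Initiator:
  Source      IP/port: 192.168.3.100/45056
  Destination IP/port: 202.1.1.2/2048
  Inbound interface: Vlan-interface1
Responder:
  Source      IP/port: 202.1.1.2/1
  Destination IP/port: 202.202.202.2/0
  Inbound interface: GigabitEthernet0/0
State: ICMP_REPLY

Total sessions found: 2
"""

def parse_nat_sessions(text):
    """One dict per session: private source, NAT global address, and the interface the
    reply came back on (the responder's inbound interface), i.e. the link the session used."""
    sessions, cur, side = [], None, None
    for line in text.splitlines():
        if line.startswith("Initiator:"):
            cur, side = {"Initiator": {}, "Responder": {}}, "Initiator"
            sessions.append(cur)
        elif line.startswith("Responder:"):
            side = "Responder"
        elif side and line.startswith("  ") and ":" in line:
            key, val = line.strip().split(":", 1)
            cur[side][" ".join(key.split())] = val.strip()  # "Source      IP/port" -> "Source IP/port"
        else:
            side = None  # session-level lines (State:, blank, Total ...) close the per-side block
    return [{
        "inside_src": s["Initiator"]["Source IP/port"].split("/")[0],
        "global_addr": s["Responder"]["Destination IP/port"].split("/")[0],
        "egress_if": s["Responder"]["Inbound interface"],
    } for s in sessions]

def sources_by_link(text):
    # Group private sources by the egress link; a host on the wrong link means the PBR did not match
    by_link = {}
    for s in parse_nat_sessions(text):
        by_link.setdefault(s["egress_if"], []).append(s["inside_src"])
    return by_link
```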

OK, the policy route is in effect. Now shutting down either G0/0 or G0/1 on R1 will not affect communication between the internal network and the external network; test this yourself.

Next, configure NAT Server so that PC3 can use Telnet to connect to the Server on the internal network:

(3) Configure NAT Server mapping:

Configure the NAT server on R1:

[H3C-GigabitEthernet0/0]in g0/1
[H3C-GigabitEthernet0/1]nat server protocol tcp global 200.200.200.3 23 inside 192.168.3.250 23

Configure the Telnet server on the Server:

[H3C]telnet server enable
[H3C]local-user admin    //username for Telnet login
New local user added.
[H3C-luser-manage-admin]password simple pwd123    //password for admin
[H3C-luser-manage-admin]service-type telnet
[H3C-luser-manage-admin]authorization-attribute user-role level-15
[H3C-luser-manage-admin]quit
[H3C]user-interface vty 0
[H3C-line-vty0]authentication-mode scheme
[H3C-line-vty0]protocol inbound telnet
[H3C-line-vty0]quit

Verification:

[Figure: Telnet from PC3 to 200.200.200.3]

As you can see, after entering the correct username and password the Telnet login succeeds; once logged in you can display the IP address of the current interface to confirm that you have logged in to the Server.

-------- End of this article, thanks for reading --------


Source: blog.51cto.com/14154700/2428295