Requirements
Customer requirement: the customer's production network interconnects with another organization and needs to reach that partner's servers, but both sides must hide their internal IP addresses. Bidirectional NAT is therefore configured on the external-connection AR.
Reference case: https://support.huawei.com/enterprise/zh/knowledge/EKB1001096125
Topology
Approach
1. From the partner's point of view, to hide the addresses of the simulated servers L0 and L1 on AR3, destination address translation (address mapping) is configured on the interfaces of AR1 that connect upstream to the core network.
2. When the enterprise core network accesses the partner's AR3, its IP addresses must be hidden, so source address translation is configured on AR1, translating the source to the address of the outgoing interface G0/0/2.
Configuration
Primary core switch
#
vlan batch 100 200 300
#
interface Vlanif100
ip address 1.1.0.129 255.255.255.240
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
ospf 1
area 0.0.0.0
network 1.1.0.128 0.0.0.15
#
Backup core switch
#
vlan batch 100 200 300
#
interface Vlanif100
ip address 1.1.0.145 255.255.255.240
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
ospf 1
area 0.0.0.0
network 1.1.0.144 0.0.0.15
#
External-connection router AR1 configuration
#
acl number 2001
rule 5 permit
#
interface GigabitEthernet0/0/0 #Destination NAT: maps the addresses of the two servers
ip address 1.1.0.132 255.255.255.240
nat server global 1.1.0.109 inside 12.1.2.1
nat server global 1.1.0.110 inside 1.1.5.10
#
interface GigabitEthernet0/0/1 #Destination NAT: maps the addresses of the two servers
ip address 1.1.0.148 255.255.255.240
ospf cost 100 #Manually set the interface OSPF cost to 100 so that traffic prefers the primary core
nat server global 1.1.0.109 inside 12.1.2.1
nat server global 1.1.0.110 inside 1.1.5.10
#
interface GigabitEthernet0/0/2 #Source NAT: translate traffic arriving from the core network to the outgoing interface address, hiding the core network's internal IPs
description TO_wailiandanwei
ip address 11.11.11.118 255.255.255.252
nat outbound 2001
#
ospf 1
import-route unr #UNR routes (User Network Routes) must be imported. On a BAS, the routes that ordinary users obtain via PPPoE or DHCP are all shown as UNR routes.
area 0.0.0.0
network 1.1.0.132 0.0.0.0
network 1.1.0.148 0.0.0.0
#
ip route-static 1.1.5.10 255.255.255.255 11.11.11.117
ip route-static 12.1.2.1 255.255.255.255 11.11.11.117
#
AR3 configuration
#
interface GigabitEthernet0/0/0
ip address 11.11.11.117 255.255.255.252
#
interface LoopBack0
ip address 1.1.5.10 255.255.255.255
#
interface LoopBack1
ip address 12.1.2.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.118
#
Test: ping the two server addresses from a core switch and capture on AR3's uplink interface to check the source address of the requests.
1. With source address translation enabled
The ICMP request source address is AR1's outgoing interface address.
2. With source address translation on AR1 disabled
This time the ICMP source address is the core network's own address; it has not been hidden.
Completing the MSTP and VRRP configuration on the two core switches
Primary core
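The two translation steps from the Approach section and the two captures from this test, modelled in Python. This is an added example, not the page's or Huawei's code: the host, server and interface addresses are taken from the configuration above, while the ICMP identifier and the session table are constructed.

```python
"""Model of AR1's bidirectional NAT from this page (constructed example, not Huawei code)."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    ident: int  # ICMP identifier; lets several core hosts share one outbound address

# "nat server global <global> inside <inside>" on G0/0/0 and G0/0/1 (from the page)
NAT_SERVER = {"1.1.0.109": "12.1.2.1", "1.1.0.110": "1.1.5.10"}
G0_0_2_IP = "11.11.11.118"  # outgoing interface carrying "nat outbound 2001"

def acl_2001_permits(pkt):
    """acl 2001 holds a single 'rule 5 permit', so every packet matches."""
    return True

class AR1:
    def __init__(self, source_nat=True):
        self.source_nat = source_nat  # False models removing 'nat outbound 2001'
        self.sessions = {}  # (src seen by partner, ident) -> (core src, dst as core sent it)

    def core_to_partner(self, pkt):
        """Request from a core-facing interface, forwarded out of G0/0/2."""
        # Destination NAT: published global address -> real server address
        out = replace(pkt, dst=NAT_SERVER.get(pkt.dst, pkt.dst))
        # Source NAT: hide the core host behind the outgoing interface address
        if self.source_nat and acl_2001_permits(out):
            out = replace(out, src=G0_0_2_IP)
        self.sessions[(out.src, out.ident)] = (pkt.src, pkt.dst)
        return out

    def partner_to_core(self, pkt):
        """Reply arriving on G0/0/2; undo both translations from the session entry."""
        entry = self.sessions.get((pkt.dst, pkt.ident))
        if entry is None:
            return None  # no matching session: unsolicited packet is dropped
        core_src, published_dst = entry
        return replace(pkt, src=published_dst, dst=core_src)

def capture_on_ar3_uplink(source_nat):
    """Source address that the capture on AR3's uplink shows for the page's ping test."""
    ar1 = AR1(source_nat)
    request = Packet(src="1.1.0.129", dst="1.1.0.109", ident=1)  # primary core -> server L1
    return ar1.core_to_partner(request).src

if __name__ == "__main__":
    print("source NAT on :", capture_on_ar3_uplink(True))   # 11.11.11.118
    print("source NAT off:", capture_on_ar3_uplink(False))  # 1.1.0.129
```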
#
vlan batch 100 200 300
#
stp instance 1 root primary #Set this switch as the root (master) of STP instance 1
stp instance 2 root secondary #Set this switch as the secondary root (slave) of STP instance 2
#
stp region-configuration
region-name stp1
instance 1 vlan 200
instance 2 vlan 300
active region-configuration
#
interface Vlanif100
ip address 1.1.0.129 255.255.255.240
#
interface Vlanif200
ip address 192.168.10.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.254 #Set the VRRP virtual IP under the VLANIF to 192.168.10.254
vrrp vrid 1 priority 120 #Set the VRRP priority to 120; the default is 100
vrrp vrid 1 preempt-mode timer delay 30 #Set the VRRP preemption delay to 30 s
vrrp vrid 1 track interface g0/0/3 reduce 40 #Track port g0/0/3; when it goes down the priority is reduced by 40
#
interface Vlanif300
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.254 #Set the VRRP virtual IP under the VLANIF to 192.168.20.254
vrrp vrid 1 priority 100 #Set the VRRP priority to 100
vrrp vrid 1 preempt-mode timer delay 30 #Set the VRRP preemption delay to 30 s
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
ospf 1
area 0.0.0.0
network 1.1.0.128 0.0.0.15
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
Backup core
#
vlan batch 100 200 300
#
stp instance 1 root secondary #Set this switch as the secondary root (slave) of STP instance 1
stp instance 2 root primary #Set this switch as the root (master) of STP instance 2
#
stp region-configuration
region-name stp1
instance 1 vlan 200
instance 2 vlan 300
active region-configuration
#
interface Vlanif100
ip address 1.1.0.145 255.255.255.240
#
interface Vlanif200
ip address 192.168.10.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.254 #Set the VRRP virtual IP under the VLANIF to 192.168.10.254
vrrp vrid 1 priority 100 #Set the VRRP priority to 100
vrrp vrid 1 preempt-mode timer delay 30 #Set the VRRP preemption delay to 30 s
#
interface Vlanif300
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.254 #Set the VRRP virtual IP under the VLANIF to 192.168.20.254
vrrp vrid 1 priority 120 #Set the VRRP priority to 120; the default is 100
vrrp vrid 1 preempt-mode timer delay 30 #Set the VRRP preemption delay to 30 s
vrrp vrid 1 track interface g0/0/3 reduce 40 #Configure the VRRP tracked port
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
ospf 1
area 0.0.0.0
network 1.1.0.145 0.0.0.15
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
The two access switches
#
vlan batch 200 300
#
stp region-configuration
region-name stp1
instance 1 vlan 200
instance 2 vlan 300
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 200
VRRP status
Check the ARP table on a PC: the gateway's MAC address is the VRRP virtual MAC.
In VRRP, the virtual MAC address is 00-00-5E-00-01-{vrid}.
Check the VRRP status on the primary core.
Manually shut down port g0/0/3, then check the VRRP status again with dis vrrp.
Check the VRRP status on the backup core.
MSTP status
Primary core
As the root bridge of instance 1, it naturally has no root port in that instance; all of its ports in instance 1 are designated ports.
Backup core
As the root bridge of instance 2, the backup core has all of its ports in instance 2 as designated ports.
STP status of the two access switches
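The split-master VRRP design above (primary core owns VLAN 200, backup core owns VLAN 300) and the g0/0/3 shutdown test, worked through in Python. This is an added example, not the page's or Huawei's code: priorities, tracked port, reduce value and interface IPs come from the configuration above; the election function and the per-switch set of down interfaces are constructed, and the 30 s preemption delay is not modelled.

```python
"""VRRP master election for the two core switches on this page (constructed example)."""
import ipaddress

def vrrp_virtual_mac(vrid):
    """Virtual MAC the PCs see in their ARP table: 00-00-5E-00-01-{vrid}."""
    return f"00-00-5E-00-01-{vrid:02X}"

class VrrpRouter:
    def __init__(self, name, ip, priority, track_if=None, reduce=0):
        self.name, self.ip, self.priority = name, ip, priority
        self.track_if, self.reduce = track_if, reduce  # 'vrrp vrid 1 track interface ... reduce ...'

    def effective_priority(self, down_ifaces):
        """Configured priority, lowered by 'reduce' while the tracked interface is down."""
        p = self.priority
        if self.track_if and self.track_if in down_ifaces:
            p -= self.reduce
        return max(p, 1)

def elect_master(routers, down):
    """down maps switch name -> set of down interfaces. Highest effective priority wins;
    ties go to the higher interface IP (the standard VRRP tie-break)."""
    return max(routers, key=lambda r: (r.effective_priority(down.get(r.name, set())),
                                       int(ipaddress.ip_address(r.ip)))).name

# Both VRRP groups from the page (vrid 1 in VLAN 200 and in VLAN 300)
VLAN200 = [VrrpRouter("primary", "192.168.10.1", 120, "g0/0/3", 40),
           VrrpRouter("backup",  "192.168.10.2", 100)]
VLAN300 = [VrrpRouter("primary", "192.168.20.1", 100),
           VrrpRouter("backup",  "192.168.20.2", 120, "g0/0/3", 40)]

def masters(down):
    """Master of each group for a given set of down interfaces per switch."""
    return {"vlan200": elect_master(VLAN200, down), "vlan300": elect_master(VLAN300, down)}

if __name__ == "__main__":
    print(masters({}))                       # {'vlan200': 'primary', 'vlan300': 'backup'}
    print(masters({"primary": {"g0/0/3"}}))  # {'vlan200': 'backup', 'vlan300': 'backup'}
```

With g0/0/3 down on the primary core its VLAN 200 priority falls to 80, below the backup's 100, which is why `dis vrrp` shows the backup core as master for both groups after the shutdown.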