天堂在线www天堂中文在线 ,成人电影免费看,美国十次啦怡红院

要求

客戶需求：客戶現網業務與其他單位互聯，需要訪問外聯單位服務器，但是雙方都需要隱藏自己內網IP地址，需要在外聯AR上配置雙向NAT實現需求。

參考案例：https://support.huawei.com/enterprise/zh/knowledge/EKB1001096125

拓撲結構

image.png

思路

1.對于外聯單位來說，如果想隱藏AR3上的模擬服務器L0和L1的地址，需要在AR1上上聯核心網的接口做目的地址轉換，即地址映射

2.對于企業核心網訪問外聯單位AR3時，需要隱藏ip地址，需要在AR1上做源地址轉換，轉換為G0/0/2的出接口地址

配置

主核心交換

#
vlan batch 100 200 300
#
interface Vlanif100
 ip address 1.1.0.129 255.255.255.240
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
ospf 1
 area 0.0.0.0
  network 1.1.0.128 0.0.0.15
#

備核心交換

#
vlan batch 100 200 300
#
interface Vlanif100
 ip address 1.1.0.145 255.255.255.240
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
ospf 1
 area 0.0.0.0
  network 1.1.0.144 0.0.0.15
#

外聯路由器AR1配置

#
acl number 2001  
 rule 5 permit 
#

interface GigabitEthernet0/0/0     #做nat目的地址轉換，映射兩臺服務器地址
 ip address 1.1.0.132 255.255.255.240 
 nat server global 1.1.0.109 inside 12.1.2.1
 nat server global 1.1.0.110 inside 1.1.5.10
#
interface GigabitEthernet0/0/1  #做nat目的地址轉換，映射兩臺服務器地址
 ip address 1.1.0.148 255.255.255.240 
 ospf cost 100              #手動配置接口ospf 開銷值為100，使得流量走主核心
 nat server global 1.1.0.109 inside 12.1.2.1
 nat server global 1.1.0.110 inside 1.1.5.10
#
interface GigabitEthernet0/0/2  #做nat源地址轉換，將從核心網過來的流量轉換為出接口地址，達到隱藏核心網內網ip的目的
 description TO_wailiandanwei
 ip address 11.11.11.118 255.255.255.252 
 nat outbound 2001
#
ospf 1 
 import-route unr    #需要導入UNR路由(用戶網絡路由，BAS里面普通用戶通過PPOPE，DHCP獲取到的路由，在BAS上都顯示為UNR路由。)
 area 0.0.0.0 
  network 1.1.0.132 0.0.0.0 
  network 1.1.0.148 0.0.0.0 
#
ip route-static 1.1.5.10 255.255.255.255 11.11.11.117    
ip route-static 12.1.2.1 255.255.255.255 11.11.11.117
#

AR3配置

#
interface GigabitEthernet0/0/0
 ip address 11.11.11.117 255.255.255.252 
#
ace LoopBack0
 ip address 1.1.5.10 255.255.255.255 
#
interface LoopBack1
 ip address 12.1.2.1 255.255.255.255 
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.118
#

測試，通過在核心交換上ping兩臺服務器地址，在AR3的上聯接口抓包查看請求源地址

1.啟用源地址轉換時

image.png

可以看到icmp的請求源地址為AR1的出接口地址

2.關閉AR1上的源地址轉換

image.png

這次看到icmp的源地址是核心網的地址，沒有得到隱藏。

完善兩臺核心的MSTP及VRRP配置

核心主

#
vlan batch 100 200 300
#
stp instance 1 root primary             #將交換機設置為stp實例1的master
stp instance 2 root secondary           #將交換機設置為stp實例2的slave
#
stp region-configuration
 region-name stp1
 instance 1 vlan 200
 instance 2 vlan 300
 active region-configuration
#
interface Vlanif100
 ip address 1.1.0.129 255.255.255.240
#
interface Vlanif200
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254           #在vlanif下設置vrrp虛擬ip為192.168.10.254
 vrrp vrid 1 priority 120           #設置vrrp優先級為120，默認為100
 vrrp vrid 1 preempt-mode timer delay 30     # 設置vrrp搶占延遲為30S
 vrrp vrid 1 track interface g0/0/3  reduce 40     #配置vrrp監視端口為g0/0/3，當端口down時優先級下降40
#
interface Vlanif300
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.254                   #在vlanif下設置vrrp虛擬ip為192.168.20.254
 vrrp vrid 1 priority 100          #設置vrrp優先級為100
 vrrp vrid 1 preempt-mode timer delay 30             # 設置vrrp搶占延遲為30S
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
ospf 1
 orea 0.0.0.0
  network 1.1.0.128 0.0.0.15
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
#

核心備

#
vlan batch 100 200 300
#
stp instance 1 root secondary            #將交換機設置為stp實例1的slave
stp instance 2 root primary              #將交換機設置為stp實例2的master
#
stp region-configuration
 region-name stp1
 instance 1 vlan 200
 instance 2 vlan 300
 active region-configuration
#
interface Vlanif100
 ip address 1.1.0.145 255.255.255.240
#
interface Vlanif200
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254           #在vlanif下設置vrrp虛擬ip為192.168.10.254
 vrrp vrid 1 priority 100                    #設置vrrp優先級為100
 vrrp vrid 1 preempt-mode timer delay 30     # 設置vrrp搶占延遲為30S
#
interface Vlanif300
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.254                   #在vlanif下設置vrrp虛擬ip為192.168.20.254
 vrrp vrid 1 priority 120                           #設置vrrp優先級為120，默認100
 vrrp vrid 1 preempt-mode timer delay 30             # 設置vrrp搶占延遲為30S
 vrrp vrid 1 track interface g0/0/3 reduce 40       #配置vrrp監視端口
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
ospf 1
 area 0.0.0.0
  network 1.1.0.145 0.0.0.15
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
#

兩臺接入交換

#
vlan batch 200 300
#
stp region-configuration
 region-name stp1
 instance 1 vlan 200
 instance 2 vlan 300
 active region-configuration
# 
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 200