Bidirectional address translation lab (with the MSTP and VRRP configuration completed on top of it)

Requirements

Customer requirement: the customer's production network interconnects with another organization and needs to reach that organization's servers, but both sides must hide their own internal IP addresses. Bidirectional NAT is configured on the interconnection AR router to meet this requirement.

Reference case: https://support.huawei.com/enterprise/zh/knowledge/EKB1001096125

Topology

[image: topology diagram]

Approach

1. From the partner organization's side: to hide the addresses of the simulated servers LoopBack0 and LoopBack1 on AR3, destination address translation (a static address mapping, nat server) is configured on the AR1 interfaces that uplink to the core network. The core only ever sees the mapped global addresses 1.1.0.109 and 1.1.0.110.

2. From the enterprise core's side: when the core network accesses AR3, its own IP addresses must be hidden, so source address translation (nat outbound) is configured on AR1, translating the source to the address of the outgoing interface G0/0/2. The partner only ever sees 11.11.11.118.

Configuration

Primary core switch

#
vlan batch 100 200 300
#
interface Vlanif100
 ip address 1.1.0.129 255.255.255.240
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
ospf 1
 area 0.0.0.0
  network 1.1.0.128 0.0.0.15
#

Backup core switch

#
vlan batch 100 200 300
#
interface Vlanif100
 ip address 1.1.0.145 255.255.255.240
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
ospf 1
 area 0.0.0.0
  network 1.1.0.144 0.0.0.15
#

Interconnection router AR1 configuration

#
acl number 2001
 rule 5 permit        # no source given, so any source matches; in production scope this to the core prefixes that may reach the partner
#

interface GigabitEthernet0/0/0     # NAT destination translation: map the two servers' addresses
 ip address 1.1.0.132 255.255.255.240 
 nat server global 1.1.0.109 inside 12.1.2.1
 nat server global 1.1.0.110 inside 1.1.5.10
#
interface GigabitEthernet0/0/1  # the same two mappings on the second core-facing interface
 ip address 1.1.0.148 255.255.255.240 
 ospf cost 100              # OSPF cost 100 on this interface, so traffic prefers the path via the primary core (G0/0/0)
 nat server global 1.1.0.109 inside 12.1.2.1
 nat server global 1.1.0.110 inside 1.1.5.10
#
interface GigabitEthernet0/0/2  # NAT source translation: traffic arriving from the core is translated to this outgoing interface's address, hiding the core's internal IPs
 description TO_wailiandanwei
 ip address 11.11.11.118 255.255.255.252 
 nat outbound 2001
#
ospf 1 
 import-route unr    # import UNR routes: nat server creates a UNR (user network route) for each global address, and importing them advertises 1.1.0.109 and 1.1.0.110 to the core switches via OSPF (UNR is also how a BAS represents routes for PPPoE/DHCP users)
 area 0.0.0.0 
  network 1.1.0.132 0.0.0.0 
  network 1.1.0.148 0.0.0.0 
#
ip route-static 1.1.5.10 255.255.255.255 11.11.11.117    
ip route-static 12.1.2.1 255.255.255.255 11.11.11.117
#

AR3 configuration

#
interface GigabitEthernet0/0/0
 ip address 11.11.11.117 255.255.255.252 
#
interface LoopBack0
 ip address 1.1.5.10 255.255.255.255 
#
interface LoopBack1
 ip address 12.1.2.1 255.255.255.255 
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.118
#

Test: ping the two server addresses from the core switches and capture on AR3's uplink interface to check the source address of the requests.

1. With source address translation enabled

[image: capture on AR3's uplink with nat outbound enabled]

The ICMP request source address is AR1's outgoing interface address (11.11.11.118).

2. With source address translation on AR1 disabled

[image: capture on AR3's uplink with nat outbound disabled]

This time the ICMP source address is the core network's own address; it is not hidden.
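The two-stage translation described in the Approach section, together with the two test cases above, as an added Python model that is not part of the original page and not Huawei code. It uses the addresses from the lab configuration; ICMP identifiers stand in for L4 ports, the session table is a plain dictionary, and the starting identifier 10240 is an arbitrary constructed value. `AR1(source_nat=False)` reproduces test case 2:

```python
"""Added example (not the page's or Huawei's code): a model of the two NAT
stages AR1 applies, using the addresses from the lab configuration above.
ICMP identifiers stand in for L4 ports; the session table is simplified."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# "nat server global X inside Y" on the core-facing interfaces G0/0/0 and G0/0/1
NAT_SERVER = {"1.1.0.109": "12.1.2.1", "1.1.0.110": "1.1.5.10"}
INSIDE_TO_GLOBAL = {v: k for k, v in NAT_SERVER.items()}

# "nat outbound 2001" on G0/0/2; ACL 2001 "rule 5 permit" matches any source
G0_0_2_IP = "11.11.11.118"
ACL_2001 = [ip_network("0.0.0.0/0")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int  # ICMP echo identifier (or L4 source port)


class AR1:
    def __init__(self, source_nat=True):
        self.source_nat = source_nat      # False reproduces test case 2
        self.sessions = {}                # (global src, new ident) -> (orig src, orig ident)
        self.next_ident = 10240           # constructed starting value

    def core_to_partner(self, pkt):
        """Core -> AR3 direction: nat server first, then nat outbound on egress."""
        if pkt.dst not in NAT_SERVER:
            return None                   # only the two mapped globals are reachable
        pkt = replace(pkt, dst=NAT_SERVER[pkt.dst])
        if self.source_nat and any(ip_address(pkt.src) in net for net in ACL_2001):
            ident = self.next_ident
            self.next_ident += 1
            self.sessions[(G0_0_2_IP, ident)] = (pkt.src, pkt.ident)
            pkt = replace(pkt, src=G0_0_2_IP, ident=ident)
        return pkt

    def partner_to_core(self, pkt):
        """AR3 -> core direction: undo both stages in reverse order."""
        if pkt.src not in INSIDE_TO_GLOBAL:
            return None                   # server replies only from the mapped insides
        pkt = replace(pkt, src=INSIDE_TO_GLOBAL[pkt.src])
        orig = self.sessions.get((pkt.dst, pkt.ident))
        if orig is not None:
            pkt = replace(pkt, dst=orig[0], ident=orig[1])
        return pkt


def what_each_side_sees(source_nat):
    """Return (src, dst) as captured on AR3's uplink and as delivered back to the core."""
    ar1 = AR1(source_nat)
    req = ar1.core_to_partner(Packet("1.1.0.129", "1.1.0.109", 1))
    rep = ar1.partner_to_core(Packet(req.dst, req.src, req.ident))
    return (req.src, req.dst), (rep.src, rep.dst)


if __name__ == "__main__":
    print("source NAT on :", what_each_side_sees(True))
    print("source NAT off:", what_each_side_sees(False))
```

Running the block prints, for each case, the (src, dst) pair captured on AR3's uplink and the pair delivered back to the core; with source NAT off the first pair exposes 1.1.0.129, exactly what the second capture showed. Because ACL 2001 is a permit-any, every source that reaches G0/0/2 is translated, which is why scoping the ACL matters once the interconnection carries more than lab traffic.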

Completing the MSTP and VRRP configuration on the two core switches

Primary core

#
vlan batch 100 200 300
#
stp instance 1 root primary             # this switch is the root bridge (primary root) of MSTP instance 1
stp instance 2 root secondary           # and the secondary root of instance 2
#
stp region-configuration
 region-name stp1
 instance 1 vlan 200
 instance 2 vlan 300
 active region-configuration
#
interface Vlanif100
 ip address 1.1.0.129 255.255.255.240
#
interface Vlanif200
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254           # VRRP virtual IP 192.168.10.254 under the VLANIF
 vrrp vrid 1 priority 120           # VRRP priority 120 (default 100)
 vrrp vrid 1 preempt-mode timer delay 30     # preempt delay 30 s
 vrrp vrid 1 track interface g0/0/3  reduce 40     # track the uplink g0/0/3; when it goes down the priority drops by 40 (120 -> 80, below the backup's 100)
#
interface Vlanif300
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.254                   # VRRP virtual IP 192.168.20.254 under the VLANIF
 vrrp vrid 1 priority 100          # VRRP priority 100 (this switch is the backup for VLAN 300)
 vrrp vrid 1 preempt-mode timer delay 30             # preempt delay 30 s
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
ospf 1
 area 0.0.0.0
  network 1.1.0.128 0.0.0.15
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
#

Backup core

#
vlan batch 100 200 300
#
stp instance 1 root secondary            # secondary root of MSTP instance 1
stp instance 2 root primary              # root bridge (primary root) of instance 2
#
stp region-configuration
 region-name stp1
 instance 1 vlan 200
 instance 2 vlan 300
 active region-configuration
#
interface Vlanif100
 ip address 1.1.0.145 255.255.255.240
#
interface Vlanif200
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254           # VRRP virtual IP 192.168.10.254 under the VLANIF
 vrrp vrid 1 priority 100                    # VRRP priority 100 (this switch is the backup for VLAN 200)
 vrrp vrid 1 preempt-mode timer delay 30     # preempt delay 30 s
#
interface Vlanif300
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.254                   # VRRP virtual IP 192.168.20.254 under the VLANIF
 vrrp vrid 1 priority 120                           # VRRP priority 120 (default 100)
 vrrp vrid 1 preempt-mode timer delay 30             # preempt delay 30 s
 vrrp vrid 1 track interface g0/0/3 reduce 40       # track the uplink g0/0/3; priority drops by 40 when it goes down
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
ospf 1
 area 0.0.0.0
  network 1.1.0.145 0.0.0.15
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
#

The two access switches

#
vlan batch 200 300
#
stp region-configuration
 region-name stp1
 instance 1 vlan 200
 instance 2 vlan 300
 active region-configuration
# 
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 200

VRRP status

On a PC, check the ARP table: the gateway's MAC address is the VRRP virtual MAC.

In VRRP (IPv4), the virtual MAC address is 00-00-5E-00-01-{vrid}; for vrid 1 that is 0000-5e00-0101.

[image: ARP table on the PC]

Check the VRRP status on the primary core

[image: dis vrrp on the primary core]

After manually shutting down port g0/0/3, check the VRRP status again with dis vrrp

[image: dis vrrp on the primary core after g0/0/3 is shut down]

Check the VRRP status on the backup core

[image: dis vrrp on the backup core]

MSTP status

Primary core

[image: dis stp on the primary core]

As the root bridge of instance 1, it has no root port in that instance; all of its ports in instance 1 are designated ports.

Backup core

[image: dis stp on the backup core]

The backup core is the root bridge of instance 2, so all of its ports in instance 2 are designated ports.

STP status of the two access switches

[image: dis stp on access switch 1]

[image: dis stp on access switch 2]
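The VRRP and MSTP results above, as an added Python model that is not from the page or from Huawei. It elects the MSTP root per instance and the VRRP master per VLAN from the lab values, applies the `track interface g0/0/3 reduce 40` rule when that uplink is down, and reports VLANs whose L2 root and L3 gateway sit on different switches. The bridge MACs are constructed tie-breakers; the `stp root primary`/`secondary` priority values 0 and 4096 are Huawei VRP defaults; the 30 s preempt delay and other timers are not modelled:

```python
"""Added example (not the page's or Huawei's code): per-VLAN election of the
MSTP root bridge and the VRRP master for the two core switches, with the
tracked uplink g0/0/3 taken down. Bridge MACs are constructed; timers
(the 30 s preempt delay) are not modelled."""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Huawei VRP: "stp instance N root primary" sets bridge priority 0 and
# "root secondary" sets 4096; switches with neither keep the default 32768.
STP_PRIORITY = {"primary": 0, "secondary": 4096, "default": 32768}
VLAN_TO_INSTANCE = {200: 1, 300: 2}       # from the stp region-configuration


@dataclass
class Switch:
    name: str
    mac: str                     # bridge MAC, MSTP tie-breaker (constructed)
    stp_role: dict               # instance -> "primary" | "secondary" | "default"
    vrrp: dict                   # vlan -> {"ip", "priority", optional "track", "reduce"}
    down_interfaces: set = field(default_factory=set)


def mstp_root(switches, instance):
    """Lowest (priority, MAC) is the root bridge of that instance."""
    return min(switches, key=lambda sw: (
        STP_PRIORITY[sw.stp_role.get(instance, "default")], sw.mac)).name


def vrrp_effective_priority(sw, vlan):
    """Configured priority minus 'reduce' while the tracked interface is down."""
    cfg = sw.vrrp[vlan]
    prio = cfg["priority"]
    if cfg.get("track") in sw.down_interfaces:
        prio -= cfg["reduce"]
    return max(prio, 1)          # 0 is reserved for the owner giving up mastership


def vrrp_master(switches, vlan):
    """Highest effective priority wins; ties go to the higher interface IP."""
    return max(switches, key=lambda sw: (
        vrrp_effective_priority(sw, vlan),
        int(ip_address(sw.vrrp[vlan]["ip"])))).name


def virtual_mac(vrid):
    """IPv4 VRRP virtual MAC 00-00-5E-00-01-{vrid}, in Huawei display format."""
    return "0000-5e00-01%02x" % vrid


def misaligned_vlans(switches):
    """VLANs whose L2 root and L3 gateway are on different switches: traffic
    then crosses Eth-Trunk1 between the cores before leaving the VLAN."""
    return [vlan for vlan, inst in VLAN_TO_INSTANCE.items()
            if mstp_root(switches, inst) != vrrp_master(switches, vlan)]


def lab_switches():
    """The two cores as configured above (MACs constructed)."""
    primary = Switch("core-primary", "4c1f-cc00-0001",
                     {1: "primary", 2: "secondary"},
                     {200: {"ip": "192.168.10.1", "priority": 120, "track": "g0/0/3", "reduce": 40},
                      300: {"ip": "192.168.20.1", "priority": 100}})
    backup = Switch("core-backup", "4c1f-cc00-0002",
                    {1: "secondary", 2: "primary"},
                    {200: {"ip": "192.168.10.2", "priority": 100},
                     300: {"ip": "192.168.20.2", "priority": 120, "track": "g0/0/3", "reduce": 40}})
    return [primary, backup]


if __name__ == "__main__":
    cores = lab_switches()
    print("healthy:", {v: (mstp_root(cores, i), vrrp_master(cores, v))
                       for v, i in VLAN_TO_INSTANCE.items()}, misaligned_vlans(cores))
    cores[0].down_interfaces.add("g0/0/3")
    print("primary g0/0/3 down:", vrrp_effective_priority(cores[0], 200),
          vrrp_master(cores, 200), misaligned_vlans(cores))
```

In the healthy state each VLAN's root bridge and gateway are on the same core, which is the point of pairing instance 1 with VLAN 200's priority 120 and instance 2 with VLAN 300's. After g0/0/3 goes down on the primary, VLAN 200's gateway moves to the backup (priority 80 against 100) while instance 1 is still rooted on the primary, so that VLAN's traffic now crosses Eth-Trunk1 before it reaches AR1; acceptable here, but worth knowing when reading the captures.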