Test topology:
Networking requirements:
Traffic from the core business system and the data center (the VLAN 100 and VLAN 201 subnets) should leave via the leased line, while Internet-browsing traffic (the VLAN 112 and VLAN 113 subnets) should leave via the PPPoE link. The HTTP server in the VLAN 100 core business zone and the HTTP server in the data center are published to the outside so that external users can reach the internal HTTP servers; in addition, internal users in VLAN 112 and VLAN 113 must also be able to reach the HTTP service through its public IP.
Configuration approach:
- Policy-based routing. Core business and data-center traffic leaves via the leased line: configure policy-based routing on R1, apply it to R1's internal interface GE 0/0/1 with next hop 202.100.99.2, and configure source NAT on R1's external interface so that VLAN 100 and VLAN 201 can reach the Internet. Internet-browsing traffic leaves via PPPoE: configure source NAT under interface Dialer1 so that the VLAN 112 and VLAN 113 subnets can browse, and configure a default route (0.0.0.0) on R1 with next hop Dialer1.
- NAT policy. Configure NAT Server on R1's external interface. To let internal users reach the HTTP servers through the public IP as well, configure domain-internal NAT plus NAT Server (bidirectional NAT) on internal interface GE 0/0/1. The server mappings are as follows:

NAT Server mapping (on R1 GE0/0/0):

| Internal IP | Public IP | Internal port | External port | Note |
|---|---|---|---|---|
| 172.21.100.80 | 202.100.99.55 | 80 | 80 | under R1 GE0/0/0 |
| 172.16.201.80 | 202.100.99.56 | 80 | 80 | under R1 GE0/0/0 |

Domain-internal NAT (on R1 GE0/0/1):

| Internal IP | Public IP (GE 0/0/0) | Internal port | External port | Note |
|---|---|---|---|---|
| 172.21.100.80 | 202.100.99.55 | 80 | 80 | under R1 GE0/0/1 |
| 172.16.201.80 | 202.100.99.56 | 80 | 80 | under R1 GE0/0/1 |

- ACL planning. This mainly concerns the rules in ACL 3002. Before policy-based routing was configured, users in VLAN 112 and VLAN 113 could both reach the HTTP servers through the public IPs; once it was configured, neither could. The reason is that traffic from VLAN 100 and VLAN 201 is matched by the policy route and forwarded straight to next hop 202.100.99.2. For example, when user web112 in the VLAN 112 subnet opens http://202.100.99.56, the packet passes through GE 0/0/1 and is NATed, so its source and destination addresses become 10.1.1.2 and 172.16.201.80. When the target server receives a packet from 10.1.1.2 (the IP of R1's internal interface) it replies, but because the policy route states that data coming from the 172.16.201.0 subnet is forwarded straight to the external address 202.100.99.2, web112 can never complete the TCP three-way handshake with the HTTP server and the access fails. The rules in ACL 3002 therefore exempt the traffic between the HTTP servers and 10.1.1.2 (source 10.1.1.2 or destination 10.1.1.2) from policy-based routing, so that it is handled by the static routes instead; R1 has a static route 172.21.0.0 0.0.255.255 1.1.1.1 for this. As a result, internal PCs can reach the HTTP servers through the public IP. The sessions shown by the command display nat session all are as follows:
[R1]dis nat session all
Protocol : TCP(6)
SrcAddr Port Vpn : 172.21.112.22 3336
DestAddr Port Vpn : 202.100.99.56 20480
NAT-Info
New SrcAddr : 10.1.1.2
New SrcPort : 10258
New DestAddr : 172.16.201.80
New DestPort : 20480
Protocol : TCP(6)
SrcAddr Port Vpn : 172.21.113.22 2824
DestAddr Port Vpn : 202.100.99.56 20480
NAT-Info
New SrcAddr : 10.1.1.2
New SrcPort : 10257
New DestAddr : 172.16.201.80
New DestPort : 20480
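To make the role of ACL 3002 concrete, here is an added Python model (not vendor code and not part of the original write-up) of how R1's inbound policy on GE 0/0/1 classifies the hairpinned request and the server's reply, built from the ACLs, NAT Server mappings and static routes of this lab; the connected 10.1.1.0/24 route and first-match classifier order are assumptions.

```python
import ipaddress

# Constructed model of R1 from this write-up (assumptions, not vendor behaviour).
PBR_NEXTHOP = "202.100.99.2"       # traffic behavior server-policy-b1
INSIDE_IP = "10.1.1.2"             # GE0/0/1 address used by 'nat outbound 2002'
NAT_SERVER = {"202.100.99.55": "172.21.100.80", "202.100.99.56": "172.16.201.80"}
# ACL rules as (src, src-wildcard, dst, dst-wildcard); None means "any".
ACL = {
    2000: [("172.16.201.0", "0.0.0.255", None, None),
           ("172.21.100.0", "0.0.0.255", None, None)],
    3002: [("10.1.1.2", "0", "172.16.201.80", "0"), ("10.1.1.2", "0", "172.21.100.80", "0"),
           ("172.16.201.80", "0", "10.1.1.2", "0"), ("172.21.100.80", "0", "10.1.1.2", "0")],
}
# Static routes from the page plus the connected GE0/0/1 network (assumed).
ROUTES = [("0.0.0.0/0", "Dialer1"), ("1.1.1.0/24", "10.1.1.1"), ("172.16.0.0/16", "10.1.1.1"),
          ("172.21.0.0/16", "10.1.1.1"), ("10.1.1.0/24", "connected:GE0/0/1")]

def wildcard_match(ip, net, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care'; '0' is shorthand for 0.0.0.0."""
    if net is None:
        return True
    wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) | wc) == (int(ipaddress.IPv4Address(net)) | wc)

def acl_permits(number, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACL[number])

def route_lookup(dst):
    """Longest-prefix match over the static and connected routes."""
    hits = [r for r in ROUTES if ipaddress.ip_address(dst) in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def next_hop(src, dst, with_no_pbr=True):
    """Inbound policy on GE0/0/1: classifiers are tried in configured order, first match wins."""
    if with_no_pbr and acl_permits(3002, src, dst):
        return route_lookup(dst)       # behavior no-policy-b1 is empty: normal routing
    if acl_permits(2000, src, dst):
        return PBR_NEXTHOP             # redirect ip-nexthop to the leased line
    return route_lookup(dst)

def hairpin(client, public_ip, with_no_pbr=True):
    """A VLAN 112/113 client opens the public IP; follow request and reply through GE0/0/1."""
    server = NAT_SERVER[public_ip]     # nat server rewrites the destination,
    request = next_hop(INSIDE_IP, server, with_no_pbr)   # nat outbound 2002 the source
    reply = next_hop(server, INSIDE_IP, with_no_pbr)     # the server answers 10.1.1.2
    # The SYN/ACK is only un-NATed if it comes back to R1 rather than being sent to the ISP.
    return {"client": client, "request": request, "reply": reply,
            "handshake_ok": reply != PBR_NEXTHOP}
```

Calling hairpin("172.21.112.22", "202.100.99.56") with and without the no-PBR classifier shows the reply returning to R1 in the first case and being redirected to 202.100.99.2 in the second, which is exactly the failed handshake described above.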
ACL configuration:
# Traffic of interest for policy-based routing
acl number 2000
description server-PBR
rule 15 permit source 172.16.201.0 0.0.0.255
rule 20 permit source 172.21.100.0 0.0.0.255
# Traffic that reaches the Internet via PPPoE
acl number 2001
description permit-pcnat-pppoe
rule 5 permit source 172.21.112.0 0.0.0.255
rule 10 permit source 172.21.113.0 0.0.0.255
# Traffic for domain-internal NAT
acl number 2002
description source-NAT
rule 5 permit source 172.21.100.0 0.0.0.255
rule 10 permit source 172.21.112.0 0.0.0.255
rule 15 permit source 172.21.113.0 0.0.0.255
rule 20 permit source 172.16.201.0 0.0.0.255
# Traffic exempted from policy-based routing (the key part!)
acl number 3002
description NO-PBR NAT
rule 5 permit ip source 10.1.1.2 0 destination 172.16.201.80 0
rule 6 permit ip source 10.1.1.2 0 destination 172.21.100.80 0
rule 25 permit ip source 172.16.201.80 0 destination 10.1.1.2 0
rule 27 permit ip source 172.21.100.80 0 destination 10.1.1.2 0
#
Policy-based routing configuration:
#
traffic classifier server-policy operator or
if-match acl 2000
traffic classifier no-policy operator or
if-match acl 3002
#
traffic behavior server-policy-b1
redirect ip-nexthop 202.100.99.2
traffic behavior no-policy-b1
#
traffic policy server2-policy
classifier no-policy behavior no-policy-b1
classifier server-policy behavior server-policy-b1
#
PPPoE client configuration:
#
interface Dialer1
link-protocol ppp
ppp chap user test
ppp chap password cipher %$%$6VUfY9bEj7QM@BX#Y>72,7S#%$%$
ip address ppp-negotiate
dialer user test
dialer bundle 1
dialer-group 1
nat outbound 2001
#
dialer-rule
dialer-rule 1 ip permit
#
Interface configuration:
#
interface GigabitEthernet0/0/0
description ISP
ip address 202.100.99.1 255.255.255.0
nat server protocol tcp global 202.100.99.55 www inside 172.21.100.80 www
nat server protocol tcp global 202.100.99.56 www inside 172.16.201.80 www
nat outbound 2000
#
interface GigabitEthernet0/0/1
description SW2
ip address 10.1.1.2 255.255.255.0
traffic-policy server2-policy inbound
nat server protocol tcp global 202.100.99.55 www inside 172.21.100.80 www
nat server protocol tcp global 202.100.99.56 www inside 172.16.201.80 www
nat outbound 2002
#
interface GigabitEthernet0/0/2
pppoe-client dial-bundle-number 1
description PPPOE-SERVER
#
Static route configuration:
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 1.1.1.0 255.255.255.0 10.1.1.1
ip route-static 172.16.0.0 255.255.0.0 10.1.1.1
ip route-static 172.21.0.0 255.255.0.0 10.1.1.1
#
Test:
Check IP addresses:
Test HTTP server access
Test ping access
VLAN 112 and 113 traffic goes out over the PPPoE dial-up link; 8.8.8.8 is the IP address of the loopback interface on the PPPoE server. VLAN 100 and 201 traffic goes out over the leased line; 23.1.1.2 is the IP address of the external web user.
We find that PC112 and PC113 cannot reach 23.1.1.2, and likewise PC100 cannot reach 8.8.8.8.
PPPoE server configuration:
IP pool configuration:
#
dhcp enable
#
ip pool server
gateway-list 12.1.1.254
network 12.1.1.0 mask 255.255.255.0
dns-list 8.8.8.8 12.1.1.254
#
ip pool pppoe
#
AAA configuration:
#
aaa
local-user test password cipher %$%$^}W4J6!-O!W4]h(6.&'7kd)F%$%$
local-user test service-type ppp
#
Virtual-Template configuration:
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool server
ip address 12.1.1.254 255.255.255.0
#
Interface configuration:
#
interface LoopBack1
ip address 8.8.8.8 255.255.255.0
#
Run the command display ip interface brief on R1 to check whether it obtained an IP address from the PPPoE server:
<R1>display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
Dialer1 12.1.1.253/32 up up(s)
GigabitEthernet0/0/0 202.100.99.1/24 up up
GigabitEthernet0/0/1 10.1.1.2/24 up up
GigabitEthernet0/0/2 unassigned up down
NULL0 unassigned up up(s)
ISP configuration (used to simulate the Internet):
Create VLAN:
#
vlan batch 2
#
Interface configuration:
#
interface Vlanif2
ip address 10.1.2.1 255.255.255.0
#
interface Ethernet0/0/0
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/0
ip address 202.100.99.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 23.1.1.1 255.255.255.0
#
Static route configuration:
#
ip route-static 0.0.0.0 0.0.0.0 202.100.99.1
#