1:實驗需求

公司擁有多個部門且位于不同網(wǎng)段，各部門均有訪問Internet的需求?，F(xiàn)要求用戶通過二層交換機和路由器訪問外部網(wǎng)絡，且要求路由器作為用戶的網(wǎng)關。

我們按照圖示的IP地址進行配置，最終的結(jié)果是PC1和PC2可以ping通公網(wǎng)地址192.169.1.2.

2:網(wǎng)絡拓補圖

這里多說一句哈，華為的ENSP模擬器有的路由器NAT配置了不生效，我在這里使用的是AR1220系列。

3：實驗過程

CORE

sy
Entersystemview,returnuserviewwithCtrl+Z.
[Huawei]undoinfo-centerenable
Info:Informationcenterisdisabled.
[Huawei]sysnameCORE
[CORE]vlanbatch23100//創(chuàng)建vlan23100備用
Info:Thisoperationmaytakeafewseconds.Pleasewaitforamoment...done.

[CORE]dhcpenable//全局使能DHCP
Info:Theoperationmaytakeafewseconds.Pleasewaitforamoment.done.

[CORE]interfaceVlanif2//進入vlanif接口配置IP，DHCP的方式是基于接口
[CORE-Vlanif2]ipaddress192.168.2.25424
[CORE-Vlanif2]dhcpselectinterface
[CORE-Vlanif2]quit

[CORE]interfaceVlanif3
[CORE-Vlanif3]ipadd192.168.3.25424
[CORE-Vlanif3]dhcpselectinterface
[CORE-Vlanif3]quit

[CORE]interfaceVlanif100
[CORE-Vlanif100]ipadd192.168.100.224
[CORE-Vlanif100]quit

[CORE]interfaceGigabitEthernet0/0/1//設置終端鏈路類型access
[CORE-GigabitEthernet0/0/1]portlink-typeaccess
[CORE-GigabitEthernet0/0/1]portdefaultvlan2
[CORE-GigabitEthernet0/0/1]quit

[CORE]interfaceGigabitEthernet0/0/2
[CORE-GigabitEthernet0/0/2]portlink-typeaccess
[CORE-GigabitEthernet0/0/2]portdefaultvlan3
[CORE-GigabitEthernet0/0/2]quit

[CORE]interfaceGigabitEthernet0/0/3//設置鏈路終端類型，設置為access,路由器才能識別，或者trunk端口設置PVID。
[CORE-GigabitEthernet0/0/3]portlink-typeaccess
[CORE-GigabitEthernet0/0/3]portdefaultvlan100
[CORE-GigabitEthernet0/0/3]quit

[CORE]iproute-static0.0.0.00.0.0.0192.168.100.1//寫一條默認路由，下一跳地址是對端的路由器

ROUTER

sy
system-view
Entersystemview,returnuserviewwithCtrl+Z.
[Huawei]undoinfo-centerenable
Info:Informationcenterisdisabled.
[Huawei]sysnameROUter

[ROUter]interfaceGigabitEthernet0/0/1//我們配置內(nèi)網(wǎng)的IP接口
[ROUter-GigabitEthernet0/0/1]ipadd192.168.100.124
[ROUter-GigabitEthernet0/0/1]quit

[ROUter]iproute-static192.168.0.016192.168.100.2//我們配置到內(nèi)網(wǎng)的回程路由，即192.168.X.X均可以匹配
[ROUter]iproute-static0.0.0.00.0.0.0192.169.1.2//設置一條默認路由去公網(wǎng)

[ROUter]interfaceGigabitEthernet0/0/0//配置公網(wǎng)的IP地址
[ROUter-GigabitEthernet0/0/0]ipaddress192.169.1.124
[ROUter-GigabitEthernet0/0/0]quit

[ROUter]acl2000//建基本ACL2000
[ROUter-acl-basic-2000]rulepermitsource192.168.0.00.0.255.255//允許192.168.X.X的網(wǎng)段
[ROUter-acl-basic-2000]quit

[ROUter]interfaceGigabitEthernet0/0/0//進入外網(wǎng)接口，調(diào)用acl2000
[ROUter-GigabitEthernet0/0/0]natoutbound2000//nat引用
[ROUter-GigabitEthernet0/0/0]quit


[ROUter]displaynatsessionall//這里我們可以看到NAT會話
NATSessionTableInformation:

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08890
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10259

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08888
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10257

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08889
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10258

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08887
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10256

Protocol:ICMP(1)
SrcAddrVpn:192.168.2.253
DestAddrVpn:192.169.1.2
TypeCodeIcmpId:08886
NAT-Info
NewSrcAddr:192.169.1.1
NewDestAddr:----
NewIcmpId:10255

公網(wǎng)路由器

sy
system-view//我們給它設置一個測試用的IP地址
[Huawei]interfaceGigabitEthernet0/0/0
[Huawei-GigabitEthernet0/0/0]ipadd192.169.1.224
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ping192.169.1.1//測試和公司公網(wǎng)IP的連通性
PING192.169.1.1:56databytes,pressCTRL_Ctobreak
Replyfrom192.169.1.1:bytes=56Sequence=1ttl=255time=90ms
Replyfrom192.169.1.1:bytes=56Sequence=2ttl=255time=20ms
Replyfrom192.169.1.1:bytes=56Sequence=3ttl=255time=30ms
Replyfrom192.169.1.1:bytes=56Sequence=4ttl=255time=30ms
Replyfrom192.169.1.1:bytes=56Sequence=5ttl=255time=20ms

---192.169.1.1pingstatistics---
5packet(s)transmitted
5packet(s)received
0.00%packetloss
round-tripmin/avg/max=20/38/90ms

[Huawei]

測試

我們使用PC1和PC2分別ping公網(wǎng)地址，如下圖所示

會話信息

審核編輯：劉清