Topology: see the figure.
Routes are reachable across the whole network; ping 2.2.2.254 from MSR-2.
Explain, based on the on-site NAT configuration, how the traffic is matched:
#
nat address-group 1
address 2.2.2.3 2.2.2.3
#
nat address-group 2
address 2.2.2.4 2.2.2.4
#
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 2.2.2.1 255.255.255.0
nat outbound 3001 address-group 2
nat outbound 3000 address-group 1
#
acl advanced 3000
rule 5 permit ip
#
acl advanced 3001
rule 0 deny ip source 1.1.1.0 0.0.0.255
rule 5 permit ip
#
Matching priority of NAT outbound entries combined with ACLs:
NAT [ACL name] > NAT [ACL number] > NAT (no ACL)
Among named ACLs, the name that sorts first by ASCII code has the higher priority.
Among numbered ACLs, the larger number has the higher priority.
Scenario 1: With the configuration above, traffic from source address 1.1.1.2 to 2.2.2.254 should match rule 0 of ACL 3001 and be denied right away, then match ACL 3000 and leave with its source address translated to 2.2.2.3.
Scenario 2: Remove rule 5 from ACL 3001; the result is the same as in scenario 1.
Scenario 3: If ACL 3001 is changed to:
#
acl advanced 3001
rule 0 permit ip source 8.8.8.0 0.0.0.255
rule 5 deny ip
#
then the ICMP traffic from 1.1.1.2 to 2.2.2.254 does not match rule 0 of ACL 3001, is then denied by rule 5, and therefore hits ACL 3000 and is NATed.
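The three scenarios above, modelled as an added example (not part of the original case and not H3C code): a small Python model of how the nat outbound list on one interface is walked. It assumes, as the case states, that numbered-ACL entries are tried from the highest ACL number downward, rules inside an ACL in ascending order, and that a deny or no match moves on to the next nat outbound entry while a permit selects that entry's address group; it also goes beyond the case by checking a 192.168.0.0/24 source.

```python
# Added example (not from the original case): a model of how an H3C
# "nat outbound <acl> address-group <n>" list is evaluated on one interface.
# Assumptions (derived from the case text, not from vendor documentation):
# numbered-ACL entries are tried from the highest ACL number downward; rules
# inside an ACL are tried in ascending rule-number order; a "deny" or no match
# moves on to the next nat outbound entry; a "permit" selects that group.
import ipaddress

def in_subnet(addr, network, wildcard):
    """H3C-style wildcard match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(rules, src):
    """Return 'permit', 'deny' or None (no rule matched) for a source address."""
    # rules: (rule_number, action, network, wildcard); network None means "any"
    for _, action, network, wildcard in sorted(rules):
        if network is None or in_subnet(src, network, wildcard):
            return action
    return None

def select_nat(nat_outbound, acls, src):
    """Return the address group chosen for src, or None if no entry applies."""
    for acl_num, group in sorted(nat_outbound, reverse=True):  # 3001 before 3000
        if acl_action(acls[acl_num], src) == "permit":
            return group
    return None  # denied or unmatched by every entry: leaves untranslated

# Constructed from the case: interface G1/0/3, address-group 1 = 2.2.2.3,
# address-group 2 = 2.2.2.4.
NAT_OUTBOUND = [(3001, "2.2.2.4"), (3000, "2.2.2.3")]
ACLS_CASE1 = {
    3000: [(5, "permit", None, None)],
    3001: [(0, "deny", "1.1.1.0", "0.0.0.255"), (5, "permit", None, None)],
}
ACLS_CASE2 = {3000: ACLS_CASE1[3000], 3001: [ACLS_CASE1[3001][0]]}
ACLS_CASE3 = {
    3000: ACLS_CASE1[3000],
    3001: [(0, "permit", "8.8.8.0", "0.0.0.255"), (5, "deny", None, None)],
}

if __name__ == "__main__":
    for name, acls in (("case1", ACLS_CASE1), ("case2", ACLS_CASE2), ("case3", ACLS_CASE3)):
        print(name, "1.1.1.2 ->", select_nat(NAT_OUTBOUND, acls, "1.1.1.2"),
              "| 192.168.0.2 ->", select_nat(NAT_OUTBOUND, acls, "192.168.0.2"))
```

In all three scenarios 1.1.1.2 ends up translated to 2.2.2.3 by ACL 3000, whereas a 192.168.0.2 source is translated to 2.2.2.4 only in scenario 1, where ACL 3001 still has its permit rule.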