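Typical Application Case: NE20 Router in a Dual-Exit Deployment at a University
I. Networking:
Requirements:
1. The two exits connect to the education network (CerNet) and to China Telecom (ChinaTel) respectively;
2. All internal users use legitimate education-network IP addresses;
3. Through static routes, all domestic traffic uses the education-network exit E4/0/0 and all international traffic uses the China Telecom exit E4/0/1;
4. Some internal network segments may only use the education-network exit, and some PCs may only use the China Telecom exit;
5. Traffic leaving through the China Telecom exit requires NAT.
II. Solution:
Key configuration examples
1. Policy-based routing: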
acl number 2033
rule 0 permit source 202.204.115.126 0
rule 1 permit source 222.28.112.166 0
rule 2 permit source 202.204.116.101 0
rule 3 permit source 202.204.118.107 0
rule 4 permit source 202.204.125.83 0
rule 5 permit source 202.204.112.71 0
rule 6 permit source 202.204.115.68 0
rule 7 permit source 202.204.112.68 0
rule 8 permit source 202.204.112.69 0
rule 9 permit source 202.204.117.64 0
rule 10 permit source 202.204.112.66 0
rule 11 permit source 202.204.112.67 0
rule 12 permit source 202.204.115.67 0
rule 13 permit source 202.204.126.66 0
rule 14 permit source 202.204.120.69 0
rule 15 permit source 202.204.120.67 0
rule 16 permit source 202.204.112.72 0
rule 17 permit source 202.204.120.65 0
rule 18 permit source 202.204.112.63 0
rule 19 permit source 222.28.112.228 0
rule 20 permit source 202.204.115.46 0
rule 21 permit source 202.204.125.15 0
rule 22 permit source 202.204.112.13 0
rule 23 permit source 202.204.119.10 0
rule 24 permit source 202.204.114.253 0
rule 25 permit source 211.71.149.171 0
rule 26 permit source 202.204.115.222 0
rule 27 permit source 222.28.119.8 0
rule 28 permit source 202.204.125.188 0
rule 29 permit source 202.204.125.135 0
rule 30 deny Note ①
acl number 2055
rule 0 permit source 202.204.112.105 0
rule 1 permit source 202.204.112.6 0
rule 2 permit source 202.204.112.7 0
rule 3 permit source 202.204.112.4 0
rule 4 permit source 202.204.112.5 0
rule 5 permit source 202.204.112.2 0
rule 6 permit source 202.204.112.3 0
rule 7 permit source 202.204.112.1 0
rule 8 permit source 202.204.112.10 0
rule 9 permit source 202.204.112.8 0
rule 10 permit source 202.204.112.9 0
rule 11 permit source 211.71.158.158 0
rule 12 permit source 202.204.112.214 0
rule 13 permit source 202.204.112.206 0
rule 14 permit source 202.204.112.11 0
rule 15 permit source 202.204.112.12 0
rule 16 permit source 202.204.112.13 0
rule 17 permit source 202.204.112.14 0
rule 18 permit source 202.204.112.15 0
rule 19 permit source 202.204.112.16 0
rule 20 permit source 202.204.116.0 0.0.0.255
rule 21 permit source 211.71.159.0 0.0.0.255
rule 22 deny Note ②
#
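traffic classifier 2 //Define a traffic classifier
if-match acl 2055 //Match ACL 2055
traffic classifier 1 //Define a traffic classifier
if-match acl 2033 //Match ACL 2033
#
traffic behavior 2 //Define a traffic behavior
remark ip-nexthop 172.30.79.17 output-interface Ethernet4/0/1 //Set the behavior to forward to the specified next hop
traffic behavior 1 //Define a traffic behavior
remark ip-nexthop 202.112.5.229 output-interface Ethernet4/0/0 //Set the behavior to forward to the specified next hop
#
qos policy 1 //Define a QoS policy
classifier 1 behavior 1 //Bind the traffic classifier to the traffic behavior
classifier 2 behavior 2 //Bind the traffic classifier to the traffic behavior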
#
interface Ethernet4/0/2
description connect to Internal Netwrok
ip address 202.204.112.65 255.255.255.0
qos apply policy 1 inbound //Apply the QoS policy in the inbound direction of the interface
#
2. NAT configuration:
#
nat address-group 0 219.239.106.1 219.239.106.254 mask 255.255.255.0 //Define the address pool
#
acl number 2000 //Define the ACL
rule 0 permit source 202.204.112.0 0.0.15.255
rule 1 permit source 211.71.144.0 0.0.15.255
rule 2 permit source 222.28.112.0 0.0.15.255
rule 3 deny
interface Ethernet4/0/1
description connect to ChinaNet-FeiHua
ip address 172.30.79.18 255.255.255.252
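nat outbound 2000 address-group 0 //Associate the ACL with the address pool on the interface that performs NAT
#
ip route-static 219.239.106.0 255.255.255.0 NULL0 Note ③ //Point the address pool at a blackhole route
Notes ① and ②: With the current version (VRP3.30-0330.12.NAT), take care of one point when configuring policies: when two or more ACLs are applied on the same port, configuring a deny rule causes only one ACL to take effect.
Note ③: If the address pool and the interface address are not in the same network segment, a blackhole route must be configured.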
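The following check is an added example, not part of the original case. It parses an abridged excerpt of ACLs 2033 and 2055 from the configuration above and reports permit sources matched by both ACLs (for those sources, the exit taken depends on classifier match order) and which ACLs carry an explicit deny rule, the condition notes ① and ② describe. The function names are assumptions of this example.

```python
import ipaddress
import re

# Abridged excerpt of ACLs 2033 and 2055 from the configuration above (a few rules only).
SAMPLE = """\
acl number 2033
rule 0 permit source 202.204.115.126 0
rule 2 permit source 202.204.116.101 0
rule 22 permit source 202.204.112.13 0
rule 30 deny
acl number 2055
rule 0 permit source 202.204.112.105 0
rule 16 permit source 202.204.112.13 0
rule 20 permit source 202.204.116.0 0.0.0.255
rule 22 deny
"""

RULE = re.compile(r"rule \d+ (permit|deny)(?: source (\S+) (\S+))?")

def parse_acls(text):
    """Return {acl_number: [(action, network_or_None), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()      # drop inline comments
        if line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[2]), [])
        elif current is not None and (m := RULE.match(line)):
            action, addr, wildcard = m.groups()
            net = None                          # no source clause: matches any
            if addr:
                # Wildcard 0 is a single host; otherwise it is an inverse mask.
                suffix = "32" if wildcard in ("0", "0.0.0.0") else wildcard
                net = ipaddress.ip_network(f"{addr}/{suffix}", strict=False)
            current.append((action, net))
    return acls

def permit_overlaps(acls, a, b):
    """Pairs of permit sources in ACL a and ACL b that cover common addresses."""
    pa = [n for act, n in acls[a] if act == "permit" and n is not None]
    pb = [n for act, n in acls[b] if act == "permit" and n is not None]
    return [(str(x), str(y)) for x in pa for y in pb if x.overlaps(y)]

def acls_with_deny(acls):
    """ACL numbers containing at least one explicit deny rule."""
    return sorted(n for n, rules in acls.items() if any(a == "deny" for a, _ in rules))

if __name__ == "__main__":
    parsed = parse_acls(SAMPLE)
    print(permit_overlaps(parsed, 2033, 2055), acls_with_deny(parsed))
```

Run against the full configuration text, the same functions list every host or segment that appears in both policy-routing ACLs, so the overlap can be resolved before the policy is applied to the interface.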