问题描述:
内网分着多个vlan对应多个网段,比如172.16.3.0网段用出口g1/0/3的10.153.247.23上网,172.16.4.0网段用出口g1/0/3的10.153.247.24上网。 等等以此类推。不太会调。原先内网所有地址段都是通过g1/0/3接口的一个ip地址上网的,现在想分开上网。各位大神帮忙给看着,谢谢大家。
<F100-C60>sys
System View: return to User View with Ctrl+Z.
[F100-C60]dis cur
#
version 7.1.064, Release 9510P06
#
sysname F100-C60
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dialer-group 1 rule ip permit
#
nat address-group 0 name 外网地址
#
nat address-group 1 name 3楼
address 10.153.247.23 10.153.247.23
#
nat address-group 10 name 其他服务器
address 10.153.247.32 10.153.247.32
#
nat address-group 2 name 13楼
address 10.153.247.24 10.153.247.24
#
nat address-group 3 name 16f
address 10.153.247.25 10.153.247.25
#
nat address-group 4 name 17f
address 10.153.247.26 10.153.247.26
#
nat address-group 5 name 18f
address 10.153.247.27 10.153.247.27
#
nat address-group 6 name 19f
address 10.153.247.28 10.153.247.28
#
nat address-group 7 name 20f
address 10.153.247.29 10.153.247.29
#
nat address-group 8 name 21f
address 10.153.247.30 10.153.247.30
#
nat address-group 9 name 22f
address 10.153.247.31 10.153.247.31
#
password-recovery enable
#
vlan 1
#
object-group ip address 13f-vlan13
0 network subnet 172.16.13.0 255.255.255.0
#
object-group ip address 16f-vlan16
0 network subnet 172.16.16.0 255.255.255.0
#
object-group ip address 17f-vlan17
0 network subnet 172.16.17.0 255.255.255.0
#
object-group ip address 18f-vlan18
0 network subnet 172.16.18.0 255.255.255.0
#
object-group ip address 19f-vlan19
0 network subnet 172.16.19.0 255.255.255.0
#
object-group ip address 20f-vlan20
0 network subnet 172.16.20.0 255.255.255.0
#
object-group ip address 21f-vlan21
0 network subnet 172.16.21.0 255.255.255.0
#
object-group ip address 22f-vlan22
0 network subnet 172.16.22.0 255.255.255.0
#
object-group ip address 3f-vlan3
0 network subnet 172.16.3.0 255.255.255.0
#
object-group ip address qita-vlan201
0 network subnet 172.16.201.0 255.255.255.0
#
policy-based-route aa permit node 1
if-match acl 2001
apply next-hop 10.153.247.1
#
interface Dialer1
ppp chap password cipher $c$3$t3x0FccykdDjbNeLiwTh+GmXbTgYWWwI7g==
ppp chap user wfcll004324
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user wfcll004324 password cipher $c$3$q2VOoc3nIaf1LTEb1fyreN56Ecc
BX5DIoQ==
dialer bundle enable
dialer-group 1
dialer timer idle 0
ip address ppp-negotiate
tcp mss 1024
nat outbound
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
description zhengfuwangzhihuiban
ip address 10.153.247.22 255.255.255.0
nat outbound
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
duplex full
speed 1000
ip address 172.16.200.254 255.255.255.0
ip policy-based-route aa
#
object-policy ip Trust-Local
rule 0 pass
#
object-policy ip Trust-Untrust
rule 0 pass
#
object-policy ip Untrust-Local
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/7
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer1
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer1 preference 70
ip route-static 0.0.0.0 0 10.153.247.1
ip route-static 172.16.3.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.13.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.16.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.17.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.18.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.19.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.20.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.21.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.22.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.201.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.16.202.0 24 GigabitEthernet1/0/7 172.16.200.253
ip route-static 172.17.98.0 24 172.16.200.253
#
ssh server enable
#
acl basic 2001
rule 0 permit source 172.16.3.0 0.0.0.255
rule 5 permit source 172.16.18.0 0.0.0.255
rule 10 permit source 172.16.19.0 0.0.0.255
rule 13 permit source 172.16.13.0 0.0.0.255
rule 15 permit source 172.16.20.0 0.0.0.255
rule 20 permit source 172.16.17.0 0.0.0.255
rule 25 permit source 172.16.201.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$ZS1+jZdTjk279k5K$e+86x+0RkdQsNMzh8evyXGjrWNjj4TkazvLnJ3Agtzs
L5LHXM6DHGK5rEbLJ4TmWK9g4NWmxXpFQJqkuBR8YXw==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user tzgs class manage
password hash $h$6$5GvLhjqxmFGeJOEp$DARj5nCBI1mdAmGWdyCZs+abL6Y6mwqbn8okEmanbc9
Njuv/aQznn43Qp1bFp5vxdjZtk0sQ6hyiFYav/o45IA==
service-type ssh telnet terminal http https
authorization-attribute work-directory slot1#flash:
authorization-attribute user-role context-admin
authorization-attribute user-role network-operator
#
ip https enable
#
return
[F100-C60]
- 2021-09-11提问
- 举报
-
(0)
最佳答案
策略路由可以实现配制方法可以参考知了案例:
- 2021-09-11回答
- 评论(2)
- 举报
-
(0)
你好老师,出接口上多个固定ip如何实现内网指定网段走同一出接口的不同ip地址。
我这里出接口有多个地址,想实现内网不同vlan地址段,走同一出接口的不同处接口ip
可以配置策略路由实现特定网段走特定出口。
以下是配置举例:
1.6.4 基于报文源地址的转发策略路由配置举例
1. 组网需求
Router A分别与Router B和Router C直连(保证Router B和Router C之间路由完全不可达)。通过策略路由控制从Router A的以太网接口GigabitEthernet1/0/1接收的报文:
· 源地址为192.168.10.2的报文以4.1.1.2/24作为下一跳IP地址;
· 其它源地址的报文以5.1.1.2/24作为下一跳IP地址。
2. 组网图
图1-4 基于报文源地址的转发策略路由的配置举例组网图
3. 配置步骤
配置前请确保Router B和Host A/Host B,Router C和Host A/Host B之间路由可达。
(1) 配置Router A
# 配置接口GigabitEthernet1/0/2和GigabitEthernet1/0/3的IP地址。
<RouterA> system-view
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] ip address 4.1.1.1 24
[RouterA-GigabitEthernet1/0/2] quit
[RouterA] interface gigabitethernet 1/0/3
[RouterA-GigabitEthernet1/0/3] ip address 5.1.1.1 24
[RouterA-GigabitEthernet1/0/3] quit
# 定义访问控制列表ACL 2000,用来匹配源地址为192.168.10.2的报文。
[RouterA] acl basic 2000
[RouterA-acl-ipv4-basic-2000] rule 10 permit source 192.168.10.2 0
[RouterA-acl-ipv4-basic-2000] quit
# 定义0号节点,指定所有源地址为192.168.10.2的报文的下一跳为4.1.1.2。
[RouterA] policy-based-route aaa permit node 0
[RouterA-pbr-aaa-0] if-match acl 2000
[RouterA-pbr-aaa-0] apply next-hop 4.1.1.2
[RouterA-pbr-aaa-0] quit
[RouterA] policy-based-route aaa permit node 1
[RouterA-pbr-aaa-1] apply next-hop 5.1.1.2
[RouterA-pbr-aaa-1] quit
# 在以太网接口GigabitEthernet1/0/1上应用转发策略路由,处理此接口接收的报文。
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip address 192.168.10.1 24
[RouterA-GigabitEthernet1/0/1] ip policy-based-route aaa
[RouterA-GigabitEthernet1/0/1] quit
4. 验证配置
从Host A上ping Router B,结果成功。
从Host B上ping Router B,结果失败。
从Host A上ping Router C,结果失败。
从Host B上ping Router C,结果成功。
以上结果可证明:从Router A的以太网接口GigabitEthernet1/0/1接收的源地址为192.168.10.2的报文的下一跳为4.1.1.2,所以Host A能ping通Router B,源地址为192.168.10.3的下一跳5.1.1.2,所以Host B能ping通Router C,由此表明策略路由设置成功。
- 2021-09-13回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明