Requirement: two Internet exits, both needing NAT, and two internal IP ranges whose users must leave through different exits.
The detailed PBR + NAT configuration is as follows:
1. The two internal ports carry traffic from the two IP ranges. Because the two flows must leave through different exits, and NAT has to be configured on the exit interfaces, the device cannot apply an ACL a second time unless an external loopback is used.
2. The main device configuration is shown below.
#
ip vpn-instance 2
route-distinguisher 1:111
vpn-target 1:111 import-extcommunity
vpn-target 1:111 export-extcommunity
#
interface GigabitEthernet1/2/0/17
port link-mode route
combo enable copper
ip address 10.1.1.1 255.255.255.0
qos apply policy nat inbound
#
interface GigabitEthernet1/2/0/18
port link-mode route
combo enable copper
ip address 10.1.2.1 255.255.255.0
qos apply policy nat inbound
#
interface GigabitEthernet1/2/0/19
port link-mode route
combo enable copper
ip address 11.1.1.1 255.255.255.0
nat outbound 3301 address-group 1
ip policy-based-route 2
#
interface GigabitEthernet1/2/0/20
port link-mode route
combo enable copper
ip address 11.1.2.1 255.255.255.0
nat outbound 3302 address-group 2
ip policy-based-route 2
#
interface GigabitEthernet1/2/0/21
port link-mode route
combo enable copper
ip address 12.1.1.1 255.255.255.0
nat outbound 3302 address-group 2
nat outbound 3301 address-group 1
nat service chassis 1 slot 2
#
interface GigabitEthernet1/2/0/22
port link-mode route
combo enable copper
ip binding vpn-instance 2
ip address 12.1.1.2 255.255.255.0
ip policy-based-route 1
#
qos policy nat
classifier nat behavior nat
#
traffic classifier nat operator or
if-match acl 3301
if-match acl 3302
#
traffic behavior nat
redirect chassis 1 slot 2
#
acl number 3301
rule 0 permit ip source 10.2.1.0 0.0.0.255
#
acl number 3302
rule 0 permit ip source 10.2.2.0 0.0.0.255
#
acl number 3401
rule 0 permit ip source 31.1.1.0 0.0.0.255
#
acl number 3402
rule 0 permit ip source 32.1.1.0 0.0.0.255
#
acl number 3501
rule 0 permit ip destination 31.1.1.0 0.0.0.255
#
acl number 3502
rule 0 permit ip destination 32.1.1.0 0.0.0.255
#
policy-based-route 1 permit node 1
if-match acl 3401
apply next-hop 11.1.1.2
#
policy-based-route 1 permit node 2
if-match acl 3402
apply next-hop 11.1.2.2
#
policy-based-route 2 permit node 1
if-match acl 3501
apply next-hop 10.1.1.2
#
policy-based-route 2 permit node 2
if-match acl 3502
apply next-hop 10.1.2.2
#
nat address-group 1
address 31.1.1.2 31.1.1.10
#
nat address-group 2
address 32.1.1.2 32.1.1.10
#
ip route 0.0.0.0 0.0.0.0 12.1.1.1
Applying the ACL twice requires an external loopback so that the traffic passes through the device a second time. One of the two loopback interfaces must be bound to a VPN instance; this effectively "detaches" that interface from the device, which makes the loopback routing easy to write.
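As an added example (it is not part of the original case and not H3C's own tooling), the following Python script parses the ACL, NAT address-group, PBR and loopback-interface lines from the configuration above and traces which NAT pool and which exit next-hop an inside source address ends up with after the external loopback. The function names `parse_config`, `trace` and `uncovered_pool_addresses` are my own. The script assumes the two NAT ACLs are disjoint, so the order of the two `nat outbound` rules on the loopback-out interface is ignored, and it does not model NAT sessions or the reverse translation of return traffic.

```python
import ipaddress
import re

# Trimmed copy of the case's own Comware configuration: only the lines that
# decide the outbound path (NAT ACLs, NAT pools, the loopback pair and PBR 1).
CONFIG = """
interface GigabitEthernet1/2/0/21
 nat outbound 3302 address-group 2
 nat outbound 3301 address-group 1
interface GigabitEthernet1/2/0/22
 ip binding vpn-instance 2
 ip policy-based-route 1
acl number 3301
 rule 0 permit ip source 10.2.1.0 0.0.0.255
acl number 3302
 rule 0 permit ip source 10.2.2.0 0.0.0.255
acl number 3401
 rule 0 permit ip source 31.1.1.0 0.0.0.255
acl number 3402
 rule 0 permit ip source 32.1.1.0 0.0.0.255
policy-based-route 1 permit node 1
 if-match acl 3401
 apply next-hop 11.1.1.2
policy-based-route 1 permit node 2
 if-match acl 3402
 apply next-hop 11.1.2.2
nat address-group 1
 address 31.1.1.2 31.1.1.10
nat address-group 2
 address 32.1.1.2 32.1.1.10
"""


def wildcard_to_network(addr, wildcard):
    """Comware ACLs use wildcard masks (1 bits = don't care); turn them into a network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_config(text):
    """Return (acls, pools, pbr, nat_outbound) built from the config text.
    acls: acl id -> [source networks]; pools: group id -> (low, high);
    pbr: policy id -> [{'node', 'acl', 'next_hop'}]; nat_outbound: [(intf, acl, pool)]."""
    acls, pools, pbr, nat_outbound = {}, {}, {}, []
    ctx = None  # the configuration view the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"acl number (\d+)$", line):
            ctx = ("acl", m.group(1))
            acls[m.group(1)] = []
        elif m := re.match(r"nat address-group (\d+)$", line):
            ctx = ("pool", m.group(1))
        elif m := re.match(r"policy-based-route (\d+) permit node (\d+)$", line):
            ctx = ("pbr", m.group(1))
            pbr.setdefault(m.group(1), []).append({"node": int(m.group(2))})
        elif line.startswith("interface "):
            ctx = ("intf", line.split()[1])
        elif ctx is None:
            continue
        elif ctx[0] == "acl" and (m := re.match(r"rule \d+ permit ip source (\S+) (\S+)", line)):
            acls[ctx[1]].append(wildcard_to_network(m.group(1), m.group(2)))
        elif ctx[0] == "pool" and (m := re.match(r"address (\S+) (\S+)", line)):
            pools[ctx[1]] = (ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2)))
        elif ctx[0] == "pbr" and (m := re.match(r"if-match acl (\d+)", line)):
            pbr[ctx[1]][-1]["acl"] = m.group(1)
        elif ctx[0] == "pbr" and (m := re.match(r"apply next-hop (\S+)", line)):
            pbr[ctx[1]][-1]["next_hop"] = m.group(1)
        elif ctx[0] == "intf" and (m := re.match(r"nat outbound (\d+) address-group (\d+)", line)):
            nat_outbound.append((ctx[1], m.group(1), m.group(2)))
    return acls, pools, pbr, nat_outbound


def trace(src_ip, cfg, loopback_intf="GigabitEthernet1/2/0/21", pbr_policy="1"):
    """Follow one inside source through the loopback: first the nat outbound rule
    on the loopback-out interface, then PBR 1 on the loopback-in interface.
    Returns (pool id, pool low, pool high, next-hop) or None when no rule applies.
    Simplification (assumption): the NAT ACLs are disjoint, so rule order is ignored."""
    acls, pools, pbr, nat_outbound = cfg
    ip = ipaddress.IPv4Address(src_ip)
    pool_id = next((pool for intf, acl_id, pool in nat_outbound
                    if intf == loopback_intf and any(ip in net for net in acls.get(acl_id, []))), None)
    if pool_id is None:
        return None
    low, high = pools[pool_id]
    # After translation the packet re-enters on the vpn-instance interface with a
    # pool address as its source; the first PBR node matching that address wins.
    for node in sorted(pbr.get(pbr_policy, []), key=lambda n: n["node"]):
        if any(low in net for net in acls.get(node.get("acl"), [])):
            return pool_id, str(low), str(high), node["next_hop"]
    return None


def uncovered_pool_addresses(cfg, pbr_policy="1"):
    """Sanity check: every address a NAT pool can hand out must be matched by some
    node of the PBR on the loopback-in interface, otherwise that translated flow is
    not steered to either exit. Returns the (pool id, address) pairs that fall through."""
    acls, pools, pbr, _ = cfg
    nets = [net for node in pbr.get(pbr_policy, []) for net in acls.get(node.get("acl"), [])]
    bad = []
    for pool_id, (low, high) in pools.items():
        for n in range(int(low), int(high) + 1):
            addr = ipaddress.IPv4Address(n)
            if not any(addr in net for net in nets):
                bad.append((pool_id, str(addr)))
    return bad


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for src in ("10.2.1.5", "10.2.2.200", "10.3.0.1"):
        print(src, "->", trace(src, cfg))
    print("pool addresses without a PBR match:", uncovered_pool_addresses(cfg))
```

Running it shows 10.2.1.0/24 being translated into pool 1 (31.1.1.2 to 31.1.1.10) and steered to 11.1.1.2, 10.2.2.0/24 into pool 2 and steered to 11.1.2.2, and a source outside both ACLs matching nothing. The `uncovered_pool_addresses` check is the one worth keeping when the pools or the PBR ACLs are later edited: if a pool is grown beyond the /24 that PBR 1 matches, the translated flows for the new addresses silently stop being steered to their exit.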