1.0.0.2/24 GE1/0
+-----------------------------+
192.168.0.1/22 | | 1.0.0.1/24 (MAC:0011-0011-0011)
LAN----------------AR18-63-1 电信网关--------------------Internet
GE3/0 | |
+-----------------------------+
GE2/0
假设组网图如上,
使用AR18-63-1 CMW3.4 T6112L01及以后版本可以如下配置:
[H3C]disp cu
#
sysname H3C
#
local-server nas-ip 127.0.0.1 key huawei
# 把1.0.0.3配置为NAT地址池地址,必须配置,否则目的地址为1.0.0.3的报文无法返回
nat address-group 2 1.0.0.3 1.0.0.3
# 使能基于用户的负载分担,不支持该特性的版本需要通过策略路由实现负载分担
ip user-based-sharing enable
ip user-based-sharing route 0.0.0.0 0.0.0.0
#
radius scheme system
#
domain system
# 配置NAT使用的ACL
acl number 3000
rule 0 permit ip source 192.168.0.0 0.0.3.255
#
interface Aux0
async mode flow
# 配置GE1/0 IP地址为1.0.0.2,进行Easy IP方式NAT
interface GigabitEthernet1/0
ip address 1.0.0.2 255.255.255.0
nat outbound 3000
# 配置GE2/0 IP地址为10.0.0.1/30(可以配置任意私网地址,目的使接口协议UP,建议子网掩码使用30),
# 配置使用地址池方式进行NAT
interface GigabitEthernet2/0
ip address 10.0.0.1 255.255.255.252
nat outbound 3000 address-group 2
#
interface GigabitEthernet3/0
ip address 192.168.0.1 255.255.252.0
#
interface GigabitEthernet4/0
#
interface NULL0
# 创建Loopback 2,地址为1.0.0.3/32。(不配置不会影响内网用户上网,但外网会无法通过该地址访问路由器)
interface LoopBack2
ip address 1.0.0.3 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
add interface GigabitEthernet3/0
set priority 85
#
firewall zone untrust
add interface GigabitEthernet1/0
add interface GigabitEthernet2/0
set priority 5
#
firewall zone DMZ
set priority 50
# 配置网关地址的静态ARP,必须配置成静态,否则会导致一条线路不通
arp static 1.0.0.1 0011-0011-0011
# 配置缺省路由,必须指定出接口
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0 1.0.0.1 preference 60
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 2/0 1.0.0.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
[H3C]
如果使用CMW3.4 T6112L01之前的版本,无法配置基于用户的负载分担,需要通过策略路由进行负载分担。
Leave a comment