每日一練（NAT的典型配置）

NAT的典型配置

一：拓撲圖

二：需求：

1：要求CLIENT1和CLIENT2通過DHCP服務器動態獲取IP地址，

2：CLIENT1和CLIENT2所在的網段的所有IP地址都能夠正常訪問外網

三：地址規劃

設備

IP地址

備註

AR1200-AR1

GE0/0/1：10.1.1.2 24

GE0/0/0：210.96.100.85 24

AR1200-AR1模擬的出口路由器，

AR1200-AR2

GE0/0/0：210.96.100.86 24

AR1200-AR2模擬的是ISP路由器

S5700

VLAN2：172.16.1.1 24

VLAN3：192.168.1.1 24

VLAN4：10.1.1.1 30

S5700模擬當前網絡的核心層交換機

S3700-SW1

S3700-SW1模擬接入層交換機

S3700-SW2

S3700-SW2模擬接入層交換機

四：配置過程和步驟：

S3700-SW1上的配置：

sysname S3700-SW1

undo info-center enable

vlan batch 2

cluster enable

ntdp enable

ndp enable

drop illegal-mac alarm

diffserv domain default

drop-profile default

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password simple admin

local-user admin service-type http

interface Vlanif1

interface MEth0/0/1

interface Ethernet0/0/1

port link-type access

port default vlan 2

interface Ethernet0/0/2

interface Ethernet0/0/3

interface Ethernet0/0/4

interface Ethernet0/0/5

interface Ethernet0/0/6

interface Ethernet0/0/7

interface Ethernet0/0/8

interface Ethernet0/0/9

interface Ethernet0/0/10

interface Ethernet0/0/11

interface Ethernet0/0/12

interface Ethernet0/0/13

interface Ethernet0/0/14

interface Ethernet0/0/15

interface Ethernet0/0/16

interface Ethernet0/0/17

interface Ethernet0/0/18

interface Ethernet0/0/19

interface Ethernet0/0/20

interface Ethernet0/0/21

interface Ethernet0/0/22

interface GigabitEthernet0/0/1

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/2

interface NULL0

user-interface con 0

user-interface vty 0 4

return

2：S3700-SW2的配置：

sysname S3700-SW2

undo info-center enable

vlan batch 3

cluster enable

ntdp enable

ndp enable

drop illegal-mac alarm

diffserv domain default

drop-profile default

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password simple admin

local-user admin service-type http

interface Vlanif1

interface MEth0/0/1

interface Ethernet0/0/1

port link-type access

port default vlan 3

interface Ethernet0/0/2

interface Ethernet0/0/3

interface Ethernet0/0/4

interface Ethernet0/0/5

interface Ethernet0/0/6

interface Ethernet0/0/7

interface Ethernet0/0/8

interface Ethernet0/0/9

interface Ethernet0/0/10

interface Ethernet0/0/11

interface Ethernet0/0/12

interface Ethernet0/0/13

interface Ethernet0/0/14

interface Ethernet0/0/15

interface Ethernet0/0/16

interface Ethernet0/0/17

interface Ethernet0/0/18

interface Ethernet0/0/19

interface Ethernet0/0/20

interface Ethernet0/0/21

interface Ethernet0/0/22

interface GigabitEthernet0/0/1

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/2

interface NULL0

user-interface con 0

user-interface vty 0 4

return

S5700上的配置：

sysname S5700

undo info-center enable

vlan batch 2 to 4

cluster enable

ntdp enable

ndp enable

drop illegal-mac alarm

dhcp enable

diffserv domain default

drop-profile default

ip pool p1

gateway-list 172.16.1.1

network 172.16.1.0 mask 255.255.255.0

ip pool p2

gateway-list 192.168.1.1

network 192.168.1.0 mask 255.255.255.0

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password simple admin

local-user admin service-type http

interface Vlanif1

interface Vlanif2

ip address 172.16.1.1 255.255.255.0

dhcp select global

interface Vlanif3

ip address 192.168.1.1 255.255.255.0

dhcp select global

interface Vlanif4

ip address 10.1.1.1 255.255.255.252

interface MEth0/0/1

interface GigabitEthernet0/0/1

port link-type access

port default vlan 4

interface GigabitEthernet0/0/2

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/3

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 10.1.1.2

user-interface con 0

user-interface vty 0 4

return

AR1200-AR1路由器上的配置：

sysname AR1

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone Indian Standard Time minus 05:13:20

clock daylight-saving-time Day Light Saving Time repeating 12:32 9-1 12:32 11-23 00:00 2005 2005

drop illegal-mac alarm

undo info-center enable

stp disable

set cpu-usage threshold 80 restore 75

acl number 2001

rule 0 permit source 192.168.1.0 0.0.0.255

rule 1 permit source 172.16.1.0 0.0.0.255

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

firewall zone Local

priority 15

interface Ethernet0/0/0

duplex half

interface Ethernet0/0/1

duplex half

interface Ethernet0/0/2

duplex half

interface Ethernet0/0/3

duplex half

interface Ethernet0/0/4

duplex half

interface Ethernet0/0/5

duplex half

interface Ethernet0/0/6

duplex half

interface Ethernet0/0/7

duplex half

interface GigabitEthernet0/0/0

ip address 210.96.100.85 255.255.255.0

arp-proxy enable

nat outbound 2001

interface GigabitEthernet0/0/1

ip address 10.1.1.2 255.255.255.252

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 210.96.100.86

ip route-static 172.16.1.0 255.255.255.0 10.1.1.1

ip route-static 192.168.1.0 255.255.255.0 10.1.1.1

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

wlan ac

return

AR1200-AR2上的配置

sysname AR3

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone Indian Standard Time minus 05:13:20

clock daylight-saving-time Day Light Saving Time repeating 12:32 9-1 12:32 11-23 00:00 2005 2005

drop illegal-mac alarm

undo info-center enable

stp disable

set cpu-usage threshold 80 restore 75

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

firewall zone Local

priority 15

interface Ethernet0/0/0

duplex half

interface Ethernet0/0/1

duplex half

interface Ethernet0/0/2

duplex half

interface Ethernet0/0/3

duplex half

interface Ethernet0/0/4

duplex half

interface Ethernet0/0/5

duplex half

interface Ethernet0/0/6

duplex half

interface Ethernet0/0/7

duplex half

interface GigabitEthernet0/0/0

ip address 210.96.100.86 255.255.255.0

interface GigabitEthernet0/0/1

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 210.96.100.85

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

wlan ac

return

五：總結：

華爲的AR系列路由器在配置NAT時，是不支持在NAT地址池中放一個或幾個公網IP地址，只支持在NAT
地址池中放入一個地址段，所以我在配置過程中是使用的EASY ip的方式配置的，沒有使用

NAT地址池方式配置。

每日一練（NAT的典型配置）

通過HPA+CronHPA組合應對業務複雜彈性伸縮場景

FAT AP共享式WEP加密功能的實現

每日一練（NAT的典型配置）

一個H3CNE測試的配置

H3CNE的綜合測試

失業七個月面試六十家公司的深圳體驗

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結