# Hands-on Project - Interconnecting the Internal and External Networks

![image-20240903154304067](https://picgo-noriu.oss-cn-beijing.aliyuncs.com/Images/image-20240903154304067.png)

- **Requirements**
  - SW5 connects to the egress device R1 through vlanif15
  - SW6 connects to the egress device R1 through vlanif16
  - Configure routes on SW5/SW6 and on the egress device R1 so that SW5/SW6 and R1 can reach each other
  - The company's egress device R1 connects to the external network; the public range leased by the company is 100.1.1.0/29
  - Internal hosts need to reach the external network, so configure a default route on R1 whose next hop is the public gateway
  - Use an ACL to define which departments and subnets are allowed to access the external network
  - Deploy address-pool NAT or Easy-IP so that internal hosts can access the external network
  - Configure VRRP uplink tracking
- **This configuration builds on `0903_实战项目B - 内网优化.md`**

### 1. IP & VLAN & Routing

- **AR1**

  ```
  [AR1]int g0/0/0
  [AR1-GigabitEthernet0/0/0]ip add 192.168.15.1 24
  [AR1-GigabitEthernet0/0/0]int g0/0/1
  [AR1-GigabitEthernet0/0/1]ip add 192.168.16.1 24
  [AR1-GigabitEthernet0/0/1]int g0/0/2
  [AR1-GigabitEthernet0/0/2]ip add 100.1.1.1 29
  ```

- **AR2**

  ```
  [AR2]int g0/0/0
  [AR2-GigabitEthernet0/0/0]ip add 100.1.1.2 29
  [AR2-GigabitEthernet0/0/0]int g0/0/1
  [AR2-GigabitEthernet0/0/1]ip add 200.1.1.254 24
  ```

- **SW5**

  ```
  [SW5]vlan batch 15 16
  [SW5]int Vlanif 15
  [SW5-Vlanif15]ip add 192.168.15.5 24
  [SW5-Vlanif15]quit
  [SW5]int g0/0/4
  [SW5-GigabitEthernet0/0/4]port link-type access
  [SW5-GigabitEthernet0/0/4]port default vlan 15
  [SW5-GigabitEthernet0/0/4]quit
  [SW5]ip route-static 0.0.0.0 0 192.168.15.1
  ```

- **SW6**

  ```
  [SW6]vlan batch 15 16
  [SW6]int Vlanif 16
  [SW6-Vlanif16]ip add 192.168.16.6 24
  [SW6-Vlanif16]quit
  [SW6]int g0/0/4
  [SW6-GigabitEthernet0/0/4]port link-type access
  [SW6-GigabitEthernet0/0/4]port default vlan 16
  [SW6-GigabitEthernet0/0/4]quit
  [SW6]ip route-static 0.0.0.0 0 192.168.16.1
  ```

- **AR1**

  ```
  [AR1]ip route-static 192.168.10.0 24 192.168.15.5
  [AR1]ip route-static 192.168.10.0 24 192.168.16.6 preference 100
  [AR1]ip route-static 192.168.20.0 24 192.168.15.5
  [AR1]ip route-static 192.168.20.0 24 192.168.16.6 preference 100
  [AR1]ip route-static 192.168.30.0 24 192.168.16.6
  [AR1]ip route-static 192.168.30.0 24 192.168.15.5 preference 100
  [AR1]ip route-static 0.0.0.0 0 100.1.1.2
  ```

### 2. NAT

- **AR1**

  ```
  [AR1]nat address-group 1 100.1.1.3 100.1.1.5
  [AR1]acl 2000
  [AR1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
  [AR1-acl-basic-2000]rule 20 permit source 192.168.20.0 0.0.0.255
  [AR1-acl-basic-2000]rule 30 permit source 192.168.30.0 0.0.0.255
  [AR1-acl-basic-2000]quit
  [AR1]int g0/0/2
  [AR1-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
  ```

### 3. VRRP Uplink Interface Tracking

- **HX - SW5**

  ```
  [SW5]int Vlanif 10
  [SW5-Vlanif10]vrrp vrid 10 track int g0/0/4 reduced 50
  [SW5-Vlanif10]int vlan 20
  [SW5-Vlanif20]vrrp vrid 20 track int g0/0/4 reduced 50
  ```

- **HX - SW6**

  ```
  [SW6]int Vlanif 30
  [SW6-Vlanif30]vrrp vrid 30 track int g0/0/4 reduced 50
  ```

### 4. Testing

- **PC1 PING Server1**

  ```
  PC1>ping 200.1.1.1

  Ping 200.1.1.1: 32 data bytes, Press Ctrl_C to break
  From 200.1.1.1: bytes=32 seq=1 ttl=252 time=79 ms
  From 200.1.1.1: bytes=32 seq=2 ttl=252 time=78 ms
  From 200.1.1.1: bytes=32 seq=3 ttl=252 time=78 ms
  From 200.1.1.1: bytes=32 seq=4 ttl=252 time=78 ms
  From 200.1.1.1: bytes=32 seq=5 ttl=252 time=62 ms

  --- 200.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/75/79 ms
  ```
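
The NAT section's ACL 2000 and address group 1 can be checked offline before they go onto AR1. The following is an added example, not part of the original write-up: it evaluates the wildcard-mask rules against sample sources and verifies that the pool stays inside the usable part of 100.1.1.0/29 without reusing an interface address. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

# Values copied from the AR1 configuration on this page.
ACL_2000 = [  # (rule id, action, source, wildcard)
    (10, "permit", "192.168.10.0", "0.0.0.255"),
    (20, "permit", "192.168.20.0", "0.0.0.255"),
    (30, "permit", "192.168.30.0", "0.0.0.255"),
]
PUBLIC_NET = ipaddress.ip_network("100.1.1.0/29")
NAT_POOL = ("100.1.1.3", "100.1.1.5")
IN_USE = {"100.1.1.1": "AR1 g0/0/2", "100.1.1.2": "AR2 g0/0/0"}


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(addr, rules=ACL_2000):
    """Evaluate rules in ascending rule-id order; the first match decides."""
    for _rule_id, action, base, wildcard in sorted(rules):
        if wildcard_match(addr, base, wildcard):
            return action
    return "no-match"  # with nat outbound, such a source is not translated


def pool_problems(pool=NAT_POOL, net=PUBLIC_NET, in_use=IN_USE):
    """List pool addresses outside the usable range or already assigned."""
    first, last = (int(ipaddress.ip_address(x)) for x in pool)
    usable = set(net.hosts())
    problems = []
    for n in range(first, last + 1):
        ip = ipaddress.ip_address(n)
        if ip not in usable:
            problems.append(f"{ip}: not a usable host address in {net}")
        elif str(ip) in in_use:
            problems.append(f"{ip}: already assigned to {in_use[str(ip)]}")
    return problems


if __name__ == "__main__":
    # Constructed sample sources: one host per internal VLAN plus both uplinks.
    for src in ("192.168.10.25", "192.168.20.7", "192.168.30.200",
                "192.168.15.5", "192.168.16.6"):
        print(f"{src:15} -> {acl_action(src)}")
    print("pool problems:", pool_problems() or "none")
```

The uplink addresses 192.168.15.5 and 192.168.16.6 return `no-match`, so traffic sourced from SW5 or SW6 themselves is not translated by this rule set; only hosts in the three permitted /24 networks are.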