NE40E V800R010C00 Configuration Guide - NAT and IPv6 Transition Technologies 01

Example for Configuring Distributed NAT

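This section provides a configuration example for distributed NAT, in which the private addresses of home users are translated many-to-many to external public addresses so that home users can access the Internet after NAT translation. Read it together with the networking diagram to follow the configuration process. The example covers networking requirements, configuration roadmap and data preparation, the procedure, and configuration files.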

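Networking Requirements

As shown in Figure 2-18, home users access the BRAS device through PPPoE, IPoE, or web authentication. While performing user authentication, authorization, and accounting, the BRAS device also provides the NAT service, translating the private addresses of home users to external public addresses so that home users can access the Internet.

The IP addresses of the interfaces are shown in Figure 2-18. The configuration must meet the following requirements:
  • Home users in user group group1 can access the Internet.
  • Home users in user group group2 cannot access the Internet.
Figure 2-18  Networking diagram of basic NAT application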

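Configuration Roadmap

Configure NAT as follows:

  1. Configure basic NAT functions.
  2. Configure NAT user information.
  3. Configure the NAT traffic diversion policy.
  4. Configure the NAT translation policy.
  5. Verify the configuration.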

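Data Preparation

  • Name of the NAT instance.
  • Number of the NAT address pool, and its start and end IP addresses.
  • User group names.
  • ACL and UCL numbers.
  • Information about the NAT traffic diversion policy.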

Procedure

  1. Set the session table resources of service board 1 to 6M.

    <HUAWEI> system-view
    [~HUAWEI] sysname BRAS_NAT
    [*HUAWEI] commit
    [~BRAS_NAT] license
    [~BRAS_NAT-license] active nat session-table size 6 slot 1 card 0
    [*BRAS_NAT-license] commit
    [~BRAS_NAT-license] quit
    • Create NAT instance nat1 with ID 1, and bind the service board to the NAT instance:

      [~BRAS_NAT] service-location 1
      [*BRAS_NAT-service-location-1] location slot 1 card 0
      [*BRAS_NAT-service-location-1] commit
      [~BRAS_NAT-service-location-1] quit
      [~BRAS_NAT] service-instance-group group1
      [*BRAS_NAT-service-instance-group-group1] service-location 1
      [*BRAS_NAT-service-instance-group-group1] commit
      [~BRAS_NAT-service-instance-group-group1] quit
      [~BRAS_NAT] nat instance nat1 id 1
      [*BRAS_NAT-nat-instance-nat1] service-instance-group group1
      [*BRAS_NAT-nat-instance-nat1] commit
      [~BRAS_NAT-nat-instance-nat1] quit

  2. Configure the NAT address pool, with addresses ranging from 10.34.160.101 to 10.34.160.105.

    [~BRAS_NAT] nat instance nat1 id 1
    [~BRAS_NAT-nat-instance-nat1] nat address-group address-group1 group-id 1 10.34.160.101 10.34.160.105
    [*BRAS_NAT-nat-instance-nat1] commit
    [~BRAS_NAT-nat-instance-nat1] quit

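  3. Configure NAT user information.
    1. Configure the BRAS service functions on the device so that users can go online. For the detailed steps, see the HUAWEI NE40E Configuration Guide - User Access.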

      [~BRAS_NAT] aaa
      [~BRAS_NAT-aaa] authentication-scheme auth1
      [*BRAS_NAT-aaa-authen-auth1] authentication-mode radius
      [*BRAS_NAT-aaa-authen-auth1] commit
      [~BRAS_NAT-aaa-authen-auth1] quit
      [~BRAS_NAT-aaa] accounting-scheme acct1
      [*BRAS_NAT-aaa-accounting-acct1] accounting-mode radius
      [~BRAS_NAT-aaa-accounting-acct1] commit
      [~BRAS_NAT-aaa-accounting-acct1] quit
      [~BRAS_NAT-aaa] domain isp1
      [*BRAS_NAT-aaa-domain-isp1] authentication-scheme auth1
      [*BRAS_NAT-aaa-domain-isp1] accounting-scheme acct1
      [*BRAS_NAT-aaa-domain-isp1] radius-server group rd1
      [*BRAS_NAT-aaa-domain-isp1] ip-pool pool1
      [*BRAS_NAT-aaa-domain-isp1] commit
      [~BRAS_NAT-aaa-domain-isp1] quit
      [~BRAS_NAT-aaa] domain isp2
      [*BRAS_NAT-aaa-domain-isp2] authentication-scheme auth1
      [*BRAS_NAT-aaa-domain-isp2] accounting-scheme acct1
      [*BRAS_NAT-aaa-domain-isp2] radius-server group rd1
      [*BRAS_NAT-aaa-domain-isp2] ip-pool pool2
      [*BRAS_NAT-aaa-domain-isp2] commit
      [~BRAS_NAT-aaa-domain-isp2] quit
      [~BRAS_NAT-aaa] quit

    2. Configure user groups group1 and group2.

      [~BRAS_NAT] user-group group1
      [~BRAS_NAT] user-group group2
      [~BRAS_NAT] commit

    3. Specify the domains to which the users belong.

      [~BRAS_NAT] aaa
      [~BRAS_NAT-aaa] domain isp1
      [*BRAS_NAT-aaa-domain-isp1] user-group group1 bind nat instance nat1
      [*BRAS_NAT-aaa-domain-isp1] commit
      [~BRAS_NAT-aaa-domain-isp1] quit
      [~BRAS_NAT-aaa] domain isp2
      [~BRAS_NAT-aaa-domain-isp2] user-group group2
      [*BRAS_NAT-aaa-domain-isp2] commit
      [~BRAS_NAT-aaa-domain-isp2] quit
      [~BRAS_NAT-aaa] quit

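  4. Configure traffic classification rules, the NAT action, and the NAT traffic diversion policy, and then apply the NAT traffic diversion policy.
    1. Configure ACL-based traffic classification rules. The ACL numbers are 6001 and 6002, and the ACL rule numbers are 1 and 2, respectively.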

      [~BRAS_NAT] acl 6001
      [*BRAS_NAT-acl-ucl-6001] rule 1 permit ip source user-group group1
      [*BRAS_NAT-acl-ucl-6001] commit
      [~BRAS_NAT-acl-ucl-6001] quit
      [~BRAS_NAT] acl 6002
      [*BRAS_NAT-acl-ucl-6002] rule 2 permit ip source user-group group2
      [*BRAS_NAT-acl-ucl-6002] commit
      [~BRAS_NAT-acl-ucl-6002] quit

    2. Configure ACL 3001, which is used to assign addresses to online users (it is referenced by nat outbound in step 5).

      [~BRAS_NAT] acl 3001
      [*BRAS_NAT-acl4-advance-3001] rule 10 permit ip source 10.110.10.0 0.0.0.255
      [*BRAS_NAT-acl4-advance-3001] commit
      [~BRAS_NAT-acl4-advance-3001] quit

    3. Configure traffic classifiers.

      [~BRAS_NAT] traffic classifier c1
      [*BRAS_NAT-classifier-c1] if-match acl 6001
      [*BRAS_NAT-classifier-c1] commit
      [~BRAS_NAT-classifier-c1] quit
      [~BRAS_NAT] traffic classifier c2
      [*BRAS_NAT-classifier-c2] if-match acl 6002
      [*BRAS_NAT-classifier-c2] commit
      [~BRAS_NAT-classifier-c2] quit

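    4. Define traffic behaviors. The action for traffic that matches b1 is to bind it to NAT instance nat1; the action for traffic that matches b2 is deny.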

      [~BRAS_NAT] traffic behavior b1 
      [*BRAS_NAT-behavior-b1] nat bind instance nat1
      [*BRAS_NAT-behavior-b1] commit
      [~BRAS_NAT-behavior-b1] quit
      [~BRAS_NAT] traffic behavior b2
      [*BRAS_NAT-behavior-b2] deny
      [*BRAS_NAT-behavior-b2] commit
      [~BRAS_NAT-behavior-b2] quit

    5. Define the NAT policy, associating the ACL rules with the actions.

      [~BRAS_NAT] traffic policy p1
      [*BRAS_NAT-trafficpolicy-p1] classifier c1 behavior b1
      [*BRAS_NAT-trafficpolicy-p1] classifier c2 behavior b2
      [*BRAS_NAT-trafficpolicy-p1] commit
      [~BRAS_NAT-trafficpolicy-p1] quit

    6. Apply the NAT traffic diversion policy in the system view.

      [~BRAS_NAT] traffic-policy p1 inbound
      [*BRAS_NAT] commit

  5. Configure the NAT translation policy.

    [~BRAS_NAT] nat instance nat1 id 1
    [~BRAS_NAT-nat-instance-nat1] nat outbound 3001 address-group address-group1
    [*BRAS_NAT-nat-instance-nat1] commit
    [~BRAS_NAT-nat-instance-nat1] quit

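  6. Configure a static blackhole route for the NAT translation address pool and advertise it through the routing protocol. The OSPF process ID is 1. (This assumes that the company's internal network uses OSPF as the IGP to advertise routes.)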

    [~BRAS_NAT] ip route-static 10.34.160.0 24 null 0
    [*BRAS_NAT] commit
    [~BRAS_NAT] ospf 1
    [*BRAS_NAT-ospf-1] import-route static
    [*BRAS_NAT-ospf-1] commit
    [~BRAS_NAT-ospf-1] quit

  7. Verify the configuration.

    • View NAT user information on the device:

      <BRAS_NAT> display nat user-information slot 1 card 0 verbose
      This operation will take a few minutes. Press 'Ctrl+C' to break ...             
      Slot: 1 Card: 0                                                               
      Total number:  1.                                                               
        ---------------------------------------------------------------------------   
        User Type                             :  NAT444                               
        CPE IP                                :  10.110.10.100                        
        User ID                               :  2                                    
        VPN Instance                          :  -                                    
        Address Group                         :  group1                                    
        NAT Instance                          :  nat1                                  
        Public IP                             :  10.34.160.101                           
        Start Port                            :  1024                                 
        Port Range                            :  256                                  
        Port Total                            :  256                                  
        Extend Port Alloc Times               :  0                                    
        Extend Port Alloc Number              :  0                                    
        First/Second/Third Extend Port Start  :  0/0/0                                
        Total/TCP/UDP/ICMP Session Limit      :  8192/10240/10240/512                 
        Total/TCP/UDP/ICMP Session Current    :  0/0/0/0                              
        Total/TCP/UDP/ICMP Rev Session Limit  :  8192/10240/10240/512                 
        Total/TCP/UDP/ICMP Rev Session Current:  0/0/0/0                              
        Total/TCP/UDP/ICMP Port Limit         :  0/0/0/0                              
        Total/TCP/UDP/ICMP Port Current       :  0/0/0/0                              
        Nat ALG Enable                        :  NULL                                 
        Token/TB/TP                           :  0/0/0                                
        Port Forwarding Flag                  :  Non Port Forwarding                  
        Port Forwarding Ports                 :  0 0 0 0 0                            
        Aging Time(s)                         :  -                                    
        Left Time(s)                          :  -                                    
        Port Limit Discard Count              :  0                                    
        Session Limit Discard Count           :  0                                    
        Fib Miss Discard Count                :  0                                    
        -->Transmit Packets                   :  0                                    
        -->Transmit Bytes                     :  0                                    
        -->Drop Packets                       :  0                                    
        <--Transmit Packets                   :  0                                    
        <--Transmit Bytes                     :  0                                    
        <--Drop Packets                       :  0                                    
        ---------------------------------------------------------------------------  

Configuration Files

  • Configuration file of the BRAS.

    #
    sysname BRAS_NAT
    #
    radius-server group rd1
     radius-server authentication 192.168.7.249 1645 weight 0
     radius-server accounting 192.168.7.249 1646 weight 0
     radius-server shared-key itellin
     radius-server type plus11
     radius-server traffic-unit kbyte
    #
    interface Virtual-Template1
     ppp authentication-mode auto
    #
    interface GigabitEthernet2/0/0.1
     user-vlan 1
     pppoe-server bind Virtual-Template 1
     bas
      access-type layer2-subscriber default-domain authentication isp1
      authentication-method ppp
    #
    interface GigabitEthernet2/0/0.2
     user-vlan 2
     pppoe-server bind Virtual-Template 1
     bas
      access-type layer2-subscriber default-domain authentication isp2
      authentication-method ppp
    #
    ip pool pool1 bas local
     gateway 10.110.10.101 255.255.255.0
     section 1 10.110.10.1 10.110.10.100
     dns-server  192.168.7.252
    #
    ip pool pool2 bas local
     gateway 10.110.12.101 255.255.255.0
     section 2 10.110.12.1 10.110.12.100
     dns-server  192.168.7.252
    #
    license
     active nat session-table size 6 slot 1 card 0
    #
    service-location 1
     location slot 1 card 0
    #
    service-instance-group group1
     service-location 1
    #
    nat instance nat1 id 1
     service-instance-group group1
     nat address-group address-group1 group-id 1 10.34.160.101 10.34.160.105
     nat outbound 3001 address-group address-group1
    #
    user-group group1
    user-group group2
    #
    acl 3001
     rule 10 permit ip source 10.110.10.0 0.0.0.255
    #
    acl 6001
     rule 1 permit ip source user-group group1
    #
    acl 6002
     rule 2 permit ip source user-group group2
    #
    traffic classifier c1
     if-match acl 6001
    #
    traffic classifier c2
     if-match acl 6002
    #
    traffic behavior b1
     nat bind instance nat1
    #
    traffic behavior b2
     deny
    #
    traffic policy p1
     classifier c1 behavior b1
     classifier c2 behavior b2
    #
    traffic-policy p1 inbound
    #
    aaa
     authentication-scheme auth1
      authentication-mode RADIUS
    #
     accounting-scheme acct1
      accounting-mode RADIUS
    #
     domain isp1
      authentication-scheme auth1
      accounting-scheme acct1
      radius-server group rd1
      ip-pool pool1
      user-group group1 bind nat instance nat1
    #
     domain isp2
      authentication-scheme auth1
      accounting-scheme acct1
      radius-server group rd1
      ip-pool pool2
      user-group group2
    #
    ip route-static 10.34.160.0 24 null 0
    #
    ospf 1
     import-route static
    #
     return
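
The following consistency check is an added example, not part of Huawei's document. It audits a configuration in the format shown above for three things this example depends on: the address group named by nat outbound is defined, the NAT pool is covered by a blackhole route, and each user group resolves to the intended action (NAT for group1, deny for group2). The helper names child and audit are hypothetical, and CONFIG is a constructed excerpt.

```python
import ipaddress
import re

# Constructed excerpt in the format of the BRAS configuration file (sample input).
CONFIG = """\
nat instance nat1 id 1
 nat address-group address-group1 group-id 1 10.34.160.101 10.34.160.105
 nat outbound 3001 address-group address-group1
acl 6001
 rule 1 permit ip source user-group group1
acl 6002
 rule 2 permit ip source user-group group2
traffic classifier c1
 if-match acl 6001
traffic classifier c2
 if-match acl 6002
traffic behavior b1
 nat bind instance nat1
traffic behavior b2
 deny
traffic policy p1
 classifier c1 behavior b1
 classifier c2 behavior b2
ip route-static 10.34.160.0 24 null 0
"""

def child(cfg, header):
    """Return the first indented line under a top-level header such as 'acl 6001'."""
    return re.search(rf"^{re.escape(header)}\n +(.+)$", cfg, re.M)[1].strip()

def audit(cfg):
    """Return ({user-group: action}, [findings]) for a NAT configuration excerpt."""
    actions, findings = {}, []
    pools = {m[1]: (m[2], m[3]) for m in re.finditer(
        r"^ +nat address-group (\S+) group-id \d+ (\S+) (\S+)$", cfg, re.M)}
    holes = [ipaddress.ip_network(f"{m[1]}/{m[2]}") for m in re.finditer(
        r"^ip route-static (\S+) (\d+) null 0$", cfg, re.M)]
    for m in re.finditer(r"^ +nat outbound \d+ address-group (\S+)$", cfg, re.M):
        if m[1] not in pools:
            findings.append(f"nat outbound: undefined address-group {m[1]}")
    for name, ends in pools.items():  # check both ends of each pool range
        for ip in map(ipaddress.ip_address, ends):
            if not any(ip in net for net in holes):
                findings.append(f"{name}: {ip} has no blackhole route")
    for m in re.finditer(r"^ +classifier (\S+) behavior (\S+)$", cfg, re.M):
        acl = child(cfg, f"traffic classifier {m[1]}").split()[-1]
        group = child(cfg, f"acl {acl}").split()[-1]
        actions[group] = child(cfg, f"traffic behavior {m[2]}")
    return actions, findings
```

Calling audit(CONFIG) returns the action per user group and an empty findings list; renaming the address group or removing the null 0 route produces findings.
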
Updated: 2018-07-12

Document ID: EDOC1100028549
