一、NAT实验配置
通过基本ACL匹配VLAN 10网段,然后在出口设备NAT转换只要匹配到VLAN10地址则进行转换。
核心交换机
# 配置VLAN和默认路由,配置Trunk和Access接口
interface Vlanif10ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30ip address 10.0.0.2 255.255.255.252interface GigabitEthernet0/0/1port link-type accessport default vlan 30
#
interface GigabitEthernet0/0/2port link-type accessport default vlan 10
#
interface GigabitEthernet0/0/3port link-type accessport default vlan 20# 路由
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
出口路由器
# 配送路由和ACL以及NAT
acl number 2000 rule 10 permit source 192.168.10.0 0.0.0.255 # 配置路由
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
ip route-static 192.168.10.0 255.255.255.0 10.0.0.2
ip route-static 192.168.20.0 255.255.255.0 10.0.0.2# 配置接口地址,配置NAT与ACL匹配
interface GigabitEthernet0/0/0ip address 12.1.1.1 255.255.255.252 nat outbound 2000
#
interface GigabitEthernet0/0/1ip address 10.0.0.1 255.255.255.252
中间路由器:
interface GigabitEthernet0/0/0ip address 12.1.1.2 255.255.255.252
#
interface GigabitEthernet0/0/1ip address 23.1.1.2 255.255.255.252
#
ip route-static 8.8.8.8 255.255.255.255 23.1.1.1
AR3:
interface GigabitEthernet0/0/1ip address 23.1.1.1 255.255.255.252
#
interface LoopBack0ip address 8.8.8.8 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
PC1:正常访问8.8.8.8
PC2:没有进行NAT转换,访问超时
二、ACL流量过滤实验
正常配置access接口,划分VLAN,创建高级ACL匹配流量,然后调用过滤策略。
# 创建高级ACL,先匹配拒绝,然后再允许其它的访问流量
acl number 3000rule 5 deny ip source 192.168.10.1 0 destination 192.168.20.2 0rule 10 permit ip source 192.168.10.1 0# 接口配置
#
interface Vlanif10ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30ip address 10.0.0.2 255.255.255.252# 应用过滤策略
# 可以在全局应用流量过滤
traffic-filter inbound acl 3000# 或者在入接口和出接口应用,在G0/0/2,入方向过滤或者在G0/0/4出方向过滤
interface GigabitEthernet0/0/2port link-type accessport default vlan 10traffic-filter inbound acl 3000#
interface GigabitEthernet0/0/4port link-type accessport default vlan 20traffic-filter outbound acl 3000
结果:
本文由 mdnice 多平台发布