运用策略路由实现双出口数据的分流

一、背景

此实例来自于某学校的现实网络应用。该单位采用双线接入，一条电信光纤100M，一条移动光纤200M。办公网络要走电信光纤，教学、实验网络要走移动光纤。要实现该目标，在现有设备的情况下，运用策略路由是比较好的选择方案。该单位使用的网络设备主要是华为的设备。现通过华为eNSP模拟器重新将整个网络的配置模拟实现，以供参考。

网络拓扑简化后如下：

二、拓扑图说明

（1）左侧区域代表内网，由四个子网组成，分别是vlan 10、vlan 20、vlan 30、vlan 40，使用的接入设备为S3700，核心设备使用的是S5700，出口设备使用AR2220。

（2）右侧区域使用4个AR2220模拟外网，路由器AR2至AR5启用OSPF协议。在AR5接入一台计算机模拟外网的资源。

（3）假设vlan 10和vlan 20是办公子网，vlan 30和vlan 40是教学和实验子网。各个vlan的网段分配如下：vlan 10 网段 192.168.10.0/24 网关192.168.10.1；vlan 20 网段192.168.20.0/24 网关192.168.20.1；vlan 30网段192.168.30.0/24 网关192.168.30.1；vlan 40网段192.168.40.0/24 网关 192.168.40.1。

（4）核心交换机GE0/0/2接vlan 10，GE0/0/3接vlan 20，GE0/0/4接vlan 30，GE0/0/5接vlan40。核心交换机GE0/0/1与出口路由AR1 GE0/0/0对接，独划在vlan 200，vlan 200使用网段172.16.0.0/30，vlan 200的IP 172.16.0.1/30，AR1 GE0/0/0 IP 172.16.0.2/30。

（5）出口路由AR1的端口GE0/0/1假设接电信光纤，分配的IP 112.45.65.1/30，电信的网关112.45.65.2/30；端口GE0/0/2假设接移动光纤，分配的IP 217.15.75.1/30，移动的网关217.15.75.2/30。其中vlan 10与vlan 20的流量走电信光纤，vlan 30与vlan 40流量走移动光纤。

（6）模拟外网的路由器AR2至AR5各个连接端口IP：

AR2 GE0/0/0 112.45.65.1/30     GE0/0/1 23.0.0.1/30

AR3 GE0/0/0 23.0.0.2/30   GE0/0/1 35.0.0.1/30

AR4 GE0/0/0 217.15.75.2/30  GE0/0/1 45.0.0.1/30

AR5 GE0/0/0 35.0.0.2/30  GE0/0/1 45.0.0.2/30  GE0/0/2 218.0.0.1/30

三、配置步骤

（1）各个PC的IP配置

PC1：ip192.168.10.2 掩码255.255.255.0 网关192.168.10.1

PC2：ip192.168.20.2 掩码255.255.255.0 网关192.168.20.1

PC3：ip192.168.30.2 掩码255.255.255.0 网关192.168.30.1

PC4：ip192.168.40.2 掩码255.255.255.0 网关192.168.40.1

PC5：ip218.0.0.2 掩码255.255.255.252 网关218.0.0.1

（2）核心交接机LSW1配置

<Huawei>system-view

[Huawei]vlan batch 10 20 30 40 200

[Huawei]interface Vlanif 10

[Huawei-Vlanif10]ip address 192.168.10.1 24

[Huawei-Vlanif10]quit

[Huawei]interface Vlanif 20

[Huawei-Vlanif20]ip address 192.168.20.1 24

[Huawei-Vlanif20]quit

[Huawei]interface Vlanif 30

[Huawei-Vlanif30]ip address 192.168.30.1 24

[Huawei-Vlanif30]quit

[Huawei]interface Vlanif 40

[Huawei-Vlanif40]ip address 192.168.40.1 24

[Huawei-Vlanif40]quit

[Huawei]interface Vlanif 200

[Huawei-Vlanif200]ip address 172.16.0.1 30

[Huawei-Vlanif200]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]port link-typeaccess

[Huawei-GigabitEthernet0/0/1]port defaultvlan 200

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]port link-typeaccess

[Huawei-GigabitEthernet0/0/2]port defaultvlan 10

[Huawei-GigabitEthernet0/0/2]quit

[Huawei]interface GigabitEthernet 0/0/3

[Huawei-GigabitEthernet0/0/3]port link-typeaccess

[Huawei-GigabitEthernet0/0/3]port defaultvlan 20

[Huawei-GigabitEthernet0/0/3]quit

[Huawei]interface GigabitEthernet 0/0/4

[Huawei-GigabitEthernet0/0/4]port link-typeaccess

[Huawei-GigabitEthernet0/0/4]port defaultvlan 30

[Huawei-GigabitEthernet0/0/4]quit

[Huawei]interface GigabitEthernet 0/0/5

[Huawei-GigabitEthernet0/0/5]port link-typeaccess

[Huawei-GigabitEthernet0/0/5]port defaultvlan 40

[Huawei-GigabitEthernet0/0/5]quit

[Huawei]ip route-static 0.0.0.0 0.0.0.0 172.16.0.2

（3）模拟外网的路由器AR2-AR5的配置

AR2：

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address112.45.65.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address23.0.0.1 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network112.45.65.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network 23.0.0.0 0.0.0.3

AR3：

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address23.0.0.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address35.0.0.1 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network23.0.0.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network35.0.0.0 0.0.0.3

AR4：

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address217.15.75.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address45.0.0.1 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network217.15.75.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network 45.0.0.0 0.0.0.3

AR5：

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address35.0.0.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address45.0.0.2 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]ip address218.0.0.1 30

[Huawei-GigabitEthernet0/0/2]quit

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network35.0.0.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network45.0.0.0 0.0.0.3

[Huawei-ospf-1-area-0.0.0.0]network218.0.0.0 0.0.0.3

（4）出口路由AR1的配置

<Huawei>system-view

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip address172.16.0.2 30

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]ip address112.45.65.1 30

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]ip address217.15.75.1 30

[Huawei-GigabitEthernet0/0/2]quit

[Huawei]ip route-static192.168.0.0 255.255.0.0 172.16.0.1

[Huawei]acl 2112

[Huawei-acl-basic-2112]rule permit source192.168.10.0 0.0.0.255

[Huawei-acl-basic-2112]rule permit source192.168.20.0 0.0.0.255

[Huawei-acl-basic-2112]quit

[Huawei]acl 2217

[Huawei-acl-basic-2217]rule permit source192.168.30.0 0.0.0.255

[Huawei-acl-basic-2217]rule permit source192.168.40.0 0.0.0.255

[Huawei-acl-basic-2217]quit

[Huawei]interface GigabitEthernet 0/0/1

[Huawei-GigabitEthernet0/0/1]nat outbound2112

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet 0/0/2

[Huawei-GigabitEthernet0/0/2]nat outbound2217

[Huawei-GigabitEthernet0/0/2]quit

[Huawei]traffic classifier c112

[Huawei-classifier-c112]if-match acl 2112

[Huawei-classifier-c112]quit

[Huawei]traffic classifier c217

[Huawei-classifier-c217]if-match acl 2217

[Huawei-classifier-c217]quit

[Huawei]traffic behavior b112

[Huawei-behavior-b112]redirect ip-nexthop112.45.65.2

[Huawei-behavior-b112]quit

[Huawei]traffic behavior b217

[Huawei-behavior-b217]redirect ip-nexthop217.15.75.2

[Huawei-behavior-b217]quit

[Huawei]traffic policy tointernet

[Huawei-trafficpolicy-tointernet]classifierc112 behavior b112

[Huawei-trafficpolicy-tointernet]classifierc217 behavior b217

[Huawei-trafficpolicy-tointernet]quit

[Huawei]interface GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]traffic-policytointernet inbound

四、验证与查看nat session

PC1:

PC>ping 218.0.0.2

Ping 218.0.0.2: 32 data bytes, Press Ctrl_Cto break

Request timeout!

From 218.0.0.2: bytes=32 seq=2 ttl=123time=62 ms

From 218.0.0.2: bytes=32 seq=3 ttl=123time=94 ms

From 218.0.0.2: bytes=32 seq=4 ttl=123time=78 ms

From 218.0.0.2: bytes=32 seq=5 ttl=123time=78 ms

--- 218.0.0.2 ping statistics ---

5packet(s) transmitted

4packet(s) received

20.00% packet loss

round-tripmin/avg/max = 0/78/94 ms

PC>tracert 218.0.0.2

traceroute to 218.0.0.2, 8 hops max

(ICMP), press Ctrl+C to stop

1 192.168.10.1   47 ms  31 ms 47 ms

2   *  *  *

3 112.45.65.2   47 ms  62 ms 62 ms

4 23.0.0.2   94 ms  78 ms 62 ms

5 35.0.0.2   78 ms  78 ms 94 ms

6 218.0.0.2   94 ms  46 ms 94 ms

PC2:

PC>ping 218.0.0.2

Ping 218.0.0.2: 32 data bytes, Press Ctrl_Cto break

Request timeout!

From 218.0.0.2: bytes=32 seq=2 ttl=123time=63 ms

From 218.0.0.2: bytes=32 seq=3 ttl=123time=78 ms

From 218.0.0.2: bytes=32 seq=4 ttl=123 time=78ms

From 218.0.0.2: bytes=32 seq=5 ttl=123time=94 ms

--- 218.0.0.2 ping statistics ---

5packet(s) transmitted

4packet(s) received

20.00% packet loss

round-trip min/avg/max = 0/78/94 ms

PC>tracert 218.0.0.2

traceroute to 218.0.0.2, 8 hops max

(ICMP), press Ctrl+C to stop

1 192.168.20.1   46 ms  32 ms 46 ms

2   *  *  *

3 112.45.65.2   63 ms  62 ms 63 ms

4 23.0.0.2   78 ms  93 ms 94 ms

5 35.0.0.2   93 ms  78 ms 78 ms

6 218.0.0.2   94 ms  94 ms 109 ms

PC3:

PC>ping 218.0.0.2

Ping 218.0.0.2: 32 data bytes, Press Ctrl_Cto break

From 218.0.0.2: bytes=32 seq=1 ttl=124time=63 ms

From 218.0.0.2: bytes=32 seq=2 ttl=124time=47 ms

From 218.0.0.2: bytes=32 seq=3 ttl=124time=63 ms

From 218.0.0.2: bytes=32 seq=4 ttl=124time=62 ms

From 218.0.0.2: bytes=32 seq=5 ttl=124time=47 ms

--- 218.0.0.2 ping statistics ---

5packet(s) transmitted

5packet(s) received

0.00% packet loss

round-trip min/avg/max = 47/56/63 ms

PC>tracert 218.0.0.2

traceroute to 218.0.0.2, 8 hops max

(ICMP), press Ctrl+C to stop

1 192.168.30.1   31 ms  47 ms 47 ms

2   *  *  *

3 217.15.75.2   63 ms  62 ms 62 ms

4  45.0.0.2   94 ms 62 ms  78 ms

5 218.0.0.2   78 ms  63 ms 47 ms

PC4:

PC>ping 218.0.0.2

Ping 218.0.0.2: 32 data bytes, Press Ctrl_Cto break

From 218.0.0.2: bytes=32 seq=1 ttl=124time=78 ms

From 218.0.0.2: bytes=32 seq=2 ttl=124time=78 ms

From 218.0.0.2: bytes=32 seq=3 ttl=124time=78 ms

From 218.0.0.2: bytes=32 seq=4 ttl=124time=62 ms

From 218.0.0.2: bytes=32 seq=5 ttl=124 time=47ms

--- 218.0.0.2 ping statistics ---

5packet(s) transmitted

5packet(s) received

0.00% packet loss

round-trip min/avg/max = 47/68/78 ms

PC>tracert 218.0.0.2

traceroute to 218.0.0.2, 8 hops max

(ICMP), press Ctrl+C to stop

1 192.168.40.1   15 ms  47 ms 47 ms

2   *  *  *

3 217.15.75.2   78 ms  63 ms 62 ms

4  45.0.0.2   94 ms 62 ms  62 ms

5 218.0.0.2   94 ms  94 ms 46 ms

出口路由的natsession:

[Huawei]dis nat session all

NATSession Table Information:

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.10.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8  48257

NAT-Info

New SrcAddr     : 112.45.65.1

New DestAddr    : ----

New IcmpId      : 10295

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.20.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8  48259

NAT-Info

New SrcAddr     : 112.45.65.1

New DestAddr    : ----

New IcmpId      : 10297

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.30.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8  48263

NAT-Info

New SrcAddr     : 217.15.75.1

New DestAddr    : ----

New IcmpId      : 10295

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.40.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8   48262

NAT-Info

New SrcAddr     : 217.15.75.1

New DestAddr    : ----

New IcmpId      : 10294

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.40.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8  48265

NAT-Info

New SrcAddr     : 217.15.75.1

New DestAddr    : ----

New IcmpId      : 10297

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.40.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8  48263

NAT-Info

New SrcAddr     : 217.15.75.1

New DestAddr    : ----

New IcmpId      : 10296

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.30.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8   48262

NAT-Info

New SrcAddr     : 217.15.75.1

New DestAddr    : ----

New IcmpId      : 10293

Protocol         : ICMP(1)

SrcAddr  Vpn     : 192.168.30.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8  48259

NAT-Info

New SrcAddr     : 217.15.75.1

New DestAddr    : ----

New IcmpId      : 10290

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.30.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8  48261

NAT-Info

New SrcAddr     : 217.15.75.1

New DestAddr    : ----

New IcmpId      : 10291

Protocol          : ICMP(1)

SrcAddr   Vpn     : 192.168.40.2

DestAddr  Vpn     : 218.0.0.2

Type Code IcmpId  : 0   8   48261

NAT-Info

New SrcAddr     : 217.15.75.1

New DestAddr    : ----

New IcmpId      : 10292