Lab requirements: external hosts must be able to reach the resources on Server; the vlan10 subnet can reach the internet; only some hosts in vlan20 can reach the internet; the public addresses allocated to us are 23.0.0.1-100, from which several NAT address pools may be built.
SW1
vlan batch 10 20 30
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/23
port link-type trunk
port trunk pvid vlan 30
port trunk allow-pass vlan 10 20 30
#
ospf 1
area 0.0.0.0
area 0.0.0.1
network 192.168.30.1 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 192.168.30.2
AR1
Choose which internal hosts may reach the external network (static one-to-one mapping and a server mapping for the vlan20 hosts that need it)
nat address-group 1 23.0.0.20 23.0.0.30
#
interface GigabitEthernet0/0/1
ip address 23.0.0.1 255.255.255.0
nat static global 23.0.0.2 inside 192.168.20.20 netmask 255.255.255.255
nat server protocol tcp global 23.0.0.6 8080 inside 192.168.20.21 www
nat static enable
#
interface GigabitEthernet0/0/2
ip address 192.168.30.2 255.255.255.0
#
ospf 1
area 0.0.0.1
network 192.168.30.2 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 23.0.0.254
ACL so that every host on the vlan10 subnet can reach the internet (dynamic NAT from an address pool; note that the nat outbound line below references address-group 2, while only address-group 1 (23.0.0.20-23.0.0.30) is defined above, so either define a second pool within 23.0.0.1-100 before binding it or reference address-group 1)
acl number 3000
rule 100 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet0/0/1
nat outbound 3000 address-group 2
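The following is an added example, not part of the lab notes: a small Python model of the AR1 NAT policy above. It parses the VRP lines, lints them for the inconsistencies a reviewer would check before deployment (undefined pool or ACL references, public addresses reused by two mappings or lying outside the allocated 23.0.0.1-100 block) and then answers "what does AR1 do with this packet?" for outbound hosts and for inbound connections to the published addresses. The config text is copied from the lab; the function names, the port-keyword table and the order of evaluation (static mapping before outbound pool) are this example's own assumptions.

```python
"""Added example (not the lab's own code): parse, lint and simulate the AR1 NAT
policy. lint() flags the reference to address-group 2, which the config never
defines; translate_outbound()/translate_inbound() show the effect per packet."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the NAT-related lines of AR1 copied from the lab.
AR1_NAT_CONFIG = """
nat address-group 1 23.0.0.20 23.0.0.30
acl number 3000
rule 100 permit ip source 192.168.10.0 0.0.0.255
nat static global 23.0.0.2 inside 192.168.20.20 netmask 255.255.255.255
nat server protocol tcp global 23.0.0.6 8080 inside 192.168.20.21 www
nat outbound 3000 address-group 2
"""
# The lab's public allocation is 23.0.0.1-100; 23.0.0.1 is AR1's own interface.
ALLOCATED = (ip_address("23.0.0.1"), ip_address("23.0.0.100"))
INTERFACE_IP = ip_address("23.0.0.1")
WELL_KNOWN = {"www": 80, "ftp": 21, "telnet": 23}  # assumed VRP port keywords


def _port(token):
    return int(token) if token.isdigit() else WELL_KNOWN[token]


def parse_nat(config):
    """Collect pools, ACL source networks, static/server mappings and outbound bindings."""
    nat = {"pools": {}, "acls": {}, "static": {}, "server": {}, "outbound": []}
    acl_id = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"nat address-group (\d+) (\S+) (\S+)", line):
            nat["pools"][int(m[1])] = (ip_address(m[2]), ip_address(m[3]))
        elif m := re.fullmatch(r"acl number (\d+)", line):
            acl_id = int(m[1])
            nat["acls"].setdefault(acl_id, [])
        elif m := re.fullmatch(r"rule \d+ permit ip source (\S+) (\S+)", line):
            # VRP rules use a wildcard mask; assume it is contiguous (0.0.0.255 -> /24)
            prefix = 32 - int(ip_address(m[2])).bit_length()
            nat["acls"][acl_id].append(ip_network(f"{m[1]}/{prefix}", strict=False))
        elif m := re.fullmatch(r"nat static global (\S+) inside (\S+) netmask \S+", line):
            nat["static"][ip_address(m[2])] = ip_address(m[1])
        elif m := re.fullmatch(r"nat server protocol (\w+) global (\S+) (\S+) inside (\S+) (\S+)", line):
            nat["server"][(m[1], ip_address(m[2]), _port(m[3]))] = (ip_address(m[4]), _port(m[5]))
        elif m := re.fullmatch(r"nat outbound (\d+) address-group (\d+)", line):
            nat["outbound"].append((int(m[1]), int(m[2])))
    return nat


def lint(nat):
    """Consistency findings a reviewer would raise before deploying the config."""
    findings = []
    for acl_id, pool_id in nat["outbound"]:
        if acl_id not in nat["acls"]:
            findings.append(f"nat outbound uses acl {acl_id}, which is not defined")
        if pool_id not in nat["pools"]:
            findings.append(f"nat outbound uses address-group {pool_id}, which is not defined")
    owner = {INTERFACE_IP: "interface GigabitEthernet0/0/1"}   # who claims each public IP
    for pid, (lo, hi) in nat["pools"].items():
        for n in range(int(lo), int(hi) + 1):
            owner.setdefault(ip_address(n), f"address-group {pid}")
    for inside, glob in nat["static"].items():
        if glob in owner:
            findings.append(f"static global {glob} collides with {owner[glob]}")
        owner.setdefault(glob, f"static mapping for {inside}")
    for proto, glob, port in nat["server"]:
        if glob in owner and owner[glob].startswith("address-group"):
            findings.append(f"server {glob}:{port}/{proto} collides with {owner[glob]}")
    for ip, who in owner.items():
        if not ALLOCATED[0] <= ip <= ALLOCATED[1]:
            findings.append(f"{ip} ({who}) lies outside the allocated 23.0.0.1-100")
    return findings


def translate_outbound(nat, src):
    """How AR1 treats a packet from inside host `src` heading to the internet."""
    ip = ip_address(src)
    if ip in nat["static"]:                      # assumed: static NAT is matched first
        return ("static", str(nat["static"][ip]))
    for acl_id, pool_id in nat["outbound"]:
        if any(ip in net for net in nat["acls"].get(acl_id, [])):
            if pool_id not in nat["pools"]:
                return ("broken", f"ACL {acl_id} matches but address-group {pool_id} is undefined")
            lo, hi = nat["pools"][pool_id]
            return ("pool", f"{lo}-{hi}")
    return ("untranslated", "private source leaves without NAT; replies cannot return")


def translate_inbound(nat, proto, dst, port):
    """Which inside service, if any, is exposed behind public dst:port."""
    d = ip_address(dst)
    if (proto, d, port) in nat["server"]:        # server mapping exposes one port only
        inside, iport = nat["server"][(proto, d, port)]
        return (str(inside), f"{iport}/{proto}")
    for inside, glob in nat["static"].items():   # static 1:1 mapping exposes every port
        if glob == d:
            return (str(inside), f"{port}/{proto}")
    return None


if __name__ == "__main__":
    policy = parse_nat(AR1_NAT_CONFIG)
    for finding in lint(policy):
        print("LINT:", finding)
    for host in ("192.168.10.5", "192.168.20.20", "192.168.20.50"):
        print(host, "->", translate_outbound(policy, host))
    print("23.0.0.6:8080/tcp ->", translate_inbound(policy, "tcp", "23.0.0.6", 8080))
    print("23.0.0.2:22/tcp   ->", translate_inbound(policy, "tcp", "23.0.0.2", 22))
```

Running it as-is reports the undefined address-group 2, shows a vlan10 host matching ACL 3000 but having no pool to draw from, and shows the two vlan20 hosts behaving as the requirements intend: 192.168.20.20 leaves as 23.0.0.2, while 192.168.20.50 is not translated at all. Feeding the same text with `address-group 2` changed to `address-group 1` gives a clean lint and a pool translation from 23.0.0.20-23.0.0.30. The inbound check also makes the exposure difference visible: the server mapping publishes only 23.0.0.6:8080, whereas the static mapping on 23.0.0.2 exposes every port of 192.168.20.20, which is why one-to-one static NAT deserves a firewall policy or ACL on the outside interface.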
AR2
interface GigabitEthernet0/0/1
ip address 23.1.1.1 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 23.0.0.254 255.255.255.0
#
ospf 1
area 0.0.0.0
network 23.0.0.254 0.0.0.0
network 23.1.1.1 0.0.0.0
AR3
interface GigabitEthernet0/0/0
ip address 23.3.3.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 23.2.2.1 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 23.1.1.2 255.255.255.252
#
ospf 1
area 0.0.0.0
network 0.0.0.0 255.255.255.255