Chinaunix

Title: (Solved!) Question about network configuration for a unified Internet egress for branch offices

Author: xy-coordinate    Time: 2013-01-14 09:14
This post was last edited by xy-coordinate on 2013-01-15 15:20

H3C UTM200
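5 Ethernet ports
2 x 100M Internet uplinks

Departments: 5
Branch offices: 10

H3C S3600 Layer 3 switch
The 10 branch offices are aggregated to the S3600 over fiber through an MSTP network
The 5 departments are connected to Ethernet ports on the S3600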
H3C UTM200
#
acl number 2000
rule 15 permit source 192.168.100.0 0.0.0.255
rule 20 permit source 192.168.201.0 0.0.0.255
rule 25 permit source 192.168.202.0 0.0.0.255
rule 30 permit source 192.168.203.0 0.0.0.255
rule 35 permit source 192.168.204.0 0.0.0.255
rule 1000 deny
acl number 2001
rule 5 permit source 192.168.101.0 0.0.0.255
rule 10 permit source 192.168.102.0 0.0.0.255
rule 15 permit source 192.168.103.0 0.0.0.255
rule 20 permit source 192.168.104.0 0.0.0.255
rule 25 permit source 192.168.105.0 0.0.0.255
rule 30 permit source 192.168.106.0 0.0.0.255
rule 35 permit source 192.168.107.0 0.0.0.255
rule 40 permit source 192.168.108.0 0.0.0.255
rule 45 permit source 192.168.109.0 0.0.0.255
rule 50 permit source 192.168.110.0 0.0.0.255
rule 1000 deny
#
#
interface GigabitEthernet0/1
port link-mode route
nat outbound 2000
ip address 158.43.114.226 255.255.255.248
#
interface GigabitEthernet0/2
port link-mode route
nat outbound 2001
ip address 136.132.162.18 255.255.255.248
#
interface GigabitEthernet0/3
port link-mode route
ip address 192.168.101.1 255.255.255.0
ip address 192.168.102.1 255.255.255.0 sub
ip address 192.168.104.1 255.255.255.0 sub
ip address 192.168.105.1 255.255.255.0 sub
ip address 192.168.106.1 255.255.255.0 sub
ip address 192.168.107.1 255.255.255.0 sub
ip address 192.168.108.1 255.255.255.0 sub
ip address 192.168.109.1 255.255.255.0 sub
ip address 192.168.110.1 255.255.255.0 sub
ip policy-based-route 1    //* The UTM cannot load-balance across the two uplinks, but it can assign a specific uplink
#
interface GigabitEthernet0/4
port link-mode route
ip address 192.168.100.1 255.255.255.0
ip address 192.168.201.1 255.255.255.0 sub
ip address 192.168.202.1 255.255.255.0 sub
ip address 192.168.203.1 255.255.255.0 sub
ip address 192.168.204.1 255.255.255.0 sub
#

#
policy-based-route 1 permit node 10
   if-match acl 2001
   apply ip-address next-hop 136.132.162.17

#
ip route-static 0.0.0.0 0.0.0.0 158.43.114.225    //* A second default route to 136.132.162.17 cannot be added; a specific uplink can be assigned instead
#
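The departments use one 100M uplink, and the branch offices use one 100M uplink.

The network is working now, but the branch office networks are not fixed: any branch office can configure 192.168.101.0 or 192.168.102.0, and so on. I want each branch office fixed to one subnet. How do I configure that?
The branch offices can replace their hubs with TP-LINK routers.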
              


Author: xy-coordinate    Time: 2013-01-15 15:09
This post was last edited by xy-coordinate on 2013-01-15 15:32

On one Ethernet port of the UTM200, configure VLANs or create subinterfaces
#
interface GigabitEthernet0/3.1
vlan-type dot1q vid 101
ip address 192.168.101.1 255.255.255.0
#
interface GigabitEthernet0/3.2
vlan-type dot1q vid 102
ip address 192.168.102.1 255.255.255.0
#

+++++++++++++++++++++++++++++++
#
interface GigabitEthernet0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#

vlan 101
interface vlan101
ip address 192.168.101.1 255.255.255.0

vlan 102
interface vlan102
ip address 192.168.102.1 255.255.255.0
......
+++++++++++++++++++++++++++++++

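Note: on the UTM you must also use the web interface, Device Management > Security Zone, to add the VLAN or subinterface to the trust zone, otherwise the downstream switch receives the corresponding configuration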
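
Added example, not part of the original thread: a small audit that parses the two subinterface stanzas posted above into a VLAN-to-subnet binding and flags source addresses that do not belong to the VLAN they arrive on, which is the condition the first post wants to rule out. The `OBSERVED` pairs are constructed sample data, and the function names are assumptions for illustration.

```python
import ipaddress
import re

# Subinterface stanzas as posted above (GigabitEthernet0/3.1 and 0/3.2).
CONFIG = """\
interface GigabitEthernet0/3.1
vlan-type dot1q vid 101
ip address 192.168.101.1 255.255.255.0
#
interface GigabitEthernet0/3.2
vlan-type dot1q vid 102
ip address 192.168.102.1 255.255.255.0
#
"""

# Constructed sample: (VLAN tag, source IP) pairs as they might be seen on the trunk.
OBSERVED = [(101, "192.168.101.23"), (102, "192.168.101.50"), (103, "192.168.103.9")]


def vlan_bindings(config):
    """Return {vid: IPv4Network} for each dot1q subinterface stanza."""
    bindings, vid = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#" or line.startswith("interface "):
            vid = None  # a new stanza starts; forget the previous VLAN tag
        elif m := re.fullmatch(r"vlan-type dot1q vid (\d+)", line):
            vid = int(m.group(1))
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and vid is not None:
            bindings[vid] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return bindings


def audit(observed, bindings):
    """Label each observation: ok, foreign-subnet, or unknown-vlan."""
    results = []
    for vid, src in observed:
        net = bindings.get(vid)
        if net is None:
            verdict = "unknown-vlan"      # tag has no subinterface on the UTM
        elif ipaddress.ip_address(src) in net:
            verdict = "ok"
        else:
            verdict = "foreign-subnet"    # address from another office's range
        results.append((vid, src, verdict))
    return results


if __name__ == "__main__":
    for row in audit(OBSERVED, vlan_bindings(CONFIG)):
        print(row)
```
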
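Author: aplah    Time: 2013-01-16 10:19
That's the router-on-a-stick approach, nice.

You could also consider creating Layer 3 VLANs on the S3600, but then the hubs would have to be replaced.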



