User requirements are as follows:
VLAN10 and VLAN11 cannot communicate with each other, but both can access the servers in VLAN12.
VLAN10 can only access the Internet through RT5, and VLAN11 can only access the Internet through RT6.
VLAN12 cannot access the Internet.
Configuration steps:
1. Basic configuration (SW1, RT5, RT6)
2. Border network peering (RT5 static routing)
3. SW1 policy routing, RT6 static routing
4. Border device Internet peering (default routes)
5. Business access control (VLAN10 and VLAN11 cannot communicate with each other)
6. Network-wide test and troubleshooting
Basic Configuration:
SW1> en
SW1 # vlan data
SW1 (vlan) # vtp tran
SW1 (vlan) # vlan 10
SW1 (vlan) # vlan 11
SW1 (vlan) # vlan 12 // Add a VLAN to the VLAN Database
SW1 (vlan) # exit
SW1 # config t
SW1 (config) # int vlan 10
SW1 (config-if) # ip add 192.168.10.1 255.255.255.0
SW1 (config-if) # no shut
SW1 (config-if) # int vlan 11
SW1 (config-if) # ip add 192.168.11.1 255.255.255.0
SW1 (config-if) # no shut
SW1 (config-if) # int vlan 12
SW1 (config-if) # ip add 192.168.12.1 255.255.255.0
SW1 (config-if) # no shut
SW1 (config-if) # int f1/10
SW1 (config-if) # switchport mode access
SW1 (config-if) # switchport access vlan 10
SW1 (config-if) # int f1/11
SW1 (config-if) # switchport mode access
SW1 (config-if) # switchport access vlan 11
SW1 (config-if) # int f1/12
SW1 (config-if) # switchport mode access
SW1 (config-if) # switchport access vlan 12
SW1 (config-if) # int f1/1
SW1 (config-if) # no switchport
SW1 (config-if) # ip add 192.168.1.1 255.255.255.252
SW1 (config-if) # no shut
SW1 (config-if) # int f1/2
SW1 (config-if) # no switchport
SW1 (config-if) # ip add 192.168.1.5 255.255.255.252
SW1 (config-if) # no shut
SW1 (config-if) # exit
SW1 (config) # ip routing
SW1 (config) # ip route 192.168.0.0 255.255.0.0 null 0 // black-hole route: RT5 and RT6 send the whole 192.168.0.0/16 summary back to SW1, so unused intranet space must be dropped here instead of looping between the devices
SW1 (config) # access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255 // VLAN10 traffic to the intranet is excluded from policy routing and falls through to the normal routing table
SW1 (config) # access-list 101 permit ip 192.168.10.0 0.0.0.255 any // everything else from VLAN10 (Internet-bound) is policy routed
// Differentiate VLAN10 traffic
SW1 (config) # access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255 // VLAN11 traffic to the intranet is excluded from policy routing
SW1 (config) # access-list 102 permit ip 192.168.11.0 0.0.0.255 any
// Differentiate VLAN11 traffic
SW1 (config) # access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 // VLAN10 and VLAN11 cannot communicate with each other
SW1 (config) # access-list 103 permit ip any any // allow VLAN10 to reach everything else (wildcard masks must be full dotted quads; IOS rejects 0.0.255)
SW1 (config) # route-map RT5 permit 10 // create a route-map that sends traffic to the Internet through RT5
SW1 (config-route-map) # match ip address 101 // match traffic permitted by access-list 101
SW1 (config-route-map) # set ip next-hop 192.168.1.2 // set the next hop for matching traffic
SW1 (config-route-map) # exit
SW1 (config) # route-map RT6 permit 10 // create a route-map that sends traffic to the Internet through RT6
SW1 (config-route-map) # match ip address 102 // match traffic permitted by access-list 102
SW1 (config-route-map) # set ip next-hop 192.168.1.6 // set the next hop for matching traffic
SW1 (config-route-map) # exit
SW1 (config) # int vlan 10
SW1 (config-if) # ip policy route-map RT5 // bind the route-map to the VLAN10 SVI
SW1 (config-if) # ip access-group 103 in // apply the access list inbound. Note: it is applied on VLAN10 only, so a VLAN11 host can still send packets into VLAN10; only the replies from VLAN10 are dropped. Apply a matching ACL inbound on VLAN11 for a symmetric block.
SW1 (config-if) # int vlan 11
SW1 (config-if) # ip policy route-map RT6 // bind the route-map to the VLAN11 SVI
RT5 (config) # int f2/0
RT5 (config-if) # ip add 192.168.1.2 255.255.255.252
RT5 (config-if) # no shut
RT5 (config-if) # int f1/0
RT5 (config-if) # ip add 202.202.1.2 255.255.255.252
RT5 (config-if) # no shut
RT5 (config-if) # exit
RT5 (config) # ip route 0.0.0.0 0.0.0.0 202.202.1.1 // default route towards the public network
RT5 (config) # ip route 192.168.0.0 255.255.0.0 192.168.1.1 // summary route back to the internal network via SW1
RT5 (config) # access-list 10 permit 192.168.10.0 0.0.0.255 // define the traffic for NAT: only VLAN10 is translated
RT5 (config) # int f2/0
RT5 (config-if) # ip nat inside // f2/0 (192.168.1.2) faces SW1: NAT inside interface
RT5 (config-if) # int f1/0
RT5 (config-if) # ip nat outside // f1/0 (202.202.1.2) faces the Internet: NAT outside interface
RT5 (config-if) # exit
RT5 (config) # ip nat inside source list 10 int f1/0 overload // enable NAT: overload (PAT) VLAN10 sources onto the address of f1/0
RT6 (config) # int f2/0
RT6 (config-if) # ip add 192.168.1.6 255.255.255.252
RT6 (config-if) # no shut
RT6 (config-if) # int f1/0
RT6 (config-if) # ip add 202.202.2.2 255.255.255.252
RT6 (config-if) # no shut
RT6 (config-if) # exit
RT6 (config) # ip route 0.0.0.0 0.0.0.0 202.202.2.1 // default route towards the public network
RT6 (config) # ip route 192.168.0.0 255.255.0.0 192.168.1.5 // summary route back to the internal network via SW1
RT6 (config) # access-list 10 permit 192.168.11.0 0.0.0.255 // define the traffic for NAT: only VLAN11 is translated
RT6 (config) # int f2/0
RT6 (config-if) # ip nat inside // f2/0 (192.168.1.6) faces SW1: NAT inside interface
RT6 (config-if) # int f1/0
RT6 (config-if) # ip nat outside // f1/0 (202.202.2.2) faces the Internet: NAT outside interface
RT6 (config-if) # exit
RT6 (config) # ip nat inside source list 10 int f1/0 overload // PAT VLAN11 sources onto the address of f1/0
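Before bringing the lab up, it helps to check that the ACLs, route-maps, static routes and NAT lists above actually produce the four requirements. The script below is an added example, not code from the original post: it re-implements Cisco wildcard-mask ACL matching (first match wins, implicit deny), the route-map fall-through on a deny entry, SW1's routing table with the Null0 black hole and the two routers' NAT source lists, then evaluates a constructed set of flows. All function names, the FLOWS list and the 203.0.113.9 "Internet" address are illustrative assumptions.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # the IOS "any" keyword


def valid_wildcard(mask: str) -> bool:
    """IOS rejects a three-octet mask such as '0.0.255'; so does this check."""
    try:
        ipaddress.IPv4Address(mask)
        return True
    except ipaddress.AddressValueError:
        return False


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


# Extended ACLs from the SW1 configuration: (action, (src, wildcard), (dst, wildcard)).
ACL = {
    101: [("deny",   ("192.168.10.0", "0.0.0.255"), ("192.168.0.0", "0.0.255.255")),
          ("permit", ("192.168.10.0", "0.0.0.255"), ANY)],
    102: [("deny",   ("192.168.11.0", "0.0.0.255"), ("192.168.0.0", "0.0.255.255")),
          ("permit", ("192.168.11.0", "0.0.0.255"), ANY)],
    103: [("deny",   ("192.168.10.0", "0.0.0.255"), ("192.168.11.0", "0.0.0.255")),
          ("permit", ANY, ANY)],
}


def acl_action(acl_id: int, src: str, dst: str) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, (snet, swc), (dnet, dwc) in ACL[acl_id]:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


# Per-SVI settings: route-map (name, match ACL, next hop) and inbound ACL.
SVI = {"Vlan10": {"policy": ("RT5", 101, "192.168.1.2"), "acl_in": 103},
       "Vlan11": {"policy": ("RT6", 102, "192.168.1.6"), "acl_in": None},
       "Vlan12": {"policy": None, "acl_in": None}}

# SW1 routing table: connected routes plus the Null0 black hole, no default route.
SW1_ROUTES = [("192.168.10.0/24", "Vlan10"), ("192.168.11.0/24", "Vlan11"),
              ("192.168.12.0/24", "Vlan12"), ("192.168.1.0/30", "FastEthernet1/1"),
              ("192.168.1.4/30", "FastEthernet1/2"), ("192.168.0.0/16", "Null0")]

# Next hop -> (router, its NAT access-list 10 entry, address of its outside interface).
ROUTER = {"192.168.1.2": ("RT5", ("192.168.10.0", "0.0.0.255"), "202.202.1.2"),
          "192.168.1.6": ("RT6", ("192.168.11.0", "0.0.0.255"), "202.202.2.2")}


def rib_lookup(dst: str):
    """Longest-prefix match over SW1_ROUTES; None when nothing matches."""
    addr, best = ipaddress.IPv4Address(dst), None
    for prefix, iface in SW1_ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def sw1_forward(ingress: str, src: str, dst: str) -> str:
    """What SW1 does with a packet arriving on the given SVI."""
    svi = SVI[ingress]
    if svi["acl_in"] is not None and acl_action(svi["acl_in"], src, dst) == "deny":
        return f"dropped by access-list {svi['acl_in']} inbound on {ingress}"
    if svi["policy"] is not None:
        name, acl_id, next_hop = svi["policy"]
        # A deny in the match ACL means "not matched": the packet is not policy
        # routed and falls through to the ordinary destination-based lookup.
        if acl_action(acl_id, src, dst) == "permit":
            return f"policy-routed by route-map {name} to {next_hop}"
    out = rib_lookup(dst)
    if out is None:
        return "no route on SW1 (no default route), dropped"
    if out == "Null0":
        return "black-holed by the 192.168.0.0/16 Null0 route"
    return f"routed via {out}"


def end_to_end(ingress: str, src: str, dst: str) -> str:
    """SW1 verdict, extended with the NAT decision on the chosen border router."""
    verdict = sw1_forward(ingress, src, dst)
    if not verdict.startswith("policy-routed"):
        return verdict
    router, (net, wc), public_ip = ROUTER[verdict.rsplit(" ", 1)[1]]
    if wildcard_match(src, net, wc):
        return f"{verdict} ({router}), PAT to {public_ip}"
    return f"{verdict} ({router}), not in the NAT list: sent untranslated"


# Constructed flows: one per requirement plus two edge cases.
FLOWS = [("Vlan10", "192.168.10.100", "192.168.12.10"),   # VLAN10 -> VLAN12 server
         ("Vlan10", "192.168.10.100", "192.168.11.100"),  # VLAN10 -> VLAN11
         ("Vlan11", "192.168.11.100", "192.168.10.100"),  # VLAN11 -> VLAN10 (one way!)
         ("Vlan10", "192.168.10.100", "203.0.113.9"),     # VLAN10 -> Internet
         ("Vlan11", "192.168.11.100", "203.0.113.9"),     # VLAN11 -> Internet
         ("Vlan12", "192.168.12.10", "203.0.113.9"),      # VLAN12 -> Internet
         ("Vlan10", "192.168.10.100", "192.168.50.1")]    # unused 192.168/16 space


def lab_matrix() -> dict:
    return {flow: end_to_end(*flow) for flow in FLOWS}


if __name__ == "__main__":
    for (vlan, src, dst), verdict in lab_matrix().items():
        print(f"{vlan} {src} -> {dst}: {verdict}")
```

The VLAN11 to VLAN10 flow is the one to look at: SW1 forwards it, because access-list 103 is only inbound on VLAN10, and the block relies on the reply being dropped. VLAN12 to the Internet is dropped for lack of any route rather than by an explicit rule, and traffic to unused intranet space ends in the Null0 route instead of bouncing between SW1 and the border routers.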
Test process:
VPCS1 (192.168.10.100, VLAN10) pings the public address of RT5; the SW1 debug output follows the ping:
VPCS 1> ping 202.202.1.2
202.202.1.2 icmp_seq=1 time=130.000 ms
202.202.1.2 icmp_seq=2 time=46.000 ms
202.202.1.2 icmp_seq=3 time=67.000 ms
202.202.1.2 icmp_seq=4 time=63.000 ms
202.202.1.2 icmp_seq=5 time=105.000 ms
*Mar  1 00:44:57.915: IP: tableid=0, s=192.168.10.100 (Vlan10), d=202.202.1.2 (FastEthernet1/1), routed via FIB
*Mar  1 00:44:57.919: IP: s=192.168.10.100 (Vlan10), d=202.202.1.2, len 84, policy match
*Mar  1 00:44:57.923: IP: route map RT5, item 10, permit
*Mar  1 00:44:57.923: IP: s=192.168.10.100 (Vlan10), d=202.202.1.2 (FastEthernet1/1), len 84, policy routed
*Mar  1 00:44:57.927: IP: Vlan10 to FastEthernet1/1 192.168.1.2
*Mar  1 00:44:57.931: IP: s=192.168.10.100 (Vlan10), d=202.202.1.2 (FastEthernet1/1), g=192.168.1.2, len 84, forward
*Mar  1 00:44:58.027: IP: tableid=0, s=202.202.1.2 (FastEthernet1/1), d=192.168.10.100 (Vlan10), routed via FIB
*Mar  1 00:44:58.031: IP: s=202.202.1.2 (FastEthernet1/1), d=192.168.10.100 (Vlan10), g=192.168.10.100, len 84, forward
VPCS2 (192.168.11.100, VLAN11) pings the public address of RT6; every packet leaves SW1 through FastEthernet1/2 with gateway 192.168.1.6:
VPCS 2> ping 202.202.2.2
202.202.2.2 icmp_seq=1 time=61.000 ms
202.202.2.2 icmp_seq=2 time=77.000 ms
202.202.2.2 icmp_seq=3 time=84.000 ms
202.202.2.2 icmp_seq=4 time=103.000 ms
202.202.2.2 icmp_seq=5 time=37.000 ms
*Mar  1 00:45:56.839: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
*Mar  1 00:45:56.839: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
*Mar  1 00:45:57.819: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
*Mar  1 00:45:57.823: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
*Mar  1 00:45:58.807: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
*Mar  1 00:45:58.811: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84,
*Mar  1 00:45:59.847: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
*Mar  1 00:45:59.851: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
*Mar  1 00:46:00.827: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
*Mar  1 00:46:00.831: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
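Reading the debug output by eye works for ten lines; for a longer capture it is easier to let a script confirm that every Internet-bound packet from each SVI left through the required gateway. The following is an added example, not part of the original post: it parses the "forward" lines of the SW1 debug output, ignores intranet destinations (which are legitimately routed locally) and reports any SVI whose outside traffic used a gateway other than the one the policy demands. The SAMPLE_DEBUG text is constructed in the format of the capture above, and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the SW1 "forward" debug lines above: the
# VLAN10 request and reply, two VLAN11 requests and one VLAN10 -> VLAN12 packet.
SAMPLE_DEBUG = """\
*Mar  1 00:44:57.931: IP: s=192.168.10.100 (Vlan10), d=202.202.1.2 (FastEthernet1/1), g=192.168.1.2, len 84, forward
*Mar  1 00:44:58.031: IP: s=202.202.1.2 (FastEthernet1/1), d=192.168.10.100 (Vlan10), g=192.168.10.100, len 84, forward
*Mar  1 00:45:56.839: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
*Mar  1 00:45:57.823: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
*Mar  1 00:46:30.100: IP: s=192.168.10.100 (Vlan10), d=192.168.12.10 (Vlan12), g=192.168.12.10, len 84, forward
"""

FORWARD_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+) "
    r"\((?P<out_if>[^)]+)\), g=(?P<gw>[\d.]+), len \d+, forward")

INTRANET = ipaddress.IPv4Network("192.168.0.0/16")
# Requirement: VLAN10 leaves only via RT5 (192.168.1.2), VLAN11 only via RT6.
EXPECTED_GATEWAY = {"Vlan10": "192.168.1.2", "Vlan11": "192.168.1.6"}


def parse_forwards(text: str) -> list:
    """Return one dict per 'forward' line; all other debug lines are ignored."""
    return [m.groupdict() for m in map(FORWARD_RE.search, text.splitlines()) if m]


def internet_gateways(rows: list) -> dict:
    """Ingress interface -> set of gateways used for non-intranet destinations."""
    seen = defaultdict(set)
    for r in rows:
        if ipaddress.IPv4Address(r["dst"]) not in INTRANET:
            seen[r["in_if"]].add(r["gw"])
    return dict(seen)


def check_egress_policy(text: str, expected: dict = EXPECTED_GATEWAY) -> list:
    """Violations as (ingress SVI, sorted gateways seen) wherever Internet-bound
    packets used any gateway other than the one the policy requires."""
    gws = internet_gateways(parse_forwards(text))
    return [(svi, sorted(g)) for svi, g in gws.items()
            if svi in expected and g != {expected[svi]}]


if __name__ == "__main__":
    print(internet_gateways(parse_forwards(SAMPLE_DEBUG)))
    print("violations:", check_egress_policy(SAMPLE_DEBUG))
```

Run it against a real capture by replacing SAMPLE_DEBUG with the saved `debug ip packet` output; an empty violation list means requirement 2 held for every packet seen, and a non-empty one names the SVI that leaked through the wrong border router.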
Experiment summary:
Access to the Internet from 192.168.10.100:
192.168.10.100 delivers the packet to SW1's SVI 192.168.10.1. A policy route is bound to the VLAN10 SVI with the next hop set to 192.168.1.2, and because the destination lies outside 192.168.0.0/16 it is not excluded by the deny entry of access-list 101, so the packet matches route-map RT5 and is sent to 192.168.1.2. On RT5, NAT translates the 192.168.10.0/24 source address to 202.202.1.2, the address of F1/0, records the translation in the NAT table and sends the packet to the Internet. The reply arrives on F1/0, is matched against the NAT table to recover the internal address, is routed out of F2/0 towards SW1 and is finally delivered to the host.
Traffic from VLAN11 follows the same path through route-map RT6, next hop 192.168.1.6 and RT6's public address 202.202.2.2, as the second debug capture shows. Traffic between VLAN10 and VLAN11 is stopped by access-list 103 on the VLAN10 SVI, and VLAN12 has neither a policy route nor a default route on SW1, so it cannot reach the Internet at all. Note that access-list 103 is applied inbound on VLAN10 only: a packet from VLAN11 to VLAN10 is still forwarded and only the reply from VLAN10 is dropped; a matching ACL inbound on VLAN11 closes that gap.
This article is from the "Mortal World" blog