H3C S9500 Series Operation Manual page 145

Operation Manual – NAT
H3C S9500 Series Routing Switches
[PE] vlan 200
[PE-vlan200] port ethernet4/1/2
[PE-vlan200] quit
[PE] interface Vlan-interface 200
[PE-Vlan-interface200] ip address 200.1.1.100 255.255.255.0
# Configure ACL 3000.
[PE] acl number 3000
[PE-acl-adv-3000] rule permit ip vpn-instance VPN-a source 10.1.1.1 0.0.0.255
[PE-acl-adv-3000] quit
# Configure the maximum numbers of users and connections of VPN-a.
[PE] nat vpn limit vpn-instance VPN-a 1000 500000
# Configure a NAT address pool with the identifier of 0.
[PE] nat address-group 0 200.1.1.101 200.1.1.111
# Bind ACL 3000 to address group 0 on VLAN-interface 200.
[PE] interface Vlan-interface 200
[PE-Vlan-interface200] nat outbound 3000 address-group 0 slot 3
[PE-Vlan-interface200] quit
# Customize a flow template (the default flow template does not check the packet's
destination MAC address), and apply the flow template to Ethernet 4/1/1. The interface
card is located in slot 4.
[PE] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0
vlanid
[PE] interface Ethernet4/1/1
[PE-Ethernet4/1/1] flow-template user-defined
# Configure ACLs for packet redirection. You are recommended to configure two ACLs:
ACL 4000 and ACL 3001. ACL 4000 allows only the packets with VLAN ID 100 and
DMAC being the MAC address of VLAN-interface 100 (000f-e23f-3294) to pass (only
Layer 3 packets need to be redirected to the NAT LPU for address translation, while
protocol packets, such as LDP packets, and Layer 2 packets do not need to be
redirected). ACL 3001 allows the packets with source IP address 10.1.1.0/24 to pass.
[PE] acl number 4000
[PE-acl-link-4000] rule permit ingress 100 egress 000f-e23f-3294 0-0-0
[PE-acl-link-4000] quit
[PE] acl number 3001
[PE-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255
[PE-acl-adv-3001] quit
1-24
Chapter 1 NAT Configuration