H3C S9500 Series Command Manual page 21

Command Manual – NAT
H3C S9500 Series Routing Switches
# Perform the following configuration to use the IP address of VLAN-interface 2 directly.
[H3C-Vlan-interface2] nat outbound 3000 slot 3
# Configure ACLs for packet redirection. You are recommended to configure two ACLs,
namely, ACL 4000 and ACL 3001. ACL 4000 allows packets with VLAN ID 192 and
DMAC being the MAC address of VLAN-interface 192 (000f-e23f-3294) to pass (only
Layer 3 packets need to be redirected to the NAT LPU for translation, while protocol
and Layer 2 packets do not need to be redirected). ACL 3001 allows the packets with
source IP address 10.110.10.0/24 to pass. The ID of the VLAN on the private network
side is 192.
[H3C] acl number 4000
[H3C-acl-link-4000] rule permit ingress 192 egress 000f-e23f-3294 0-0-0
[H3C-acl-link-4000] quit
[H3C] acl number 3001
[H3C-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255
[H3C-acl-adv-3001] quit
# Customize a flow template, and then apply it to Ethernet 4/1/1. The interface card is
located in slot 4. For details about flow template, refer to Defining and Applying Flow
Template in ACL Configuration of the QoS ACL Volume.
[H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0
vlanid
[H3C] interface Ethernet4/1/1
[H3C-Ethernet4/1/1] flow-template user-defined
# Reference the ACLs to redirect the packets that needs to be translated to the NAT
LPU. Ethernet 4/1/1 is the inbound interface on the private network side and the VLAN
ID is 192.
[H3C] interface Ethernet4/1/1
[H3C-Ethernet4/1/1] traffic-redirect inbound ip-group 3001 link-group 4000
rule 0 slot 3 designated-vlan 192
Caution:
You need to bind VPN 1 to VLAN 192 on the private network side before referencing
the ACLs for packet redirection.
# The configuration of VPN 2 is similar to that of VPN 1.
Chapter 1 NAT Configuration Commands
1-20