华三CPE SNAT配置

1. 公网默认路由（day0配置） ```shell ip route-static 0.0.0.0 0 172.171.0.1

route-policy public-filter permit node 1 if-match ip address prefix-list public-filter

ip prefix-list public-filter index 10 permit 0.0.0.0 0

2. **私网路由表中引入公网默认路由（控制器配置）**
```shell
ip vpn-instance connection-nzy
 route-distinguisher 200:93
 address-family ipv4
  route-replicate from public protocol static route-policy public-filter

1. 通过源地址匹配哪些地址出公网（控制器配置）

   acl basic name nat
   rule 0 permit vpn-instance connection-nzy source 16.1.1.0 0.0.0.255

2. 公网地址池（控制器配置，由于直接使用wan口地址且wan口地址可变，该步骤废弃）

   nat address-group 1 name nat
   address 172.171.15.21 172.171.15.21

3. 绑定出向NAT策略，注意无需要指定vpn实例（控制器配置）

   interface GigabitEthernet2/0
   description wan
   ip address 172.171.15.21 255.255.240.0
   nat outbound name nat
   ipsec apply policy connection-nzy_cpe-14_vpe14

测试报文：
创建虚网

{
  "branchList": [
    {
      "active": true,
      "cpe": {
        "accessPoints": [{
         "accessRoutes": [
              {
                "nexthop": "16.1.1.2",
                "prefix": "52.1.1.0/24"
              }
            ],
          "bandwidth": "100",
          "interfaceIp": "16.1.1.1/24",
          "interfaceName": "GigabitEthernet1/0",
          "vlan": "1006"
        }],
          "snat": {
              "interfaceName": "GigabitEthernet2/0",
              "prefix": ["16.1.1.0/24"]
          },
        "deviceName": "cpe14"
      },
      "description": "branch6",
      "links": [{
        "cpeIfIp": "172.171.15.21/24",
        "cpeIfName": "GigabitEthernet2/0",
        "cpeName": "cpe14",
        "vpeIfIp": "172.171.15.24/24",
        "vpeIfName": "GigabitEthernet2/0",
        "vpeName": "vpe14"
      }],
      "encapType": "vxlan",
      "name": "branch14",
      "vpes": [{
        "deviceName": "vpe14",
        "peAccessPoints": [{
          "interfaceIp": "19.1.1.2/24",
          "remoteIp": "19.1.1.1/24",
          "interfaceName": "GigabitEthernet3/0",
          "vlan": "1099"
        }]
      }]
    }
  ],
  "description": "connection-nzy",
  "name": "connection-nzy"
}

更新虚网

{
  "branchList": [{
      "active": true,
      "cpe": {
        "accessPoints": [{
          "bandwidth": "100",
          "interfaceIp": "31.1.1.1/24",
          "interfaceName": "GigabitEthernet0/5",
          "vlan": "1000",
          "dhcpPool": {
            "dhcpEnable": true,
            "gateway": "31.1.1.1",
            "subnet": "31.1.1.0/24",
            "dhcpStart": "31.1.1.3",
            "dhcpEnd": "31.1.1.254",
            "leaseTime": "12"
          }
        }],
        "snat": {
            "interfaceName": "GigabitEthernet0/0",
                "prefix": ["31.1.1.0/24"]
            },
        "deviceName": "cpe4"
      },
      "description": "branch1",
      "links": [{
        "cpeIfIp": "172.171.15.253/24",
        "cpeIfName": "GigabitEthernet0/0",
        "cpeName": "cpe4",
        "vpeIfIp": "172.171.15.24/24",
        "vpeIfName": "GigabitEthernet2/0",
        "vpeName": "vpe14"
      }],
      "name": "branch1",
      "operation": "add",
      "vpes": [{
        "deviceName": "vpe14",
        "peAccessPoints": [{
          "interfaceIp": "19.1.1.2/24",
          "remoteIp": "19.1.1.1/24",
          "interfaceName": "GigabitEthernet3/0",
          "vlan": "1099"
        }]
      }]
    }
  ],
  "description": "connection-nzy",
  "name": "connection-nzy"
}