The network topology is shown in the figure above.
R1 E0/3 <----> R2 E0/3
R1 E0/1 <----> 3L-1 F0/0
R1 E0/2 <----> 3L-2 F0/0
3L-1 F0/1 <----> 3L-2 F0/1
3L-1 F0/2 <----> 3L-2 F0/2
3L-1 F0/3 <----> SW1 F0/0
3L-1 F0/4 <----> SW2 F0/0
3L-1 F0/5 <----> SW3 F0/0
3L-2 F0/3 <----> SW1 F0/1
3L-2 F0/4 <----> SW2 F0/1
3L-2 F0/5 <----> SW3 F0/1
PC1 <----> SW1 F0/15
PC2 <----> SW2 F0/9
PC3 <----> SW3 F0/15
Address plan
R1 e0/1: 172.16.1.1/24, e0/2: 172.16.2.1/24, e0/3: 172.16.3.1/24, lo0: 192.168.100.1/24
R2 e0/3: 172.16.3.1/24
3L-1 f0/0: 172.16.1.2/24, f0/5: 192.168.10.1/24, lo0: 192.168.100.2/24
vlan 1: 10.10.1.1/24, vlan 2: 10.10.2.2/24
3L-2 f0/0: 172.16.2.2/24, f0/5: 192.168.10.2/24, lo0: 192.168.100.3
vlan 1: 10.10.1.2/24, vlan 2: 10.10.2.1/24
Topology notes:
R1 runs two routing protocols, OSPF and RIP, so route redistribution must be configured; it also terminates the VPN, with R2 as the peer, and runs PAT.
R2 runs OSPF and terminates the VPN, with R1 as the peer.
3L-1 runs RIP; f0/1 - f0/4 are trunks running VTP (server) and PVST (root for VLAN 1); VLAN 1 traffic goes over the f0/1 - f0/1 link.
3L-2 runs RIP; f0/1 - f0/4 are trunks running VTP (client) and PVST (root for VLAN 2); VLAN 2 traffic goes over the f0/2 - f0/2 link.
SW1 f0/0 - f0/1 are trunks running VTP (client); f0/10 - f0/15 belong to VLAN 1.
SW1 f0/0 - f0/1 are trunks running VTP (client); f0/10 - f0/15 belong to VLAN 2.
HSRP is configured on f0/5 of 3L-1 and 3L-2, with virtual IP 192.168.1.254.
PC1 belongs to VLAN 2, IP 10.10.2.2/24
PC2 belongs to VLAN 1, IP 10.10.1.2/24
PC3 belongs to no VLAN; its gateway is the HSRP virtual IP 192.168.1.254.
R1 show run
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$umYv$gzWXgvkDBL/BYOXFtqiuC/
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key wocao address 172.16.3.2
!
!
crypto ipsec transform-set wocao ah-md5-hmac esp-des
!
crypto map wocaomap 1 ipsec-isakmp
set peer 172.16.3.2
set transform-set wocao
match address 101
!
!
!
!
interface Loopback0
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
full-duplex
!
interface Ethernet0/2
ip address 172.16.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
full-duplex
!
interface Ethernet0/3
ip address 172.16.3.1 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map wocaomap
!
router ospf 99
log-adjacency-changes
redistribute rip metric 200 subnets
network 172.16.3.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 99 metric 10
passive-interface Ethernet0/3
network 172.16.0.0
network 192.168.100.0
default-metric 10
no auto-summary
!
ip http server
no ip http secure-server
ip route 172.16.4.0 255.255.255.0 172.16.3.2
!
!
ip nat pool aa 172.16.3.1 172.16.3.1 netmask 255.255.255.0
ip nat inside source list 1 pool aa overload
!
access-list 1 permit any
access-list 101 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
password 123
login
line aux 0
line vty 0 4
password 123
login
!
!
end
3L-1 show run
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3L-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$//zP$lPgMdVV.vfFHlAb7q79uI0
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree vlan 1 priority 8192
!
!
!
!
!
!
interface Loopback0
ip address 192.168.100.2 255.255.255.0
!
interface FastEthernet0/0
no switchport
ip address 172.16.1.2 255.255.255.0
duplex full
speed 10
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport mode trunk
spanning-tree vlan 2 cost 18
!
interface FastEthernet0/3
switchport mode trunk
!
interface FastEthernet0/4
switchport mode trunk
!
interface FastEthernet0/5
no switchport
ip address 192.168.10.1 255.255.255.0
no ip redirects
standby 10 ip 192.168.10.254
standby 10 priority 200
standby 10 preempt
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
ip address 10.10.1.1 255.255.255.0
!
interface Vlan2
ip address 10.10.2.2 255.255.255.0
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.10.0
network 192.168.100.0
no auto-summary
!
ip default-gateway 172.16.1.1
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
password 123
login
line aux 0
line vty 0 4
password 1234
login
!
!
end
3L-2 show run
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3L-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9tKe$1esJ.DvKlRLyVeEAYFvlz0
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree vlan 2 priority 4096
!
!
!
!
!
!
interface Loopback0
ip address 192.168.100.3 255.255.255.0
!
interface FastEthernet0/0
no switchport
ip address 172.16.2.2 255.255.255.0
duplex full
speed 10
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport mode trunk
!
interface FastEthernet0/3
switchport mode trunk
!
interface FastEthernet0/4
switchport mode trunk
!
interface FastEthernet0/5
no switchport
ip address 192.168.10.2 255.255.255.0
no ip redirects
standby 10 ip 192.168.10.254
standby 10 priority 150
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
ip address 10.10.1.2 255.255.255.0
!
interface Vlan2
ip address 10.10.2.1 255.255.255.0
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.10.0
network 192.168.100.0
no auto-summary
!
ip default-gateway 172.16.2.1
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
password 123
login
line aux 0
line vty 0 4
password 123
login
!
!
end
Selected configuration commands:
Route redistribution:
Redistribute RIP into the OSPF network
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#default-metric 10
R1(config-router)#network 172.16.1.0
R1(config-router)#network 172.16.2.0
R1(config-router)#network 192.168.100.0
R1(config-router)#passive-interface e0/3 (the interface in the OSPF area)
R1(config-router)#no auto-summary
R1(config-router)#exit
R1(config)#router ospf 99
R1(config-router)#network 172.16.3.0 0.0.0.255 area 0
R1(config-router)#redistribute rip subnets
R1(config-router)#exit
R1(config)#exit
Redistribute OSPF into the RIP network
r1(config)#router rip
r1(config-router)#redistribute ospf 99 metric 10
r1(config-router)#exit
r1(config)#router ospf 99
r1(config-router)#redistribute rip metric 200 subnets
r1(config-router)#exit
PAT configuration
R1(config)#access-list 1 permit any
R1(config)#ip nat pool aa 172.16.3.1 172.16.3.1 netmask 255.255.255.0
R1(config)#ip nat inside source list 1 pool aa overload
Enable NAT on the outside and inside interfaces
R1(config)#int e0/3
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#int e0/1
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int e0/2
R1(config-if)#ip nat inside
R1(config-if)#exit
HSRP configuration
3L-1(config)#int f0/5
3L-1(config-if)#no sw
3L-1(config-if)#ip add 192.168.10.1 255.255.255.0
3L-1(config-if)#no shut
3L-1(config-if)#standby 10 ip 192.168.10.254
3L-1(config-if)#no ip redirects
3L-1(config-if)#standby 10 priority 200
3L-1(config-if)#standby 10 preempt
3L-1(config-if)#exit
3L-1(config)#exit
3L-2(config)#int f0/5
3L-2(config-if)#no sw
3L-2(config-if)#ip add 192.168.10.2 255.255.255.0
3L-2(config-if)#no shut
3L-2(config-if)#standby 10 ip 192.168.10.254
3L-2(config-if)#no ip redirects
3L-2(config-if)#standby 10 priority 150
3L-2(config-if)#exit
PVST configuration
3L-1(config)#spanning-tree vlan 1 root primary
3L-1(config)#int f0/2
3L-1(config-if)#spanning-tree vlan 2 cost 18
3L-1(config-if)#exit
3L-1(config)#exit
3L-2(config)#spanning-tree vlan 2 priority 4096
VTP configuration:
3L-1#vlan database
3L-1(vlan)#vtp domain 51cto
3L-1(vlan)#vtp server
3L-1(vlan)#vtp pruning
3L-2#vlan database
3L-2(vlan)#vtp domain 51cto
3L-2(vlan)#vtp client
3L-2(vlan)#vtp pruning
3L-2(vlan)#exit
Layer 3 switch configuration (3L-1 as the example):
3L-1(config)#int vlan 1
3L-1(config-if)#ip add 10.10.1.1 255.255.255.0
3L-1(config-if)#no shut
3L-1(config-if)#exit
3L-1(config)#int vlan 2
3L-1(config-if)#ip add 10.10.2.2 255.255.255.0
3L-1(config-if)#no shut
3L-1(config-if)#exit
3L-1(config)#router rip
3L-1(config-router)#version 2
3L-1(config-router)#network 192.168.100.0
3L-1(config-router)#network 172.16.1.0
3L-1(config-router)#network 192.168.10.0
3L-1(config-router)#network 10.10.1.0
3L-1(config-router)#network 10.10.2.0
3L-1(config-router)#no auto-summary
3L-1(config-router)#exit
3L-1(config)#exit
VPN configuration
Configure IKE negotiation
A(config)#crypto isakmp enable
A(config)#crypto isakmp policy 1
A(config-isakmp)#hash md5
A(config-isakmp)#encryption des
A(config-isakmp)#authentication pre-share
A(config-isakmp)#exit
A(config)#crypto isakmp key wocao address 172.16.3.2
Configure the IPsec parameters
A(config)#access-list 101 permit ip any any
A(config)#crypto ipsec transform-set wocao ah-md5-hmac esp-des
Apply the crypto map to the interface
A(config)#crypto map wocaomap 1 ipsec-isakmp
A(config-crypto-map)#set peer 172.16.3.2
A(config-crypto-map)#set transform-set wocao
A(config-crypto-map)#match address 101
A(config-crypto-map)#exit
A(config)#int e0/3
A(config-if)#crypto map wocaomap
Lab results:
1. After configuring route redistribution, R2 and both Layer 3 switches learned each other's routes, but once PAT was configured the route redistribution on R1 stopped working. Question: is this related to the access list used by PAT?
2. The VPN has a problem; the log shows:
*Mar 1 01:58:27.959: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /224.0.0.5, src_addr= 172.16.3.2, prot= 89
*Mar 1 01:59:27.975: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
Is this related to access list 101?
Everything else works fine.
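The crypto ACL check behind the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message in question 2, as an added Python example (not code from the original post): IOS compares a cleartext packet arriving on a crypto-map interface against the mirror of the crypto ACL, and with `permit ip any any` the OSPF hellos R2 sends to 224.0.0.5 match and are dropped instead of being processed. The narrowed ACL's prefixes (172.16.1.0/24 and 172.16.2.0/24 towards 172.16.4.0/24) are an assumption chosen for illustration, not something the post states.

```python
import ipaddress

# ACL 101 exactly as it appears in R1's running-config on this page.
ACL_101_ORIGINAL = ["permit ip any any"]
# Assumed narrowed crypto ACL: only the LANs behind R1 towards the
# 172.16.4.0/24 network that R1 reaches via its static route to R2.
ACL_101_NARROWED = [
    "permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255",
    "permit ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255",
]
PROTO = {"ip": None, "ospf": 89, "tcp": 6, "udp": 17, "icmp": 1}

def _parse_addr(tokens):
    """Consume one IOS address spec from tokens: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # wildcard = inverted mask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_ace(line):
    tokens = line.split()
    action, proto, rest = tokens[0], PROTO[tokens[1]], tokens[2:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    return action, proto, src, dst

def acl_permits(acl, src, dst, proto):
    """First-match evaluation with the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, snet, dnet = parse_ace(line)
        if (p is None or p == proto) and s in snet and d in dnet:
            return action == "permit"
    return False

def inbound_cleartext_verdict(acl, src, dst, proto):
    """A cleartext packet received on the crypto-map interface is checked
    against the mirror of the crypto ACL (the local side is the destination).
    A match means IOS expected IPsec, so the packet is dropped and
    %CRYPTO-4-RECVD_PKT_NOT_IPSEC is logged; otherwise it is forwarded."""
    return "drop: expected IPsec" if acl_permits(acl, dst, src, proto) else "forward in clear"

if __name__ == "__main__":
    # Constructed packets: the OSPF hello from R2 quoted in the log above,
    # and a cleartext packet between a host behind R2 and a host behind R1.
    for src, dst, proto in [("172.16.3.2", "224.0.0.5", 89), ("172.16.4.10", "172.16.1.20", 6)]:
        for name, acl in [("original", ACL_101_ORIGINAL), ("narrowed", ACL_101_NARROWED)]:
            print(f"{name:9} {src:>12} -> {dst:<12} proto {proto:2}: "
                  f"{inbound_cleartext_verdict(acl, src, dst, proto)}")
```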