Advanced Network Integration Lab: Architecture Case Study
Lab topology:
1. SW1-3 and SW2-3 are the internal layer-3 (distribution) switches; they forward traffic between the internal subnets and from the internal network to the outside. SW3, SW4 and SW5 are the access-layer switches that connect end hosts. R3 is the router that connects the internal network to the outside and joins the areas. Together these form the internal network (OSPF area 0).
2. R4 is the router for internal area 1 and connects the area 1 network; R3 connects area 1 to the outside and to internal area 0.
3. R1 is the router of the remote internal network (area 2) that connects that site to the outside, and it terminates the site-to-site VPN to R3 and area 0.
4. R2 is the Internet router that connects all the internal sites.
5. Hardware: three Catalyst 2950-48 access switches, two Cisco 3550-48 layer-3 distribution switches, and four Cisco 2600XM routers.
Lab IP addressing:
1. On the SW1-3 layer-3 switch: Vlan2: 192.168.1.1/24
Vlan3: 192.168.4.1/24
Vlan4: 192.168.5.1/24
Vlan5: 192.168.6.1/24
2. On the SW2-3 layer-3 switch: Vlan2: 192.168.1.2/24
Vlan3: 192.168.4.2/24
Vlan4: 192.168.5.2/24
Vlan5: 192.168.6.2/24
3. HSRP virtual addresses: Vlan2: 192.168.1.254
Vlan3: 192.168.4.254
Vlan4: 192.168.5.254
Vlan5: 192.168.6.254
4. VPN tunnel addresses at the two ends: R3: 1.1.1.1/24
R1: 1.1.1.2/24
5. NAT uses port address translation (overload) on R3's S0/1.
Protocols used in the lab:
1. VTP: VLAN Trunking Protocol is a Cisco proprietary protocol supported by most Cisco switches. VTP synchronizes VLAN information within a VTP domain, so the same VLANs do not have to be configured by hand on every switch. (Caveat: any switch that joins the domain with the right domain name and password and a higher configuration revision number overwrites the VLAN database of every other switch, servers included, which is why the pre-configuration steps below delete vlan.dat.)
2. STP: Spanning Tree Protocol. It is used on networks that contain physical loops: its algorithm provides path redundancy while pruning the looped topology into a loop-free tree, so frames are neither duplicated nor forwarded around the loop forever.
3. OSPF: Open Shortest Path First is an Interior Gateway Protocol (IGP) used to compute routes within a single autonomous system (AS). Unlike RIP, which is a distance-vector protocol, OSPF is a link-state routing protocol. (Protocols that route between autonomous systems are Exterior Gateway Protocols, EGP.)
4. HSRP: Hot Standby Router Protocol is designed so that IP traffic fails over to another first-hop router without disruption, letting hosts keep a single default gateway even when the actual first-hop router fails. In other words, when hosts cannot discover first-hop routers dynamically, HSRP protects them from a first-hop failure. Several routers form one group that presents one virtual router; only one of them, the active router, forwards the packets that hosts send to the virtual router, and the virtual IP address is what hosts use as their default gateway. If the active router fails, HSRP promotes the standby router, which takes over all of the active router's duties without interrupting host connectivity. HSRP runs over UDP port 1985. Protocol packets are sourced from the routers' real IP addresses rather than the virtual address, which is how HSRP routers tell each other apart.
5. NAT: Network Address Translation is an IETF standard that lets an entire organization appear on the Internet behind one public IP address. As the name says, it translates internal private IP addresses into routable public addresses.
6. VPN: Virtual Private Network. It can be thought of as a virtual leased line for the enterprise: a VPN is a temporary, secure connection established across a public network (usually the Internet), a secure and stable tunnel through the untrusted public network.
Lab objectives:
1. Configure VTP and STP on the topology so the internal network is efficient and stable and the links are redundant.
2. Enable the OSPF link-state routing protocol in the different areas so the whole network is reachable.
3. Configure HSRP so users keep working when an edge device fails.
4. Configure NAT with port address translation (overload) on R3 so the specified internal networks can reach the outside.
5. Configure a site-to-site VPN on R1 and R3 so the two sites' internal networks can communicate securely.
6. The result is an efficient, stable, secure network with redundancy.
Lab steps in detail:
Pre-configuration (not needed on brand-new devices):
#clear line 1-8 (clear the listed lines, 8-line async cable)
#erase startup-config (erase the saved configuration)
#reload (restart the device)
#show flash: (look for an old VLAN database)
#delete flash:vlan.dat (delete the old VLAN database so its configuration revision cannot overwrite the new domain)
1. VTP configuration:
sw1-3(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw1-3(vlan)#vtp server
Device mode already VTP SERVER.
sw1-3(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw1-3(vlan)#vtp v2-mode
V2 mode enabled.
sw1-3(vlan)#vtp pruning
Pruning switched ON
sw2-3(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw2-3(vlan)#vtp server
Device mode already VTP SERVER.
(The original transcript typed `vtp domain server` here, which renamed sw2-3's domain from test to server; a switch in a different domain ignores the other domain's advertisements, so the domain name must match on every switch.)
sw2-3(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw2-3(vlan)#vtp v2-mode
V2 mode enabled.
sw2-3(vlan)#vtp pruning
Pruning switched ON
sw3(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw3(vlan)#vtp client
Setting device to VTP CLIENT mode.
sw3(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw4(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw4(vlan)#vtp client
Setting device to VTP CLIENT mode.
sw4(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw4(vlan)#exit
sw5(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw5(vlan)#vtp client
Setting device to VTP CLIENT mode.
sw5(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw1-3#show vtp status
VTP Version : 2
Configuration Revision : 5
Maximum VLANs supported locally : 256
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : test
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x2B 0xF6 0xD8 0xE3 0x28 0x13 0x8F 0xC4
Configuration last modified by 0.0.0.0 at 3-1-02 00:15:38
Local updater ID is 192.168.1.1 on interface Vl2 (lowest numbered VLAN interface found)
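The acceptance rule that makes the `delete flash:vlan.dat` pre-step matter (same domain, a digest that checks out against the local password, and a higher configuration revision) is easy to see in a small model. The following is an added example, not code from the lab: the `Switch` class, the `lab_scenario()` walk-through and the "old-sw" switch with a stale revision 20 are constructed here, and `vtp_digest()` is a stand-in MD5 over domain, password, revision and VLAN list rather than the real summary-advertisement format. It also shows why the `vtp domain server` typo above would have isolated sw2-3.

```python
"""Added example (not from the original lab): simplified model of how a VTP
switch decides whether to accept an advertised VLAN database."""
import hashlib
from dataclasses import dataclass, field


def vtp_digest(domain: str, password: str, revision: int, vlans: dict) -> str:
    """Stand-in for the VTP MD5 digest (assumption, not the on-wire format)."""
    body = "|".join([domain, password, str(revision)]
                    + [f"{vid}:{name}" for vid, name in sorted(vlans.items())])
    return hashlib.md5(body.encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict
    digest: str


@dataclass
class Switch:
    name: str
    domain: str
    password: str
    mode: str = "client"          # "server" / "client", as in `vtp server` / `vtp client`
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> None:
        """Only a server edits the database; every edit bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        self.vlans[vid] = name
        self.revision += 1

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             vtp_digest(self.domain, self.password,
                                        self.revision, self.vlans))

    def receive(self, adv: Advertisement) -> str:
        """Apply or ignore an advertisement; the string says why."""
        if adv.domain != self.domain:
            return "ignored: domain mismatch"
        if adv.digest != vtp_digest(adv.domain, self.password, adv.revision, adv.vlans):
            return "ignored: digest mismatch (wrong password)"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        # Servers AND clients overwrite their database here: a higher revision wins.
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return f"applied revision {adv.revision}"

    def erase_vlan_dat(self) -> None:
        """`delete flash:vlan.dat` + `reload`: revision back to 0, VLANs to default."""
        self.revision, self.vlans = 0, {1: "default"}


def lab_scenario() -> dict:
    """Domain `test`, password 111111 as in the lab, through three cases."""
    sw1 = Switch("sw1-3", "test", "111111", mode="server")
    sw3 = Switch("sw3", "test", "111111")                      # client
    for vid in (2, 3, 4, 5):
        sw1.add_vlan(vid, f"v{vid}")                            # revision -> 4
    out = {"client_sync": sw3.receive(sw1.advertise()),
           "client_vlans": sorted(sw3.vlans)}

    # Case 2 (constructed): a previously used switch with the same domain and
    # password but a stale revision 20 is trunked in WITHOUT clearing vlan.dat.
    stale = Switch("old-sw", "test", "111111", mode="server", revision=20,
                   vlans={1: "default", 99: "stale"})
    out["server_overwritten"] = sw1.receive(stale.advertise())
    out["sw1_vlans_after"] = sorted(sw1.vlans)                 # v2..v5 are gone

    # Case 3: after `delete flash:vlan.dat` + reload the same switch is harmless;
    # a wrong password or a wrong domain name is ignored outright.
    stale.erase_vlan_dat()
    out["after_erase"] = sw1.receive(stale.advertise())
    out["wrong_password"] = sw1.receive(
        Switch("x", "test", "badpass", mode="server", revision=99).advertise())
    out["wrong_domain"] = sw1.receive(
        Switch("y", "server", "111111", mode="server", revision=99).advertise())
    return out


if __name__ == "__main__":
    for key, value in lab_scenario().items():
        print(f"{key:20} {value}")
```

The password only keeps out switches that do not know it; a switch that does know it and carries a higher revision still wins, so the model's case 2 is the real-world "VTP bomb" and the only defence is resetting the revision (or using transparent mode) before connecting a reused switch.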
2. Trunk configuration (all trunks come up as 802.1Q with native VLAN 1, as the `show interfaces trunk` output below confirms; in production move the native VLAN to an unused VLAN ID and disable DTP on the trunk ports with `switchport nonegotiate`):
sw1-3(config)#in range f0/14 - 15
sw1-3(config-if-range)#switchport mode trunk
sw1-3(config-if-range)#no sh
sw1-3(config)#in range f0/1 - 3
sw1-3(config-if-range)#switchport mode trunk
sw1-3(config-if-range)#no sh
sw2-3(config)#in range f0/14 - 15
sw2-3(config-if-range)#switchport mode trunk
sw2-3(config-if-range)#no sh
sw2-3(config)#in range f0/1 - 3
sw2-3(config-if-range)#switchport mode trunk
sw2-3(config-if-range)#no sh
sw3(config)#in range f0/1 - 2
sw3(config-if-range)#switchport mode trunk
sw3(config-if-range)#no sh
sw4(config)#in range f0/1 - 2
sw4(config-if-range)#switchport mode trunk
sw4(config-if-range)#no sh
sw5(config)#in range f0/1 - 2
sw5(config-if-range)#switchport mode trunk
sw5(config-if-range)#no sh
sw1-3#show interfaces trunk (verification)
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/14 on 802.1q trunking 1
Fa0/15 on 802.1q trunking 1
3. VLAN configuration (on the VTP server only; the clients learn the VLANs through VTP):
sw1-3#vlan database
sw1-3(vlan)#vlan 2 name v2
VLAN 2 added:
Name: v2
sw1-3(vlan)#apply
APPLY completed.
sw1-3(vlan)#vlan 3 name v3
VLAN 3 added:
Name: v3
sw1-3(vlan)#apply
APPLY completed.
sw1-3(vlan)#vlan 4 name v4
VLAN 4 added:
Name: v4
sw1-3(vlan)#apply
APPLY completed.
sw1-3(vlan)#vlan 5 name v5
VLAN 5 added:
Name: v5
sw1-3(vlan)#apply
APPLY completed.
sw1-3#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
sw2-3#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
sw3#show vlan-switch (verify that the clients learned the VLANs)
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
sw4#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
sw5#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
4. Enable EtherChannel (bundle f0/14-15 between the two distribution switches; `mode on` forces the bundle without LACP/PAgP negotiation, so both ends must be configured identically):
sw1-3(config)#in range f0/14 - 15
sw1-3(config-if-range)#channel-group 1 mode on
sw1-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Port-channel1 unassigned YES unset up up
sw2-3(config)#in range f0/14 - 15
sw2-3(config-if-range)#channel-group 1 mode on
sw2-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Port-channel1 unassigned YES unset up up
5. STP configuration:
Make SW1-3 the root bridge for VLAN3 and VLAN5 and the secondary root for VLAN2 and VLAN4.
Make SW2-3 the root bridge for VLAN2 and VLAN4 and the secondary root for VLAN3 and VLAN5.
(Splitting the roots this way matches the HSRP active roles configured later, SW1-3 for VLAN3/5 and SW2-3 for VLAN2/4, so each VLAN's traffic reaches its gateway over its forwarding uplink instead of crossing the blocked one.)
sw1-3(config)#spanning-tree vlan 3 root primary
sw1-3(config)#spanning-tree vlan 5 root primary
sw1-3(config)#spanning-tree vlan 2 root secondary
sw1-3(config)#spanning-tree vlan 4 root secondary
sw2-3(config)#spanning-tree vlan 2 root primary
sw2-3(config)#spanning-tree vlan 4 root primary
sw2-3(config)#spanning-tree vlan 5 root secondary
sw2-3(config)#spanning-tree vlan 3 root secondary
6. Verify the STP configuration:
sw3#show spanning-tree brief
VLAN2
Port             Port ID  Prio  Cost  Sts  Designated cost  Designated bridge ID   Designated port ID
---------------  -------  ----  ----  ---  ---------------  ---------------------  ------------------
FastEthernet0/1  128.2    128   19    BLK  12               16384 cc00.0cd8.0001   128.2
FastEthernet0/2  128.3    128   19    FWD  0                8192 cc00.07c8.0001    128.2
VLAN3
Port             Port ID  Prio  Cost  Sts  Designated cost  Designated bridge ID   Designated port ID
---------------  -------  ----  ----  ---  ---------------  ---------------------  ------------------
FastEthernet0/1  128.2    128   19    FWD  0                8192 cc00.0cd8.0002    128.2
FastEthernet0/2  128.3    128   19    BLK  12               16384 cc00.07c8.0002   128.2
VLAN4
Port             Port ID  Prio  Cost  Sts  Designated cost  Designated bridge ID   Designated port ID
---------------  -------  ----  ----  ---  ---------------  ---------------------  ------------------
FastEthernet0/1  128.2    128   19    BLK  12               16384 cc00.0cd8.0003   128.2
FastEthernet0/2  128.3    128   19    FWD  0                8192 cc00.07c8.0003    128.2
VLAN5
Port             Port ID  Prio  Cost  Sts  Designated cost  Designated bridge ID   Designated port ID
---------------  -------  ----  ----  ---  ---------------  ---------------------  ------------------
FastEthernet0/1  128.2    128   19    FWD  0                8192 cc00.0cd8.0004    128.2
FastEthernet0/2  128.3    128   19    BLK  12               16384 cc00.07c8.0004   128.2
Reading the table: in VLAN2 sw3's Fa0/2 towards SW2-3 (bridge priority 8192, the root) forwards and Fa0/1 towards SW1-3 (16384, the secondary root) is blocked; in VLAN3 the roles are reversed. The designated cost 12 on each blocked port is the secondary root's own path cost to the root over the two-link Port-channel. On this IOS release `root primary` sets priority 8192 and `root secondary` 16384; newer releases use 24576 and 28672.
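The per-VLAN election and port roles in that table follow from two comparisons: the lowest (priority, MAC) bridge ID wins the root, and on every other segment the bridge with the lower root path cost is designated. This added example (not code from the lab) reproduces sw3's port states from the page's numbers; the bridge priorities and costs (8192/16384, FastEthernet 19, two-link Port-channel 12) are the ones shown above, while the base MAC addresses, sw3's default priority of 32768 and the exact uplink port pairing are assumptions.

```python
"""Added example (not from the original lab): per-VLAN spanning-tree election
and port states for sw3 in the topology above."""
import heapq

FE_COST, PO_COST = 19, 12     # 802.1D-1998 costs: 100 Mb/s link, 2 x 100 Mb/s bundle

# bridge -> (base MAC, {vlan: priority}); unlisted VLANs use the default 32768.
# MACs are assumed from the `show spanning-tree brief` output above.
BRIDGES = {
    "sw1-3": ("cc00.0cd8.0000", {2: 16384, 3: 8192, 4: 16384, 5: 8192}),
    "sw2-3": ("cc00.07c8.0000", {2: 8192, 3: 16384, 4: 8192, 5: 16384}),
    "sw3":   ("cc00.1000.0000", {}),
}
# (bridge, port, bridge, port, cost): the Port-channel between the distribution
# switches and sw3's two trunk uplinks (pairing assumed).
LINKS = [
    ("sw1-3", "Po1",   "sw2-3", "Po1",   PO_COST),
    ("sw3",   "Fa0/1", "sw1-3", "Fa0/1", FE_COST),
    ("sw3",   "Fa0/2", "sw2-3", "Fa0/1", FE_COST),
]


def bridge_id(name: str, vlan: int) -> tuple:
    """(priority, MAC): tuple order is exactly the STP comparison, lower wins."""
    mac, prios = BRIDGES[name]
    return (prios.get(vlan, 32768), mac)


def elect_root(vlan: int) -> str:
    return min(BRIDGES, key=lambda n: bridge_id(n, vlan))


def root_path_costs(root: str) -> dict:
    """Dijkstra from the root: each bridge's cost to reach it."""
    adj = {}
    for a, _, b, _, c in LINKS:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        for m, c in adj.get(n, []):
            if d + c < dist.get(m, float("inf")):
                dist[m] = d + c
                heapq.heappush(heap, (d + c, m))
    return dist


def port_states(switch: str, vlan: int) -> dict:
    """port -> (state, designated cost, designated bridge priority),
    the columns of `show spanning-tree brief`."""
    dist = root_path_costs(elect_root(vlan))
    ports = []
    for a, pa, b, pb, c in LINKS:
        if a == switch:
            ports.append((pa, b, c))
        elif b == switch:
            ports.append((pb, a, c))
    # Root port: lowest root path cost through it, then lowest neighbour bridge ID.
    root_port = min(ports, key=lambda p: (dist[p[1]] + p[2], bridge_id(p[1], vlan)))[0]
    states = {}
    for port, nbr, _cost in ports:
        if port == root_port:
            states[port] = ("FWD", dist[nbr], bridge_id(nbr, vlan)[0])
            continue
        # Designated bridge on this segment: lower (root path cost, bridge ID).
        mine, theirs = (dist[switch], bridge_id(switch, vlan)), (dist[nbr], bridge_id(nbr, vlan))
        if mine < theirs:
            states[port] = ("FWD", dist[switch], bridge_id(switch, vlan)[0])
        else:
            states[port] = ("BLK", dist[nbr], bridge_id(nbr, vlan)[0])
    return states


if __name__ == "__main__":
    for vlan in (2, 3, 4, 5):
        print(f"VLAN{vlan} root={elect_root(vlan)} sw3={port_states('sw3', vlan)}")
```

The same function answers the question a reviewer asks when a third switch is added: whichever bridge carries the lowest priority for a VLAN becomes its root, so an unmanaged or rogue switch with priority 0 would move every root and reshape the forwarding paths, which is what `spanning-tree guard root` on the access ports is for.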
7. Configure the routed uplink interfaces (towards R3):
sw1-3(config)#in f0/0
sw1-3(config-if)#no switchport (turn off layer-2 switching on the port so it can carry an IP address)
sw1-3(config-if)#ip add 192.168.10.2 255.255.255.252
sw1-3(config-if)#no sh
sw2-3(config)#in f0/0
sw2-3(config-if)#no switchport
sw2-3(config-if)#ip add 192.168.10.6 255.255.255.252
sw2-3(config-if)#no sh
8. Router IP addressing:
r3#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 192.168.10.9 YES manual up up
Serial0/1 202.0.0.1 YES manual up up
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
FastEthernet1/0 192.168.10.1 YES manual up up
FastEthernet2/0 192.168.10.5 YES manual up up
r4#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 192.168.10.10 YES manual up up
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Loopback0 6.6.6.6 YES manual up up
r2#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 201.0.0.1 YES manual up up
Serial0/1 202.0.0.2 YES manual up up
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
r1#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 201.0.0.1 YES manual up up
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Loopback0 7.7.7.7 YES manual up up
sw1-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Vlan2 192.168.1.1 YES manual up up
Vlan3 192.168.4.1 YES manual up up
Vlan4 192.168.5.1 YES manual up up
Vlan5 192.168.6.1 YES manual up up
sw1-3#
sw2-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Vlan2 192.168.1.2 YES manual up up
Vlan3 192.168.4.2 YES manual up up
Vlan4 192.168.5.2 YES manual up up
Vlan5 192.168.6.2 YES manual up up
9. OSPF configuration:
sw1-3(config)#ip routing (enable IP routing on the layer-3 switch)
sw1-3(config)#router ospf 100
sw1-3(config-router)#network 192.168.10.2 0.0.0.0 area 0
sw1-3(config-router)#network 192.168.1.1 0.0.0.0 area 0
sw1-3(config-router)#network 192.168.4.1 0.0.0.0 area 0
sw1-3(config-router)#network 192.168.5.1 0.0.0.0 area 0
sw1-3(config-router)#network 192.168.6.1 0.0.0.0 area 0
sw2-3(config)#router ospf 100
sw2-3(config-router)#network 192.168.10.6 0.0.0.0 area 0
sw2-3(config-router)#network 192.168.1.2 0.0.0.0 area 0
sw2-3(config-router)#network 192.168.4.2 0.0.0.0 area 0
sw2-3(config-router)#network 192.168.5.2 0.0.0.0 area 0
sw2-3(config-router)#network 192.168.6.2 0.0.0.0 area 0
sw1-3#show ip route (verification)
O 192.168.10.4/30 [110/2] via 192.168.6.2, 00:39:43, Vlan5
[110/2] via 192.168.5.2, 00:39:43, Vlan4
[110/2] via 192.168.4.2, 00:39:43, Vlan3
[110/2] via 192.168.1.2, 00:39:43, Vlan2
sw2-3#show ip route
O 192.168.10.0/30 [110/2] via 192.168.6.1, 00:00:35, Vlan5
[110/2] via 192.168.5.1, 00:00:35, Vlan4
[110/2] via 192.168.4.1, 00:00:35, Vlan3
[110/2] via 192.168.1.1, 00:00:35, Vlan2
r3(config)#router ospf 100
r3(config-router)#network 192.168.10.1 0.0.0.0 area 0
r3(config-router)#network 192.168.10.5 0.0.0.0 area 0
r3(config-router)#network 192.168.10.9 0.0.0.0 area 1
r3(config)#ip route 0.0.0.0 0.0.0.0 202.0.0.2 (static default route so that R3 can reach the outside)
r3(config)#router ospf 100
r3(config-router)#default-information originate (advertise the default route into OSPF so the internal routers behind R3 learn a way out; without this the static default stays local to R3)
r4(config)#router ospf 100
r4(config-router)#network 192.168.10.10 0.0.0.0 area 1
r4(config-router)#network 6.6.6.6 0.0.0.0 area 1
Verification (the effect of `default-information originate`):
r4#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:00:18, Serial0/0 (default route towards the outside)
sw1-3#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:00:28, FastEthernet0/0 (default route towards the outside)
sw2-3#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.5, 00:03:01, FastEthernet0/0 (default route towards the outside)
r1(config)#router ospf 100
r1(config-router)#network 7.7.7.7 0.0.0.0 area 2
r1(config)#ip route 0.0.0.0 0.0.0.0 201.0.0.2
r3#show ip route (verification)
6.0.0.0/32 is subnetted, 1 subnets
O 6.6.6.6 [110/65] via 192.168.10.10, 11:19:33, Serial0/0
O 192.168.4.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.5.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.6.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.1.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 202.0.0.2
r4#show ip route
192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
O IA 192.168.10.0/30 [110/65] via 192.168.10.9, 00:48:10, Serial0/0
O IA 192.168.10.4/30 [110/65] via 192.168.10.9, 13:45:10, Serial0/0
O 192.168.10.8/30 [110/128] via 192.168.10.9, 13:45:10, Serial0/0
7.0.0.0/32 is subnetted, 1 subnets
O IA 7.7.7.7 [110/11176] via 192.168.10.9, 11:22:27, Serial0/0
O IA 192.168.4.0/24 [110/66] via 192.168.10.9, 01:31:50, Serial0/0
O IA 192.168.5.0/24 [110/66] via 192.168.10.9, 01:31:40, Serial0/0
O IA 192.168.6.0/24 [110/66] via 192.168.10.9, 01:31:17, Serial0/0
O IA 192.168.1.0/24 [110/66] via 192.168.10.9, 01:32:05, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:00:18, Serial0/0
r2#show ip route
C 201.0.0.0/24 is directly connected, Serial0/0
C 202.0.0.0/24 is directly connected, Serial0/1
r1#show ip route
C 201.0.0.0/24 is directly connected, Serial0/0
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback0
S* 0.0.0.0/0 [1/0] via 201.0.0.2
sw1-3(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.1 150 (floating static default: administrative distance 150 is worse than OSPF's 110, so this entry stays out of the routing table while the OSPF default exists and takes over only if that route is lost; it keeps the default from flapping while OSPF reconverges. While everything is up it is not visible in the table.)
sw2-3(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.5 150 (floating static default, as above)
r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.9 150 (floating static default, as above)
10. HSRP configuration:
sw1-3(config)#in vlan 2
sw1-3(config-if)#no ip redirects (disable ICMP redirects on the interface)
sw1-3(config-if)#standby 50 ip 192.168.1.254 (join HSRP group 50 with this virtual IP)
sw1-3(config-if)#standby 50 priority 150 (priority 150)
sw1-3(config-if)#standby 50 preempt (take the active role whenever this switch has the highest priority)
sw1-3(config)#in vlan 3
sw1-3(config-if)#standby 47 ip 192.168.4.254 (join HSRP group 47)
sw1-3(config-if)#standby 47 priority 200 (priority 200)
sw1-3(config-if)#no ip redirects
sw1-3(config-if)#standby 47 preempt
sw1-3(config-if)#standby 47 track f0/0 100 (interface tracking: if the uplink f0/0 goes down, lower the priority by 100, to 100, below the peer's 150 so the peer preempts)
sw1-3(config)#in vlan 4
sw1-3(config-if)#standby 51 ip 192.168.5.254
sw1-3(config-if)#standby 51 priority 150
sw1-3(config-if)#standby 51 preempt
sw1-3(config-if)#no ip redirects
sw1-3(config)#in vlan 5
sw1-3(config-if)#no ip redirects
sw1-3(config-if)#standby 48 ip 192.168.6.254
sw1-3(config-if)#standby 48 priority 200
sw1-3(config-if)#standby 48 preempt
sw1-3(config-if)#standby 48 track f0/0 100
sw2-3(config)#in vlan 3
sw2-3(config-if)#standby 47 ip 192.168.4.254
sw2-3(config-if)#no ip redirects
sw2-3(config-if)#standby 47 priority 150
sw2-3(config-if)#standby 47 preempt
sw2-3(config)#in vlan 2
sw2-3(config-if)#no ip redirects
sw2-3(config-if)#standby 50 ip 192.168.1.254
sw2-3(config-if)#standby 50 priority 200
sw2-3(config-if)#standby 50 preempt
sw2-3(config-if)#standby 50 track f0/0 100
sw2-3(config)#in vlan 4
sw2-3(config-if)#no ip redirects
sw2-3(config-if)#standby 51 ip 192.168.5.254
sw2-3(config-if)#standby 51 priority 200
sw2-3(config-if)#standby 51 preempt
sw2-3(config-if)#standby 51 track f0/0 100
sw2-3(config)#in vlan 5
sw2-3(config-if)#no ip redirects
sw2-3(config-if)#standby 48 ip 192.168.6.254
sw2-3(config-if)#standby 48 priority 150
sw2-3(config-if)#standby 48 preempt
Note: the groups above carry no authentication, so any host on the VLAN can send HSRP hellos with a higher priority and take over the virtual gateway address; in production add `standby <group> authentication md5 key-string <key>` on both switches for every group.
sw1-3#debug standby (check the result, method 1)
sw1-3#show standby brief (check the result, method 2)
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 200 P Active local 192.168.4.2 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 200 P Active local 192.168.6.2 192.168.6.254
sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Standby 192.168.4.1 local 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Standby 192.168.6.1 local 192.168.6.254
sw1-3(config)#in f0/0
sw1-3(config-if)#shutdown (take the tracked interface down to test the active/standby switchover)
sw1-3(config-if)#do show standby brief
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 100 P Standby 192.168.4.2 local 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 100 P Standby 192.168.6.2 local 192.168.6.254
sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Active local 192.168.4.1 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Active local 192.168.6.1 192.168.6.254
sw1-3(config)#in f0/0
sw1-3(config-if)#no shutdown (bring the tracked interface back up)
sw1-3#show standby brief (check the result: with preempt, sw1-3 takes VLAN3 and VLAN5 back)
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 200 P Active local 192.168.4.2 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 200 P Active local 192.168.6.2 192.168.6.254
sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Standby 192.168.4.1 local 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Standby 192.168.6.1 local 192.168.6.254
Test successful.
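The switchover shown in the four `show standby brief` tables is a deterministic function of priority, tracking decrement and preempt, so it can be checked offline before touching the switches. The following is an added example, not code from the lab: group names, addresses, priorities and tracked interfaces are the lab's; the `Member` class, the `elect()` rule (highest effective priority, ties to the highest IP, incumbent kept unless the better router has preempt) and the `scenarios()` driver are written here, and the "rogue" speaker in the last scenario is a constructed attacker that illustrates the missing-authentication note above.

```python
"""Added example (not from the original lab): HSRP election model reproducing
the `show standby brief` states above, plus one constructed hijack scenario."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Member:
    router: str
    ip: str
    priority: int
    preempt: bool = True
    tracks: dict = field(default_factory=dict)   # tracked interface -> decrement


def effective_priority(m: Member, links_down: set) -> int:
    """Configured priority minus the decrement of every tracked interface that is down."""
    down = sum(dec for intf, dec in m.tracks.items() if (m.router, intf) in links_down)
    return max(m.priority - down, 0)


def elect(members: list, current_active: Optional[str], links_down: set) -> tuple:
    """(active, standby): highest effective priority wins, ties go to the highest IP;
    an incumbent keeps the active role unless the better router has preempt."""
    ranked = sorted(members,
                    key=lambda m: (effective_priority(m, links_down),
                                   tuple(int(o) for o in m.ip.split("."))),
                    reverse=True)
    best = ranked[0]
    if current_active and best.router != current_active and not best.preempt:
        standby = next(m for m in ranked if m.router != current_active)
        return current_active, standby.router
    return best.router, ranked[1].router


def lab_groups() -> dict:
    """Group -> members, exactly as configured on sw1-3 and sw2-3 above."""
    t = {"f0/0": 100}
    return {
        "Vl2/50": [Member("sw1-3", "192.168.1.1", 150),
                   Member("sw2-3", "192.168.1.2", 200, tracks=t)],
        "Vl3/47": [Member("sw1-3", "192.168.4.1", 200, tracks=t),
                   Member("sw2-3", "192.168.4.2", 150)],
        "Vl4/51": [Member("sw1-3", "192.168.5.1", 150),
                   Member("sw2-3", "192.168.5.2", 200, tracks=t)],
        "Vl5/48": [Member("sw1-3", "192.168.6.1", 200, tracks=t),
                   Member("sw2-3", "192.168.6.2", 150)],
    }


def show_standby(groups: dict, links_down: set = frozenset(),
                 current: Optional[dict] = None) -> dict:
    """Group -> (active, standby); `current` carries the previous active routers."""
    current = current or {}
    return {g: elect(ms, current.get(g), links_down) for g, ms in groups.items()}


def actives(table: dict) -> dict:
    return {g: a for g, (a, _) in table.items()}


def scenarios() -> dict:
    groups = lab_groups()
    steady = show_standby(groups)
    # `sw1-3(config-if)#shutdown` on f0/0: sw1-3 drops from 200 to 100 in groups 47
    # and 48, below sw2-3's 150, and sw2-3 preempts.  Groups 50 and 51 track
    # sw2-3's own f0/0, which is still up, so they do not change.
    failed = show_standby(groups, {("sw1-3", "f0/0")}, current=actives(steady))
    # `no shutdown`: the decrement is removed and sw1-3 preempts its groups back.
    restored = show_standby(groups, set(), current=actives(failed))
    # Constructed rogue host on VLAN 2 speaking HSRP with priority 255 and preempt:
    # without group authentication nothing stops it from becoming the gateway.
    rogue = lab_groups()
    rogue["Vl2/50"].append(Member("rogue", "192.168.1.200", 255))
    hijacked = show_standby(rogue, set(), current=actives(steady))
    return {"steady": steady, "failed": failed, "restored": restored,
            "hijacked": hijacked["Vl2/50"]}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:9} {result}")
```

The decrement of 100 is chosen so that 200 minus 100 lands below the peer's 150; a decrement of 40 would leave sw1-3 at 160, still above 150, and the uplink failure would black-hole VLAN3 and VLAN5 traffic at a gateway with no route out.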
12. NAT configuration (port address translation):
Note: access-list 1 below covers only 192.168.0.0/16; R4's loopback 6.6.6.6 is routed by OSPF but is not in the list, so packets it sources towards the Internet leave S0/1 untranslated. Extend the list if area 1 hosts outside that range need Internet access.
Method 1 (route-map):
r3(config)#access-list 1 permit 192.168.0.0 0.0.255.255 (define the interesting traffic: anything sourced from 192.168.0.0/16)
r3(config)#route-map fornat permit 10 (build a route-map, sequence 10)
r3(config-route-map)#match ip address 1 (match the traffic selected by access-list 1)
r3(config)#ip nat inside source route-map fornat interface s0/1 overload (translate to the S0/1 address with port overloading)
Method 2 (access-list directly):
r3(config)#access-list 1 permit 192.168.0.0 0.0.255.255
r3(config)#ip nat inside source list 1 interface s0/1 overload
r3(config)#in s0/1
r3(config-if)#ip nat outside
r3(config)#in s0/0
r3(config-if)#ip nat inside
r3(config)#in f1/0
r3(config-if)#ip nat inside
r3(config)#in f2/0
r3(config-if)#ip nat inside
sw2-3#ping 201.0.0.1 source 192.168.1.2 (test the NAT configuration)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/193/292 ms
r3#show ip nat translations (inspect the NAT table)
Pro Inside global Inside local Outside local Outside global
icmp 202.0.0.1:4 192.168.1.2:4 201.0.0.1:4 201.0.0.1:4
sw1-3#ping 201.0.0.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/200/312 ms
r3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.0.0.1:19 192.168.1.1:19 201.0.0.1:19 201.0.0.1:19
r4#ping 201.0.0.1 source 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/208/284 ms
r3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.0.0.1:17 192.168.10.10:17 201.0.0.1:17 201.0.0.1:17
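Each `show ip nat translations` row above is the product of two decisions on r3: does the source address match access-list 1, and which global port does overload assign. This added example (not code from the lab) models both for the lab's rule, overload onto S0/1's 202.0.0.1 for `permit 192.168.0.0 0.0.255.255`; the `PatRouter` class and its "keep the source port if free, else the next free port" allocator are written here and simplify the real IOS allocator, and the three sample packets are constructed.

```python
"""Added example (not from the original lab): wildcard-mask ACL matching and a
simplified PAT (overload) table for r3's `ip nat inside source list 1
interface s0/1 overload`."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard test: a 1 bit in the wildcard means "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside: str          # outside local == outside global here (no outside translation)

    def row(self) -> str:
        """One entry in the `show ip nat translations` layout."""
        return (f"{self.proto:5}{self.inside_global:18}{self.inside_local:18}"
                f"{self.outside:18}{self.outside}")


class PatRouter:
    def __init__(self, global_ip: str, acl: list):
        self.global_ip = global_ip          # address of the `ip nat outside` interface
        self.acl = acl                      # [(network, wildcard), ...] permit entries
        self.table: dict = {}               # (proto, global port) -> Translation

    def permitted(self, src: str) -> bool:
        return any(wildcard_match(src, net, wc) for net, wc in self.acl)

    def translate(self, proto: str, src: str, sport: int,
                  dst: str, dport: int) -> Optional[Translation]:
        """Translation for an inside->outside packet, or None when the source is
        not matched by the list (the packet is then forwarded unchanged)."""
        if not self.permitted(src):
            return None
        local = f"{src}:{sport}"
        gport = sport                        # overload keeps the port when it is free...
        while (proto, gport) in self.table and self.table[(proto, gport)].inside_local != local:
            gport += 1                       # ...otherwise the next free port is taken
        entry = Translation(proto, f"{self.global_ip}:{gport}", local, f"{dst}:{dport}")
        self.table[(proto, gport)] = entry
        return entry


def lab_router() -> PatRouter:
    """r3 as configured above: overload onto S0/1 (202.0.0.1) for 192.168.0.0/16."""
    return PatRouter("202.0.0.1", [("192.168.0.0", "0.0.255.255")])


if __name__ == "__main__":
    r3 = lab_router()
    print("Pro  Inside global     Inside local      Outside local     Outside global")
    for src in ("192.168.1.2", "192.168.10.10", "6.6.6.6"):   # constructed sample packets
        t = r3.translate("icmp", src, 4, "201.0.0.1", 4)
        print(t.row() if t else f"{src}: not in access-list 1, forwarded untranslated")
```

For ICMP the "port" is the echo identifier, which is why the lab's rows show `:4`, `:19` and `:17`; the model keeps that identifier when it is free and moves to the next one when two inside hosts collide on it.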
13. Site-to-site VPN configuration:
r3(config)#crypto isakmp enable (enable IKE)
r3(config)#crypto isakmp policy 10 (create IKE policy number 10)
r3(config-isakmp)#hash md5 (hash algorithm for IKE: MD5)
r3(config-isakmp)#authentication pre-share (authenticate the peers with a pre-shared key)
r3(config-isakmp)#encryption des (IKE encryption algorithm: DES)
r3(config)#crypto isakmp key 0 qqq111,,, address 201.0.0.1 (the pre-shared key and the peer's IP address; `0` means the key is entered, and stored in the configuration, in plaintext)
r3(config)#crypto ipsec transform-set for*** esp-des esp-md5-hmac (transform set named "for***": ESP with DES encryption and HMAC-MD5 integrity. This is ESP only, AH is not used; AH can authenticate but not encrypt, while ESP does both, so an ESP cipher plus ESP HMAC pair like this one is the usual choice.)
r3(cfg-crypto-trans)#exit
r3(config)#crypto ipsec profile site2site (IPsec profile that the tunnel interface will reference)
r3(ipsec-profile)#set transform-set for*** (bind the transform set to the profile)
r3(ipsec-profile)#exit
r3(config)#in tunnel 0 (create tunnel interface 0)
r3(config-if)#ip add 1.1.1.1 255.255.255.0 (tunnel IP address)
r3(config-if)#tunnel source s0/1 (tunnel source interface)
r3(config-if)#tunnel destination 201.0.0.1 (tunnel destination: R1's public address)
r3(config-if)#tunnel protection ipsec profile site2site (protect this GRE tunnel with the "site2site" profile)
r3(config-if)#no sh
r3(config)#router ospf 100 (advertise the tunnel address into OSPF)
r3(config-router)# network 1.1.1.1 0.0.0.0 area 2
r3#show ip in br
Tunnel0 1.1.1.1 YES manual up up
Caveat: single DES (56-bit), MD5 and the IKE policy's default Diffie-Hellman group 1 (768-bit, used because the policy sets no `group`) are weak or deprecated and are kept here only because the lab uses them; a production tunnel should use AES (`encryption aes 256`, `esp-aes 256`), SHA-2 (`hash sha256`, `esp-sha256-hmac`), `group 14` or higher, and a long random pre-shared key or certificates.
r1(config)#crypto isakmp enable
r1(config)#crypto isakmp policy 10
r1(config-isakmp)#hash md5
r1(config-isakmp)#authentication pre-share
r1(config-isakmp)#encryption des
r1(config)#crypto isakmp key 0 qqq111,,, address 202.0.0.1
r1(config)#crypto ipsec transform-set for*** esp-des esp-md5-hmac
r1(cfg-crypto-trans)#exit
r1(config)#crypto ipsec profile site2site
r1(ipsec-profile)#set transform-set for***
r1(ipsec-profile)#exit
r1(config)#in tunnel 0
r1(config-if)#ip add 1.1.1.2 255.255.255.0
r1(config-if)#tunnel source s0/0
r1(config-if)#tunnel destination 202.0.0.1
r1(config-if)#tunnel protection ipsec profile site2site
r1(config-if)#no sh
r1(config)#router ospf 100
r1(config-router)#network 1.1.1.2 0.0.0.0 area 2
r1(config-router)#exit
r1#show ip route (routes learned over the tunnel)
O IA 192.168.10.0/30 [110/11112] via 1.1.1.1, 00:00:11, Tunnel0 (routes learned through the tunnel)
O IA 192.168.10.0/24 [110/11239] via 1.1.1.1, 00:00:11, Tunnel0
O IA 192.168.10.4/30 [110/11112] via 1.1.1.1, 00:00:11, Tunnel0
O IA 192.168.10.8/30 [110/11175] via 1.1.1.1, 00:00:11, Tunnel0
6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/11176] via 1.1.1.1, 00:00:11, Tunnel0
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback0
O IA 192.168.4.0/24 [110/11113] via 1.1.1.1, 01:43:30, Tunnel0
O IA 192.168.5.0/24 [110/11113] via 1.1.1.1, 01:43:21, Tunnel0
O IA 192.168.6.0/24 [110/11113] via 1.1.1.1, 01:42:58, Tunnel0
O IA 192.168.1.0/24 [110/11113] via 1.1.1.1, 01:43:46, Tunnel0
S* 0.0.0.0/0 [1/0] via 201.0.0.2
r1#show crypto engine connections active (show the active SAs and their packet counters)
ID Interface IP-Address State Algorithm Encrypt Decryp
1 Tunnel0 1.1.1.2 set HMAC_MD5+DES_56_CB 0 0
2001 Tunnel0 201.0.0.1 set DES+MD5 0 46
2002 Tunnel0 201.0.0.1 set DES+MD5 42 0
The non-zero encrypt and decrypt counters on the IPsec SAs show the VPN is working.
r3#show ip route
7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/11112] via 1.1.1.2, 06:24:09, Tunnel0
sw1-3#ping 7.7.7.7 source 192.168.1.1 (test whether the VPN works end to end)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/402/584 ms
r4#ping 7.7.7.7 source 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/340/448 ms
r3#show ip nat translations (check the NAT table)
r3#
Note: the VPN works and the NAT table stays empty because the pings to 7.7.7.7 went through the tunnel, not through NAT. Tunnel0 is not an `ip nat outside` interface, so packets routed into it are never translated; the GRE/ESP packets that leave S0/1 are generated by R3 itself with source 202.0.0.1.
sw1-3#ping 201.0.0.1 source 192.168.1.1 (test Internet access from the inside after the VPN is configured)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/276/400 ms
r3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.0.0.1:21 192.168.1.1:21 201.0.0.1:21 201.0.0.1:21
Note: the test shows that once the VPN is configured, the VPN and NAT do not interfere with each other: traffic between the two sites goes through the secure tunnel, while traffic from the internal network to the Internet is translated by NAT, giving a secure and efficient design.
Another property of this VPN design: because OSPF runs across the tunnel, when either site adds a new subnet it only has to advertise it and the other side learns the route almost immediately, so every subnet at both sites stays reachable. For example, after the VPN was configured a new subnet was added behind R1, and it is made reachable from the other site's internal network as follows:
r1(config)#in lo1 (configure the new network)
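The crypto parameters in step 13 are the part of this design a security reviewer would send back, and the review is mechanical enough to script. The following is an added example, not code from the lab: it parses the `crypto isakmp policy`, `crypto isakmp key` and `crypto ipsec transform-set` lines as typed on r3 above (copied into `R3_CONFIG` as a constructed sample), fills in the classic-IOS policy defaults for anything the policy leaves unset (`group 1`, `hash sha`, `lifetime 86400`), and flags DES/3DES, MD5, DH groups 1 and 2 and a plaintext `key 0`. The replacement values in the findings are this example's suggestions, not something the page configures.

```python
"""Added example (not from the original lab): a small linter for the IKE/IPsec
lines in step 13, with classic-IOS defaults applied to unset policy fields."""
import re

WEAK_ENCRYPTION = {"des": "56-bit DES", "3des": "3DES, 64-bit block, deprecated"}
WEAK_HASH = {"md5": "MD5"}
WEAK_GROUP = {"1": "768-bit MODP", "2": "1024-bit MODP"}
# Classic IOS defaults for an isakmp policy that sets nothing explicitly.
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                   "authentication": "rsa-sig", "lifetime": "86400"}


def parse_crypto(config: str) -> dict:
    """Collect isakmp policies, pre-shared keys and transform sets from IOS lines
    (with or without the `r3(config)#` prompts)."""
    policies, keys, tsets, current = {}, [], {}, None
    for raw in config.splitlines():
        line = re.sub(r"^\S*\(.*?\)#", "", raw).strip()       # drop "r3(config)#"
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            current = policies.setdefault(m.group(1), dict(POLICY_DEFAULTS))
        elif m := re.match(r"(encryption|hash|group|authentication|lifetime) (\S+)", line):
            if current is not None:
                current[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto isakmp key (\d) (\S+) address (\S+)", line):
            keys.append({"type": m.group(1), "peer": m.group(3)})
            current = None
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m.group(1)] = m.group(2).split()
            current = None
        elif line.startswith(("crypto", "interface")):
            current = None                                      # left policy mode
    return {"policies": policies, "keys": keys, "transform_sets": tsets}


def lint(parsed: dict) -> list:
    """Human-readable findings; empty list means nothing flagged."""
    findings = []
    for num, p in parsed["policies"].items():
        if p["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"policy {num}: encryption {p['encryption']} "
                            f"({WEAK_ENCRYPTION[p['encryption']]}); use aes 256")
        if p["hash"] in WEAK_HASH:
            findings.append(f"policy {num}: hash {p['hash']}; use sha256")
        if p["group"] in WEAK_GROUP:
            findings.append(f"policy {num}: group {p['group']} ({WEAK_GROUP[p['group']]}, "
                            "the default when unset); use group 14 or higher")
    for k in parsed["keys"]:
        if k["type"] == "0":
            findings.append(f"pre-shared key for {k['peer']}: entered with `key 0`, stored "
                            "in the clear; use a long random key and type-6 encryption")
    for name, transforms in parsed["transform_sets"].items():
        for t in transforms:
            parts = t.split("-")
            if "des" in parts or "3des" in parts:
                findings.append(f"transform-set {name}: {t}; use esp-aes 256")
            if "md5" in parts:
                findings.append(f"transform-set {name}: {t}; use esp-sha256-hmac")
    return findings


# Constructed sample: the r3 lines from step 13, annotations removed.
R3_CONFIG = """
r3(config)#crypto isakmp enable
r3(config)#crypto isakmp policy 10
r3(config-isakmp)#hash md5
r3(config-isakmp)#authentication pre-share
r3(config-isakmp)#encryption des
r3(config)#crypto isakmp key 0 qqq111,,, address 201.0.0.1
r3(config)#crypto ipsec transform-set for*** esp-des esp-md5-hmac
r3(config)#crypto ipsec profile site2site
r3(ipsec-profile)#set transform-set for***
"""

if __name__ == "__main__":
    for finding in lint(parse_crypto(R3_CONFIG)):
        print("-", finding)
```

The group finding is the one most often missed by eye: nothing in step 13 mentions Diffie-Hellman at all, and that silence is exactly what selects group 1.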
r1(config-if)#ip add 2.2.2.2 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#router ospf 100 (advertise it)
r1(config-router)#network 2.2.2.2 0.0.0.0 area 2
sw1-3#show ip route (check)
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/11113] via 192.168.10.1, 06:56:05, FastEthernet0/0
sw1-3#ping 2.2.2.2 source 192.168.1.1 (test)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!! (success)
Success rate is 100 percent (5/5), round-trip min/avg/max = 332/388/496 ms