Network topology diagram
1. Ensuring full-network connectivity
1.1 Directly connected link (192.168.1.1 -> 192.168.1.2)
RT1 configuration:
Assign IP addresses to the router interfaces:
[RT1]int G0/0/1
[RT1-GigabitEthernet0/0/1]ip add 192.168.1.1 24
[RT1-GigabitEthernet0/0/1]int G0/0/2
[RT1-GigabitEthernet0/0/2]ip add 192.168.3.1 24
SW1 configuration:
Assign IP addresses to the switch (on a switch the address lives on a VLAN interface, so create the VLANs first, then configure the address inside the VLAN interface).
Create the VLANs:
[SW1]vlan 1000
[SW1-vlan1000]vlan 1001
[SW1-vlan1001]vlan 10
[SW1-vlan10]vlan 20
[SW1-vlan20]vlan 30
Enter each VLAN interface and assign its IP address:
Vlan1000:
[SW1]int vlan 1000
[SW1-Vlan-interface1000]ip add 192.168.1.2 24
Vlan1001:
[SW1]int vlan 1001
[SW1-Vlan-interface1001]ip add 192.168.2.1 24
Assign the port to the VLAN:
[SW1]int E0/4/0
[SW1-Ethernet0/4/0]port access vlan 1000
Test result:
[SW1-Ethernet0/4/0]ping -a 192.168.1.2 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=44 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=5 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=15 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/19/44 ms
1.2 Directly connected link (192.168.3.1 -> 192.168.3.2)
SW2 configuration:
Create the VLANs:
[SW2]vlan 1000
[SW2-vlan1000]vlan 1001
[SW2-vlan1001]vlan 10
[SW2-vlan10]vlan 20
[SW2-vlan20]vlan 30
Enter each VLAN interface and assign its IP address:
Vlan1000:
[SW2-vlan30]int vlan 1000
[SW2-Vlan-interface1000]ip add 192.168.3.2 24
Vlan1001:
[SW2-Vlan-interface1000]int vlan 1001
[SW2-Vlan-interface1001]ip add 192.168.2.2 24
Assign the port to the VLAN:
[SW2-Ethernet0/4/0]port access vlan 1000
Test result:
[SW2-Ethernet0/4/0]ping -a 192.168.3.2 192.168.3.1
PING 192.168.3.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.3.1: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 192.168.3.1: bytes=56 Sequence=2 ttl=255 time=24 ms
Reply from 192.168.3.1: bytes=56 Sequence=3 ttl=255 time=30 ms
Reply from 192.168.3.1: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 192.168.3.1: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/25/50 ms
1.3 Link aggregation (192.168.2.1 -> 192.168.2.2)
SW1 configuration:
[SW1]int Bridge-Aggregation 1
[SW1]int E0/4/2
[SW1-Ethernet0/4/2]port link-aggregation group 1
[SW1-Ethernet0/4/2]int e0/4/1
[SW1-Ethernet0/4/1]port link-aggregation group 1
[SW1]int Bridge-Aggregation 1
[SW1-Bridge-Aggregation1]port link-type trunk
[SW1-Bridge-Aggregation1]port trunk permit vlan 1001
SW2 configuration:
[SW2]interface Bridge-Aggregation 1
[SW2]int E0/4/1
[SW2-Ethernet0/4/1]port link-aggregation group 1
[SW2-Ethernet0/4/1]int E0/4/2
[SW2-Ethernet0/4/2]port link-aggregation group 1
[SW2]int Bridge-Aggregation 1
[SW2-Bridge-Aggregation1]port link-type trunk
[SW2-Bridge-Aggregation1]port trunk permit vlan 1001
Test result:
[SW1-Bridge-Aggregation1]ping -a 192.168.2.1 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=255 time=340 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=255 time=174 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=255 time=174 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=255 time=154 ms
Request time out
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 154/210/340 ms
1.4 Assign VLAN 10, VLAN 20 and VLAN 30 to their ports:
SW1 configuration:
[SW1]int vlan 10
[SW1-Vlan-interface10]ip add 10.0.0.1 24
[SW1-Vlan-interface20]int vlan 30
[SW1-Vlan-interface30]ip add 30.0.0.1 24
[SW1-Vlan-interface30]int E0/4/3
[SW1-Ethernet0/4/3]port access vlan 30
[SW1-Ethernet0/4/3]int E0/4/4
[SW1-Ethernet0/4/4]port access vlan 10
SW2 configuration:
[SW2]int vlan 20
[SW2-Vlan-interface20]ip add 20.0.0.1 24
[SW2-Vlan-interface20]int E0/4/3
[SW2-Ethernet0/4/3]port access vlan 20
1.5 Configure OSPF:
SW1:
[SW1]ospf 1
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 30.0.0.0 0.0.0.255
View the configuration:
[SW1-ospf-1-area-0.0.0.0]dis th
#
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 10.0.0.0 0.0.0.255
  network 30.0.0.0 0.0.0.255
#
[SW1-ospf-1-area-0.0.0.0]dis ospf peer
         OSPF Process 1 with Router ID 192.168.2.1
                  Neighbor Brief Information
 Area: 0.0.0.0
 Router ID       Address         Pri  Dead-Time  Interface   State
 192.168.3.1     192.168.1.1     1    28         Vlan1000    Full/DR
 192.168.3.2     192.168.2.2     1    36         Vlan1001    Full/BDR
SW2:
[SW2]ospf 1
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
View the configuration:
[SW2-ospf-1-area-0.0.0.0]dis th
#
 area 0.0.0.0
  network 192.168.3.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 20.0.0.0 0.0.0.255
#
[SW2-ospf-1-area-0.0.0.0]dis ospf peer
         OSPF Process 1 with Router ID 192.168.3.2
                  Neighbor Brief Information
 Area: 0.0.0.0
 Router ID       Address         Pri  Dead-Time  Interface   State
 192.168.3.1     192.168.3.1     1    36         Vlan1000    Full/DR
 192.168.2.1     192.168.2.1     1    30         Vlan1001    Full/DR
[SW2-ospf-1-area-0.0.0.0]dis ip routing-table
Routing Tables: Public
        Destinations : 7        Routes : 8

Destination/Mask    Proto  Pre  Cost         NextHop         Interface
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
192.168.1.0/24      OSPF   10   2            192.168.3.1     Vlan1000
                    OSPF   10   2            192.168.2.1     Vlan1001
192.168.2.0/24      Direct 0    0            192.168.2.2     Vlan1001
192.168.2.2/32      Direct 0    0            127.0.0.1       InLoop0
192.168.3.0/24      Direct 0    0            192.168.3.2     Vlan1000
192.168.3.2/32      Direct 0    0            127.0.0.1       InLoop0
Test result:
[SW2-Ethernet0/4/3]ping -a 20.0.0.1 30.0.0.1
PING 30.0.0.1: 56 data bytes, press CTRL_C to break
Reply from 30.0.0.1: bytes=56 Sequence=1 ttl=255 time=130 ms
Reply from 30.0.0.1: bytes=56 Sequence=2 ttl=255 time=155 ms
Reply from 30.0.0.1: bytes=56 Sequence=3 ttl=255 time=164 ms
Reply from 30.0.0.1: bytes=56 Sequence=4 ttl=255 time=185 ms
Reply from 30.0.0.1: bytes=56 Sequence=5 ttl=255 time=164 ms
--- 30.0.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 130/159/185 ms
RT1:
[RT1]ospf 1
[RT1-ospf-1]area 0
[RT1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[RT1-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
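An OSPF network statement enables OSPF on every interface whose address is covered by the address/wildcard pair, and the interfaces RT1 leaves out (14.0.0.0/24 and 12.0.0.0/24) are exactly the ones that force the static routes later in sections 2.2 and 4. The Python below is an added example, not part of the original lab: it applies the page's statements to the page's interface addresses, lists the connected prefixes that will not be advertised, and reproduces the router IDs shown in `dis ospf peer` (192.168.2.1 for SW1, 192.168.3.1 for RT1) under the selection rule assumed here (highest loopback address, otherwise highest interface address).

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed from the page: interface addresses and OSPF "network" statements of
# SW1 and RT1. A network statement is an address plus a wildcard mask; a 1 bit in
# the wildcard means "ignore this bit", so 0.0.0.255 covers a whole /24.
SW1_INTERFACES = {
    "Vlan1000": "192.168.1.2",
    "Vlan1001": "192.168.2.1",
    "Vlan10": "10.0.0.1",
    "Vlan30": "30.0.0.1",
}
SW1_NETWORKS = [
    ("192.168.1.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.0.255"),
    ("10.0.0.0", "0.0.0.255"),
    ("30.0.0.0", "0.0.0.255"),
]
RT1_INTERFACES = {
    "GigabitEthernet0/0/0": "14.0.0.1",      # external side (section 2.1)
    "GigabitEthernet0/0/1": "192.168.1.1",
    "GigabitEthernet0/0/2": "192.168.3.1",
    "GigabitEthernet0/0/3": "12.0.0.1",      # public side (section 3)
}
RT1_NETWORKS = [
    ("192.168.1.0", "0.0.0.255"),
    ("192.168.3.0", "0.0.0.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard does not ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def ospf_enabled_interfaces(interfaces: Dict[str, str],
                            networks: Iterable[Tuple[str, str]]) -> List[str]:
    """Interfaces whose address is covered by at least one network statement."""
    nets = list(networks)
    return sorted(name for name, ip in interfaces.items()
                  if any(wildcard_match(ip, base, wc) for base, wc in nets))


def unadvertised_prefixes(interfaces: Dict[str, str],
                          networks: Iterable[Tuple[str, str]],
                          prefixlen: int = 24) -> List[str]:
    """Connected prefixes OSPF will not advertise because no statement covers them.
    Assumes every interface is a /24, as the page's 'ip add ... 24' lines show."""
    enabled = set(ospf_enabled_interfaces(interfaces, networks))
    return sorted(str(ipaddress.ip_interface(f"{ip}/{prefixlen}").network)
                  for name, ip in interfaces.items() if name not in enabled)


def auto_router_id(interfaces: Dict[str, str], loopbacks: Iterable[str] = ()) -> str:
    """Router ID under the rule assumed here: highest loopback address if any,
    otherwise the highest interface address (matches the IDs shown on the page)."""
    pool = list(loopbacks) or list(interfaces.values())
    return str(max(ipaddress.IPv4Address(ip) for ip in pool))


if __name__ == "__main__":
    for name, ifaces, nets in (("SW1", SW1_INTERFACES, SW1_NETWORKS),
                               ("RT1", RT1_INTERFACES, RT1_NETWORKS)):
        print(name, "router ID", auto_router_id(ifaces))
        print("  in OSPF:", ospf_enabled_interfaces(ifaces, nets))
        print("  not advertised:", unadvertised_prefixes(ifaces, nets))
```

The same wildcard logic applies to the ACLs in sections 2.1 and 4; the `unadvertised_prefixes` output for RT1 is the list of networks the switches can only reach through a static route or through `import-route static` on RT1.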
2. Internet access
2.1 Configure the ACL:
RT1:
Add an IP address on RT1:
[RT1-GigabitEthernet0/0/0]ip add 14.0.0.1 24
Configure the ACL on RT1:
[RT1]acl number 2000
[RT1-acl-basic-2000]rule permit source 10.0.0.1 0.0.0.255
[RT1-acl-basic-2000]rule permit source 20.0.0.1 0.0.0.255
[RT1-acl-basic-2000]int G0/0/0
[RT1-GigabitEthernet0/0/0]nat outbound 2000
2.2 Configure static routes
SW1:
[SW1]ip route-static 14.0.0.0 255.255.255.0 192.168.1.1
Test result:
[SW1]ping -a 10.0.0.1 14.0.0.2
PING 14.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 14.0.0.2: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 14.0.0.2: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 14.0.0.2: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 14.0.0.2: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 14.0.0.2: bytes=56 Sequence=5 ttl=254 time=5 ms
--- 14.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/22/40 ms
SW2:
[SW2]ip route-static 14.0.0.0 255.255.255.0 192.168.3.1
Test result:
[SW2]ping -a 20.0.0.1 14.0.0.2
PING 14.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 14.0.0.2: bytes=56 Sequence=1 ttl=254 time=4 ms
Reply from 14.0.0.2: bytes=56 Sequence=2 ttl=254 time=15 ms
Reply from 14.0.0.2: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 14.0.0.2: bytes=56 Sequence=4 ttl=254 time=24 ms
Reply from 14.0.0.2: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 14.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/20/30 ms
2.3 Configure an IP address on RT2
[RT2]int G0/0/0
[RT2-GigabitEthernet0/0/0]ip add 14.0.0.2 24
3. Public-network connectivity
RT1:
[RT1]int G0/0/3
[RT1-GigabitEthernet0/0/3]ip add 12.0.0.1 24
[RT1]ip route-static 23.0.0.0 255.255.255.0 12.0.0.2
RT3:
Assign IP addresses:
[RT3]int G0/0/0
[RT3-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[RT3-GigabitEthernet0/0/0]int G0/0/1
[RT3-GigabitEthernet0/0/1]ip add 23.0.0.2 24
RT4:
[RT4]int G0/0/0
[RT4-GigabitEthernet0/0/0]ip add 23.0.0.3 24
[RT4-GigabitEthernet0/0/0]int G0/0/1
[RT4-GigabitEthernet0/0/1]ip add 40.0.0.1 24
[RT4-GigabitEthernet0/0/1]qu
[RT4]ip route-static 12.0.0.1 255.255.255.0 23.0.0.2
Test result:
[RT1]ping -a 12.0.0.1 23.0.0.3
PING 23.0.0.3: 56 data bytes, press CTRL_C to break
Reply from 23.0.0.3: bytes=56 Sequence=1 ttl=254 time=21 ms
Request time out
Request time out
Reply from 23.0.0.3: bytes=56 Sequence=4 ttl=254 time=10 ms
Reply from 23.0.0.3: bytes=56 Sequence=5 ttl=254 time=10 ms
--- 23.0.0.3 ping statistics ---
5 packet(s) transmitted
3 packet(s) received
40.00% packet loss
round-trip min/avg/max = 10/13/21 ms
4. Building the IPsec VPN
Set up IPsec and the VPN.
RT4:
Create the ACL:
[RT4]acl number 3000
[RT4-acl-adv-3000]rule permit ip source 40.0.0.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
Create the IPsec proposal (security proposal):
[RT4]ipsec proposal r1
[RT4-ipsec-proposal-r1]transform esp
[RT4-ipsec-proposal-r1]esp authentication-algorithm sha1
[RT4-ipsec-proposal-r1]esp encryption-algorithm 3des
[RT4-ipsec-proposal-r1]encapsulation-mode tunnel
Create the IKE peer:
[RT4]ike peer r3
[RT4-ike-peer-r3]pre-shared-key 123
[RT4-ike-peer-r3]remote-address 12.0.0.1
Create the IPsec policy (IP security policy):
[RT4]ipsec policy 1 10 isakmp
[RT4-ipsec-policy-isakmp-1-10]security acl 3000
[RT4-ipsec-policy-isakmp-1-10]ike-peer r3
[RT4-ipsec-policy-isakmp-1-10]proposal r1
Apply the security policy to the interface:
[RT4]int g0/0/0
[RT4-GigabitEthernet0/0/0]ipsec policy 1
RT1:
Create the ACL:
[RT1]acl number 3000
[RT1-acl-adv-3000]rule permit ip source 30.0.0.0 0.0.0.255 destination 40.0.0.0 0.0.0.255
Create the IPsec proposal (security proposal):
[RT1]ipsec proposal r1
[RT1-ipsec-proposal-r1]transform esp
[RT1-ipsec-proposal-r1]esp encryption-algorithm 3des
[RT1-ipsec-proposal-r1]encapsulation-mode tunnel
Create the IKE peer:
[RT1]ike peer r3
[RT1-ike-peer-r3]pre-shared-key 123
[RT1-ike-peer-r3]remote-address 23.0.0.3
Create the IPsec policy (IP security policy):
[RT1]ipsec policy 1 10 isakmp
[RT1-ipsec-policy-isakmp-1-10]security acl 3000
[RT1-ipsec-policy-isakmp-1-10]proposal r1
[RT1-ipsec-policy-isakmp-1-10]ike-peer r3
Apply the security policy to the interface:
[RT1]int G0/0/3
[RT1-GigabitEthernet0/0/3]ipsec policy 1
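The two ends of the tunnel have to agree on the proposal, the pre-shared key and each other's address, and the two interesting-traffic ACLs have to be mirror images of each other, or the SAs do not come up (or only one direction is protected). The following is an added example, not part of the original write-up: it parses the two configurations above with the prompts removed and reports anything that differs between RT1 and RT4, is left to the device default on one side (the RT1 proposal above sets no `esp authentication-algorithm`, while RT4 sets sha1), or is weak (3DES is a legacy cipher, and the key `123` is a lab value). The line format it parses, the finding codes and the 16-character key threshold are this example's own assumptions.

```python
import re
from typing import Any, Dict, List

# Constructed from the page: each router's IKE/IPsec commands with the CLI prompts removed.
RT4_CONFIG = """\
acl number 3000
rule permit ip source 40.0.0.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
ipsec proposal r1
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
encapsulation-mode tunnel
ike peer r3
pre-shared-key 123
remote-address 12.0.0.1
ipsec policy 1 10 isakmp
security acl 3000
ike-peer r3
proposal r1
"""

RT1_CONFIG = """\
acl number 3000
rule permit ip source 30.0.0.0 0.0.0.255 destination 40.0.0.0 0.0.0.255
ipsec proposal r1
transform esp
esp encryption-algorithm 3des
encapsulation-mode tunnel
ike peer r3
pre-shared-key 123
remote-address 23.0.0.3
ipsec policy 1 10 isakmp
security acl 3000
proposal r1
ike-peer r3
"""

RULE_RE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")
PEER_SETTINGS = ("transform", "esp authentication-algorithm", "esp encryption-algorithm",
                 "encapsulation-mode", "pre-shared-key")
LEGACY_ALGORITHMS = {"des", "3des", "md5"}
MIN_PSK_LEN = 16   # this example's own threshold, not a device rule


def parse_ipsec(config: str) -> Dict[str, Any]:
    """Collect the settings that must agree between the two tunnel endpoints."""
    parsed: Dict[str, Any] = {"rules": []}
    for raw in config.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            parsed["rules"].append(((m[1], m[2]), (m[3], m[4])))
            continue
        for key in PEER_SETTINGS + ("remote-address",):
            if line.startswith(key + " "):
                parsed[key] = line[len(key) + 1:].strip()
    return parsed


def check_peers(a: Dict[str, Any], b: Dict[str, Any],
                a_addr: str, b_addr: str) -> List[str]:
    """Finding codes for anything that would keep the SAs from coming up or that is weak.
    a_addr/b_addr are the tunnel endpoint addresses the other side must point at."""
    findings: List[str] = []
    for key in PEER_SETTINGS:
        va, vb = a.get(key), b.get(key)
        if va is None or vb is None:
            findings.append(f"unset:{key}")       # one side silently uses its default
        elif va != vb:
            findings.append(f"mismatch:{key}")
    if a.get("remote-address") != b_addr or b.get("remote-address") != a_addr:
        findings.append("mismatch:remote-address")
    # The interesting-traffic ACLs must be mirror images, or one direction goes unprotected
    if set(a["rules"]) != {(dst, src) for src, dst in b["rules"]}:
        findings.append("mismatch:acl-mirror")
    for key in ("esp authentication-algorithm", "esp encryption-algorithm"):
        if a.get(key) in LEGACY_ALGORITHMS or b.get(key) in LEGACY_ALGORITHMS:
            findings.append(f"legacy:{key}")
    if len(str(a.get("pre-shared-key") or "")) < MIN_PSK_LEN:
        findings.append("weak:pre-shared-key")
    return findings


if __name__ == "__main__":
    rt1, rt4 = parse_ipsec(RT1_CONFIG), parse_ipsec(RT4_CONFIG)
    # RT1 terminates the tunnel on 12.0.0.1 (G0/0/3), RT4 on 23.0.0.3 (G0/0/0)
    for finding in check_peers(rt1, rt4, "12.0.0.1", "23.0.0.3"):
        print(finding)
```

The `dis ike sa` output in section 5 shows both phases established, so the lab evidently ran with matching settings; the check is what you would run before bringing a tunnel up, because an unset algorithm on one side is the kind of difference the CLI does not flag.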
(Joining OSPF and the static routes: since the network uses both OSPF and static routing, the two domains have to be able to reach each other.) There are two methods:
Method 1: add a static route on SW1 ([SW1]ip route-static 40.0.0.0 255.255.255.0 192.168.1.1)
SW1:
[SW1]ip route-static 40.0.0.0 255.255.255.0 192.168.1.1
RT4:
[RT4]ip route-static 30.0.0.0 255.255.255.0 12.0.0.1
Test result:
[SW1]ping -a 30.0.0.1 40.0.0.1
PING 40.0.0.1: 56 data bytes, press CTRL_C to break
Reply from 40.0.0.1: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 40.0.0.1: bytes=56 Sequence=2 ttl=254 time=25 ms
Reply from 40.0.0.1: bytes=56 Sequence=3 ttl=254 time=45 ms
Reply from 40.0.0.1: bytes=56 Sequence=4 ttl=254 time=24 ms
Reply from 40.0.0.1: bytes=56 Sequence=5 ttl=254 time=25 ms
--- 40.0.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/33/50 ms
Method 2: route redistribution (import the static routes into OSPF on RT1: [RT1]ospf 1, then [RT1-ospf-1]import-route static)
[RT1]ospf 1
[RT1-ospf-1]import-route static
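Sections 2.2 and 4 run into the same problem: OSPF on RT1 only covers 192.168.1.0/24 and 192.168.3.0/24, so the switches have no route to 14.0.0.0/24 or to the far side of the tunnel until either a static route is added on each switch (method 1) or RT1 redistributes its static routes (method 2). The added example below (written for this page, not taken from the original write-up) parses SW2's routing table from section 1.5, re-laid out one route per line, performs a longest-prefix lookup with route-preference tie-breaking, and shows what each method adds to the table. The preferences (Static 60, OSPF external 150, following Comware defaults) and the cost of the redistributed entry are assumptions made for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    proto: str
    pre: int        # preference: when prefix lengths tie, the lower value wins
    cost: int
    nexthop: str
    iface: str


PROTOCOLS = {"Direct", "Static", "OSPF", "O_ASE", "RIP", "BGP"}
STATIC_PRE = 60      # Comware default preference for static routes (assumption)
OSPF_ASE_PRE = 150   # Comware default preference for OSPF external routes (assumption)

# Constructed sample: SW2's table from section 1.5, one route per line. An ECMP
# destination is printed once; each extra path repeats only the last five columns.
SW2_ROUTING_TABLE = """\
Routing Tables: Public
        Destinations : 7        Routes : 8

Destination/Mask    Proto  Pre  Cost         NextHop         Interface
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
192.168.1.0/24      OSPF   10   2            192.168.3.1     Vlan1000
                    OSPF   10   2            192.168.2.1     Vlan1001
192.168.2.0/24      Direct 0    0            192.168.2.2     Vlan1001
192.168.2.2/32      Direct 0    0            127.0.0.1       InLoop0
192.168.3.0/24      Direct 0    0            192.168.3.2     Vlan1000
192.168.3.2/32      Direct 0    0            127.0.0.1       InLoop0
"""


def parse_routing_table(text: str) -> List[Route]:
    """Parse 'display ip routing-table' output, carrying the destination across
    continuation lines so ECMP paths become separate Route entries."""
    routes: List[Route] = []
    prefix: Optional[ipaddress.IPv4Network] = None
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0][0].isdigit():
            prefix = ipaddress.ip_network(f[0], strict=False)
            f = f[1:]
        elif not (len(f) == 5 and f[0] in PROTOCOLS and prefix is not None):
            continue  # title, counters, column header or blank line
        proto, pre, cost, nexthop, iface = f
        routes.append(Route(prefix, proto, int(pre), int(cost), nexthop, iface))
    return routes


def lookup(routes: List[Route], dest: str) -> List[str]:
    """Longest-prefix match, then lowest preference; every surviving next hop is
    returned, so an ECMP destination yields more than one."""
    d = ipaddress.ip_address(dest)
    cands = [r for r in routes if d in r.prefix]
    if not cands:
        return []
    longest = max(r.prefix.prefixlen for r in cands)
    cands = [r for r in cands if r.prefix.prefixlen == longest]
    best = min(r.pre for r in cands)
    return [r.nexthop for r in cands if r.pre == best]


def with_route(routes: List[Route], prefix: str, proto: str, nexthop: str,
               iface: str, pre: int, cost: int = 0) -> List[Route]:
    """Return a copy of the table with one more route (the input is not modified)."""
    return routes + [Route(ipaddress.ip_network(prefix), proto, pre, cost, nexthop, iface)]


if __name__ == "__main__":
    table = parse_routing_table(SW2_ROUTING_TABLE)
    print("192.168.1.1 via", lookup(table, "192.168.1.1"))   # two OSPF next hops
    print("14.0.0.2 via", lookup(table, "14.0.0.2"))         # nothing: RT1 does not advertise 14.0.0.0/24
    # Method 1 (section 2.2): a static route on the switch itself
    m1 = with_route(table, "14.0.0.0/24", "Static", "192.168.3.1", "Vlan1000", STATIC_PRE)
    print("after static:", lookup(m1, "14.0.0.2"))
    # Method 2: with 'import-route static' on RT1, its static 23.0.0.0/24 (section 3)
    # would reach the switches as an OSPF external route; cost 1 is an arbitrary value
    m2 = with_route(table, "23.0.0.0/24", "O_ASE", "192.168.3.1", "Vlan1000", OSPF_ASE_PRE, cost=1)
    print("after redistribution:", lookup(m2, "23.0.0.3"))
```

If both methods are applied for the same prefix, the static entry wins on preference (60 against 150), which is why section 5 can remove `import-route static` on RT1 and still rely on the static route configured on SW1.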
5. Other related tests
Test whether the 10.0.0.1/24 segment can communicate with the 40.0.0.1/24 segment (it must not, to satisfy the requirement):
[RT1-ospf-1]undo import-route static
[RT1-ospf-1]qu
[RT1]dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      1            23.0.0.3        RD|ST       1       IPSEC
      2            23.0.0.3        RD|ST       2       IPSEC
[SW1]ping -a 10.0.0.1 40.0.0.1
PING 40.0.0.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 40.0.0.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[SW1]ip route-static 40.0.0.0 255.255.255.0 192.168.1.1
[SW1]ping -a 10.0.0.1 40.0.0.1
PING 40.0.0.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 40.0.0.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Reason it cannot communicate: the ACL does not include the 10.0.0.1/24 segment.
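ACL 2000 (section 2.1, a basic ACL matching on source only) decides which traffic `nat outbound 2000` translates on G0/0/0, and ACL 3000 (section 4, an advanced ACL matching source and destination) decides which traffic `ipsec policy 1` protects on G0/0/3; both use wildcard masks, where a 1 bit means the corresponding address bit is ignored, so `10.0.0.1 0.0.0.255` covers all of 10.0.0.0/24. The added example below (written for this page, not taken from it) evaluates the page's rules against the test flows from sections 2.2, 4 and 5 and reproduces the `no-match` result for 10.0.0.1 -> 40.0.0.1 that the line above explains. The `no-match` fall-through, the flow list and the `acl_decisions` helper are this example's own assumptions; which interface a policy is bound to still decides whether the ACL is consulted at all.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

Match = Tuple[str, str]   # (address, wildcard mask)


class Rule(NamedTuple):
    action: str                           # "permit" or "deny"
    source: Match
    destination: Optional[Match] = None   # None for a basic ACL (source only)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard mask does not ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    if not wildcard_match(src, *rule.source):
        return False
    return rule.destination is None or wildcard_match(dst, *rule.destination)


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """First matching rule decides. A packet matching no rule gets 'no-match',
    which NAT and IPsec both treat as 'leave the packet alone' (assumption)."""
    for rule in acl:
        if rule_matches(rule, src, dst):
            return rule.action
    return "no-match"


# ACL 2000 on RT1 (section 2.1): basic, source only; referenced by 'nat outbound 2000'.
ACL_2000 = [
    Rule("permit", ("10.0.0.1", "0.0.0.255")),
    Rule("permit", ("20.0.0.1", "0.0.0.255")),
]
# ACL 3000 on RT1 (section 4): advanced; referenced by 'security acl 3000' in ipsec policy 1.
ACL_3000_RT1 = [
    Rule("permit", ("30.0.0.0", "0.0.0.255"), ("40.0.0.0", "0.0.0.255")),
]

# Constructed flows taken from the page's ping tests.
TEST_FLOWS = [
    ("10.0.0.1", "14.0.0.2"),   # sections 2.2 and 5: VLAN 10 to the external network
    ("20.0.0.1", "14.0.0.2"),   # section 2.2: VLAN 20 to the external network
    ("30.0.0.1", "40.0.0.1"),   # section 4: VLAN 30 into the tunnel
    ("10.0.0.1", "40.0.0.1"),   # section 5: expected to fail
]


def acl_decisions(src: str, dst: str) -> Dict[str, str]:
    """What each ACL says about a flow; the interface binding decides which applies."""
    return {"acl 2000 (nat outbound, G0/0/0)": evaluate(ACL_2000, src, dst),
            "acl 3000 (ipsec policy 1, G0/0/3)": evaluate(ACL_3000_RT1, src, dst)}


if __name__ == "__main__":
    for src, dst in TEST_FLOWS:
        print(f"{src} -> {dst}: {acl_decisions(src, dst)}")
```

The evaluation also shows that 30.0.0.0/24 never matches ACL 2000, so VLAN 30 is kept off the NAT path and only leaves through the tunnel, which is the segmentation the two tests in this section confirm.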
Test connectivity between the 10.0.0.1/24 segment and the external network (it communicates normally, satisfying the requirement):
[SW1]ping -a 10.0.0.1 14.0.0.2
PING 14.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 14.0.0.2: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 14.0.0.2: bytes=56 Sequence=2 ttl=254 time=15 ms
Reply from 14.0.0.2: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 14.0.0.2: bytes=56 Sequence=4 ttl=254 time=15 ms
Reply from 14.0.0.2: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 14.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/14/3