ENSP: BGP + IPsec VPN lab

Task requirements:

  1. Headquarters and the branch office exchange their internal routes over BGP
  2. Headquarters and the branch office are connected by a VPN and can communicate with each other
  3. Headquarters and the branch office can initiate connections to the ISP, but the ISP is not allowed to initiate connections to headquarters or the branch office

Network device models:

Router: AR2240

Switch: S3700

Topology diagram

[image: 798d11fd46f74d0bb894c84a2fb43b86.png]

 

Configuration

The IP addressing steps are omitted here; the topology file has been posted to my open-source group (the topology in the group already has the static IP addresses, gateways and other basic settings configured).

Configure default routes on AR4 and AR5

<R4>sys
Enter system view, return user view with Ctrl+Z.
[R4]ip route-static  0.0.0.0 0.0.0.0 75.0.0.1 
-------------------
<R5>sys
Enter system view, return user view with Ctrl+Z.
[R5]
[R5]ip route-static 0.0.0.0 0.0.0.0 89.0.0.1

Configure OSPF on the Internet routers

[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 75.0.0.0 0.0.0.3
[R1-ospf-1-area-0.0.0.0]network 34.0.0.0 0.0.0.3
[R1-ospf-1-area-0.0.0.0]network 16.0.0.0 0.0.0.3
------
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 13.0.0.0 0.0.0.3
[R2-ospf-1-area-0.0.0.0]network 34.0.0.0 0.0.0.3
[R2-ospf-1-area-0.0.0.0]network 70.0.0.0 0.0.0.3
-----
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 16.0.0.0 0.0.0.3
[R3-ospf-1-area-0.0.0.0]network 89.0.0.0 0.0.0.3
[R3-ospf-1-area-0.0.0.0]network 70.0.0.0 0.0.0.3

Result:

[R1]display ospf peer 

	 OSPF Process 1 with Router ID 1.1.1.1
		 Neighbors 

 Area 0.0.0.0 interface 34.0.0.1(GigabitEthernet0/0/1)'s neighbors
 Router ID: 2.2.2.2          Address: 34.0.0.2        
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 34.0.0.1  BDR: 34.0.0.2  MTU: 0    
   Dead timer due in 29  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:02:30     
   Authentication Sequence: [ 0 ] 

		 Neighbors 

 Area 0.0.0.0 interface 16.0.0.1(GigabitEthernet0/0/2)'s neighbors
 Router ID: 3.3.3.3          Address: 16.0.0.2        
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 16.0.0.1  BDR: 16.0.0.2  MTU: 0    
   Dead timer due in 40  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:01:20     
   Authentication Sequence: [ 0 ] 
[R1]display ip routing-table protocol ospf 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 3        Routes : 4        

OSPF routing table status : <Active>
         Destinations : 3        Routes : 4

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       13.0.0.0/30  OSPF    10   2           D   34.0.0.2        GigabitEthernet0/0/1
       70.0.0.0/30  OSPF    10   2           D   34.0.0.2        GigabitEthernet0/0/1
                    OSPF    10   2           D   16.0.0.2        GigabitEthernet0/0/2
       89.0.0.0/30  OSPF    10   2           D   16.0.0.2        GigabitEthernet0/0/2

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

Configure BGP

#From R1 we can see that the cost from 75.0.0.2 to 89.0.0.2 is 3 at minimum and 4 at maximum, so ebgp-max-hop is set to 4

[R4]bgp 111
[R4-bgp]router-id 4.4.4.4
[R4-bgp]peer 89.0.0.2 as-number 112
[R4-bgp]peer 89.0.0.2 ebgp-max-hop 4
[R4-bgp]ipv4-family unicast
[R4-bgp-af-ipv4]peer 89.0.0.2 enable
[R4-bgp-af-ipv4]peer 89.0.0.2 next-hop-local
[R4-bgp-af-ipv4]network 172.16.0.0 24
[R4-bgp-af-ipv4]network 192.168.100.0 24
----
[R5]bgp 112
[R5-bgp]router-id 5.5.5.5
[R5-bgp]peer 75.0.0.2 as-number 111
[R5-bgp]peer 75.0.0.2 ebgp-max-hop 4
[R5-bgp]ipv4-family unicast
[R5-bgp-af-ipv4]peer 75.0.0.2 enable
[R5-bgp-af-ipv4]peer 75.0.0.2 next-hop-local
[R5-bgp-af-ipv4]network 192.168.200.0 24
#Because the default routes on R4 and R5 would prevent the BGP routes from being learned, static routes to the peer address must be configured
[R4]ip route-static 89.0.0.2 32 75.0.0.1
[R5]ip route-static 75.0.0.2 32 89.0.0.1

Result:

[R5]display bgp peer

 BGP local router ID : 5.5.5.5
 Local AS number : 112
 Total number of peers : 1		  Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  75.0.0.2        4         111        8        7     0 00:04:35 Established    2
[R5]dis bgp routing-table 

 BGP Local router ID is 5.5.5.5 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 Total Number of Routes: 3
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   172.16.0.0/24      75.0.0.2        0                     0      111i
 *>   192.168.100.0      75.0.0.2        0                     0      111i
 *>   192.168.200.0      0.0.0.0         0                     0      i

[image: 566c9c1ecd5b4615ba861d17de737ff9.png]

[image: 63826aa25c6c47c9987d52cd022e74b4.png]

Configure IPsec VPN

Define the traffic-matching rules

[R4]acl 3001
[R4-acl-adv-3001]rule 1 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[R4-acl-adv-3001]rule 2 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
-----
[R5]acl 3001
[R5-acl-adv-3001]rule 1 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
[R5-acl-adv-3001]rule 2 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
#The tunnel is used only for traffic between headquarters and the branch office

R4 configuration

[R4]ipsec proposal VPN
[R4-ipsec-proposal-VPN]esp authentication-algorithm sha1
[R4-ipsec-proposal-VPN]quit
[R4]ipsec policy P1 10 manual	
[R4-ipsec-policy-manual-P1-10]security acl 3001
[R4-ipsec-policy-manual-P1-10]proposal VPN
[R4-ipsec-policy-manual-P1-10]tunnel remote 89.0.0.2
[R4-ipsec-policy-manual-P1-10]tunnel local 75.0.0.2
[R4-ipsec-policy-manual-P1-10]sa spi inbound esp 256
[R4-ipsec-policy-manual-P1-10]sa spi outbound esp 256
[R4-ipsec-policy-manual-P1-10]sa string-key inbound esp simple ocean
[R4-ipsec-policy-manual-P1-10]sa string-key outbound esp simple scitc
[R4-ipsec-policy-manual-P1-10]quit
[R4]int g0/0/2
[R4-GigabitEthernet0/0/2]ipsec policy P1

R5 configuration

[R5]ipsec proposal VPN
[R5-ipsec-proposal-VPN]esp authentication-algorithm sha1
[R5-ipsec-proposal-VPN]quit
[R5]ipsec policy P2 10 manual
[R5-ipsec-policy-manual-P2-10]security acl 3001
[R5-ipsec-policy-manual-P2-10]proposal VPN
[R5-ipsec-policy-manual-P2-10]tunnel remote 75.0.0.2 
[R5-ipsec-policy-manual-P2-10]tunnel local 89.0.0.2
[R5-ipsec-policy-manual-P2-10]sa spi  inbound esp 256
[R5-ipsec-policy-manual-P2-10]sa spi outbound esp 256
[R5-ipsec-policy-manual-P2-10]sa string-key inbound esp simple scitc
[R5-ipsec-policy-manual-P2-10]sa string-key outbound esp simple ocean 
[R5-ipsec-policy-manual-P2-10]quit
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]ipsec policy P2
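With manual keying nothing is negotiated, so every value has to be mirrored by hand between R4 and R5: R4's inbound SPI and key are R5's outbound ones and vice versa, the tunnel endpoints are swapped, and the two security ACLs must be mirror images. The Python script below is an added example, not code from the original post or a Huawei tool: it transcribes the two policies above into records, checks those relations, and flags the `simple` (plaintext-in-configuration) key storage. The record field names, the `R5_SWAPPED_KEYS` variant and the `hardening_notes` findings are the example's own constructions.

```python
"""Cross-check of two manually keyed IPsec policies (added example).

Assumption: the two policy records below were transcribed by hand from the
R4 (P1) and R5 (P2) configuration on the page; this is not a Huawei tool and
does not parse running-config text.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class ManualIpsecPolicy:
    name: str
    tunnel_local: str
    tunnel_remote: str
    spi_in: int            # sa spi inbound esp
    spi_out: int           # sa spi outbound esp
    key_in: str            # sa string-key inbound esp
    key_out: str           # sa string-key outbound esp
    key_storage: str       # "simple" (plaintext in the configuration) or "cipher"
    acl_flows: Tuple[Tuple[str, str], ...]   # (source, destination) pairs the security ACL permits


def check_peer_pair(a: ManualIpsecPolicy, b: ManualIpsecPolicy) -> List[str]:
    """Return the reasons why the manual SAs on a and b cannot match.

    Each side's inbound SA must equal the other side's outbound SA (SPI and
    key), the tunnel endpoints must be swapped, and the security ACLs must be
    mirror images of each other. An empty list means the pair is consistent.
    """
    problems = []
    if (a.tunnel_local, a.tunnel_remote) != (b.tunnel_remote, b.tunnel_local):
        problems.append(f"{a.name}/{b.name}: tunnel endpoints are not mirrored")
    if a.spi_in != b.spi_out:
        problems.append(f"{a.name} inbound SPI {a.spi_in} != {b.name} outbound SPI {b.spi_out}")
    if a.spi_out != b.spi_in:
        problems.append(f"{a.name} outbound SPI {a.spi_out} != {b.name} inbound SPI {b.spi_in}")
    if a.key_in != b.key_out:
        problems.append(f"{a.name} inbound key != {b.name} outbound key")
    if a.key_out != b.key_in:
        problems.append(f"{a.name} outbound key != {b.name} inbound key")
    if set(a.acl_flows) != {(dst, src) for src, dst in b.acl_flows}:
        problems.append(f"{a.name}/{b.name}: security ACLs are not mirror images")
    return problems


def hardening_notes(p: ManualIpsecPolicy) -> List[str]:
    """Non-fatal findings a reviewer would raise about one policy."""
    notes = []
    if p.key_storage == "simple":
        notes.append(f"{p.name}: string-key stored as 'simple' (plaintext in the configuration)")
    if p.key_in == p.key_out:
        notes.append(f"{p.name}: same key used for both directions")
    return notes


# Transcribed from the page's R4 and R5 configuration.
R4_P1 = ManualIpsecPolicy(
    name="R4 P1", tunnel_local="75.0.0.2", tunnel_remote="89.0.0.2",
    spi_in=256, spi_out=256, key_in="ocean", key_out="scitc", key_storage="simple",
    acl_flows=(("192.168.100.0/24", "192.168.200.0/24"),
               ("172.16.0.0/24", "192.168.200.0/24")),
)
R5_P2 = ManualIpsecPolicy(
    name="R5 P2", tunnel_local="89.0.0.2", tunnel_remote="75.0.0.2",
    spi_in=256, spi_out=256, key_in="scitc", key_out="ocean", key_storage="simple",
    acl_flows=(("192.168.200.0/24", "192.168.100.0/24"),
               ("192.168.200.0/24", "172.16.0.0/24")),
)
# Constructed misconfiguration: R5's keys entered the same way round as on R4,
# which leaves the SAs silently unable to authenticate each other's packets.
R5_SWAPPED_KEYS = replace(R5_P2, key_in="ocean", key_out="scitc")

if __name__ == "__main__":
    print("R4<->R5:", check_peer_pair(R4_P1, R5_P2) or "consistent")
    print("R4<->R5 (swapped keys):", check_peer_pair(R4_P1, R5_SWAPPED_KEYS))
    for policy in (R4_P1, R5_P2):
        print(hardening_notes(policy))
```

Two things worth checking on a real deployment that the script only hints at: the proposal above sets only the ESP authentication algorithm, so the ESP encryption algorithm is whatever the platform default is and should be chosen explicitly, and the string keys appear in clear text in the saved configuration because they were entered with `simple`.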

After the configuration is complete, R5 can successfully communicate with 172.16.0.10 using the address 192.168.100.254; the traffic goes through the tunnel, and the intermediate routers hold no address from the 172.16.0.0/24 segment.

[image: 49605699f7164e5a8b3103d9d1f5b7b6.png]

[image: 4a3f4fecfafe488b8f19085afe46450b.png]

The intermediate routers have no routing-table entry for 172.16.0.0.

Configure NAT

R4 configuration

[R4]acl 3002
[R4-acl-adv-3002]rule 1 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[R4-acl-adv-3002]rule 2 deny ip source 172.16.0.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[R4-acl-adv-3002]rule 3 permit ip source 192.168.100.0 0.0.0.255
[R4-acl-adv-3002]rule 4 permit ip source 172.16.0.0 0.0.0.255
[R4-acl-adv-3002]quit
[R4]int g0/0/2
[R4-GigabitEthernet0/0/2]nat outbound 3002

R5 configuration

[R5]acl 3002
[R5-acl-adv-3002]rule 1 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
[R5-acl-adv-3002]rule 2 deny ip source 192.168.200.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
[R5-acl-adv-3002]rule 3 permit ip source 192.168.200.0 0.0.0.255
[R5-acl-adv-3002]quit
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]nat outbound 3002
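The deny rules at the top of ACL 3002 matter because the NAT ACL and the security ACL 3001 must never both select the same flow: if the source of headquarters-to-branch traffic were translated to the WAN address, it would no longer match ACL 3001 and would leave in the clear instead of through the tunnel. The Python script below is an added example, not code from the original post or a Huawei tool: it models first-match ACL evaluation over R4's two ACLs as transcribed from the page, classifies a few constructed flows, and shows which flows collide if the deny rules are left out. The `net` helper and the `NAT_ACL_NO_EXEMPT` variant are the example's own constructions, and `net` accepts only contiguous wildcard masks.

```python
"""First-match simulation of R4's two advanced ACLs (added example).

ACL 3001 selects the traffic IPsec policy P1 protects; ACL 3002 selects the
traffic 'nat outbound' translates. The rules are transcribed from the page;
the sample flows and the broken NAT ACL are constructed. Not a Huawei tool.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str                               # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]      # None means any source
    dst: Optional[ipaddress.IPv4Network]      # None means any destination


def net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Huawei 'address wildcard' pair into a network.

    Only contiguous wildcards (0.0.0.255, 0.0.0.3, 0.0.0.0, ...) are supported.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def acl_selects(rules: List[Rule], src: str, dst: str) -> bool:
    """Rules are evaluated in order and the first match decides.

    A flow that matches no rule is not selected by the ACL, so it is neither
    protected (security acl) nor translated (nat outbound).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            return r.action == "permit"
    return False


# ACL 3001 on R4: the tunnel carries only headquarters <-> branch traffic.
IPSEC_ACL = [
    Rule("permit", net("192.168.100.0", "0.0.0.255"), net("192.168.200.0", "0.0.0.255")),
    Rule("permit", net("172.16.0.0", "0.0.0.255"), net("192.168.200.0", "0.0.0.255")),
]
# ACL 3002 on R4: exempt the tunnel traffic first, then translate the LANs.
NAT_ACL = [
    Rule("deny", net("192.168.100.0", "0.0.0.255"), net("192.168.200.0", "0.0.0.255")),
    Rule("deny", net("172.16.0.0", "0.0.0.255"), net("192.168.200.0", "0.0.0.255")),
    Rule("permit", net("192.168.100.0", "0.0.0.255"), None),
    Rule("permit", net("172.16.0.0", "0.0.0.255"), None),
]
# Constructed misconfiguration: the same NAT ACL without the deny rules.
NAT_ACL_NO_EXEMPT = NAT_ACL[2:]


def classify(src: str, dst: str, ipsec_acl=IPSEC_ACL, nat_acl=NAT_ACL) -> str:
    """What happens to a flow leaving R4's WAN interface."""
    protected = acl_selects(ipsec_acl, src, dst)
    translated = acl_selects(nat_acl, src, dst)
    if protected and translated:
        # A translated source no longer matches the security ACL, so the
        # flow would leave in the clear instead of through the tunnel.
        return "conflict"
    if protected:
        return "ipsec"
    if translated:
        return "nat"
    return "plain"


def conflicts(ipsec_acl, nat_acl, flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flows that both ACLs select; a correct IPsec + NAT setup returns none."""
    return [f for f in flows if classify(f[0], f[1], ipsec_acl, nat_acl) == "conflict"]


SAMPLE_FLOWS = [
    ("172.16.0.10", "13.0.0.2"),           # HQ host to the ISP: translated
    ("192.168.100.10", "192.168.200.10"),  # HQ LAN to branch LAN: tunnelled
    ("172.16.0.10", "192.168.200.10"),     # HQ server LAN to branch LAN: tunnelled
    ("75.0.0.2", "13.0.0.2"),              # router's own WAN address: untouched
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>15} -> {dst:<15} {classify(src, dst)}")
    print("conflicts without the deny rules:",
          conflicts(IPSEC_ACL, NAT_ACL_NO_EXEMPT, SAMPLE_FLOWS))
```

Running it with the page's ACLs reports no conflicts; with `NAT_ACL_NO_EXEMPT` both headquarters-to-branch flows are reported, which is exactly the traffic that would silently bypass the tunnel. The same check applies to R5's ACLs with the source and destination networks swapped.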

Result:

172.16.0.10 can ping 13.0.0.2 and its address is translated; 13.0.0.2 cannot initiate a ping to 172.16.0.10.

[image: b0f9dc74d6b24e69ba7b0e05d9a1f8e2.png]

[image: a4b7c946b9804ebc87a4eea5ab12dbab.png]

Tests

  1. Headquarters and the branch office exchange their internal routes over BGP
     [image: 1f93677f8f444ae99a543455b84aa47d.png]
  2. Headquarters and the branch office are connected by a VPN and can communicate with each other
     [image: 7a0abe13280f45c6a7612f4371e97d12.png]
  3. Headquarters and the branch office can initiate connections to the ISP, but the ISP is not allowed to initiate connections to headquarters or the branch office
     [image: b467491d0ef7451a9ac21d2c9c3ef55e.png]
