Task requirements:
- The headquarters and the branch exchange their internal routes over BGP
- The headquarters and the branch are connected by a VPN and can reach each other
- The headquarters and the branch can initiate connections to the ISP, but the ISP must not be able to initiate connections to the headquarters or the branch
Network device models:
Router: AR2240
Switch: S3700
Topology diagram
Configuration
The IP address configuration is omitted here; the topology file has been posted to my open-source group (in the group's copy of the topology the static IP addresses, gateways and other basic settings are already configured).
Configure a default route on AR4 and AR5
<R4>sys
Enter system view, return user view with Ctrl+Z.
[R4]ip route-static 0.0.0.0 0.0.0.0 75.0.0.1
-------------------
<R5>sys
Enter system view, return user view with Ctrl+Z.
[R5]ip route-static 0.0.0.0 0.0.0.0 89.0.0.1
Configure OSPF on the Internet (ISP) routers
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 75.0.0.0 0.0.0.3
[R1-ospf-1-area-0.0.0.0]network 34.0.0.0 0.0.0.3
[R1-ospf-1-area-0.0.0.0]network 16.0.0.0 0.0.0.3
------
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 13.0.0.0 0.0.0.3
[R2-ospf-1-area-0.0.0.0]network 34.0.0.0 0.0.0.3
[R2-ospf-1-area-0.0.0.0]network 70.0.0.0 0.0.0.3
-----
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 16.0.0.0 0.0.0.3
[R3-ospf-1-area-0.0.0.0]network 89.0.0.0 0.0.0.3
[R3-ospf-1-area-0.0.0.0]network 70.0.0.0 0.0.0.3
Result:
[R1]display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 34.0.0.1(GigabitEthernet0/0/1)'s neighbors
Router ID: 2.2.2.2 Address: 34.0.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: 34.0.0.1 BDR: 34.0.0.2 MTU: 0
Dead timer due in 29 sec
Retrans timer interval: 5
Neighbor is up for 00:02:30
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.0 interface 16.0.0.1(GigabitEthernet0/0/2)'s neighbors
Router ID: 3.3.3.3 Address: 16.0.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: 16.0.0.1 BDR: 16.0.0.2 MTU: 0
Dead timer due in 40 sec
Retrans timer interval: 5
Neighbor is up for 00:01:20
Authentication Sequence: [ 0 ]
[R1]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 3 Routes : 4
OSPF routing table status : <Active>
Destinations : 3 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
13.0.0.0/30 OSPF 10 2 D 34.0.0.2 GigabitEthernet0/0/1
70.0.0.0/30 OSPF 10 2 D 34.0.0.2 GigabitEthernet0/0/1
            OSPF 10 2 D 16.0.0.2 GigabitEthernet0/0/2
89.0.0.0/30 OSPF 10 2 D 16.0.0.2 GigabitEthernet0/0/2
OSPF routing table status : <Inactive>
Destinations : 0 Routes : 0
Configure BGP
# From R1's routing table we can see that the path from 75.0.0.2 to 89.0.0.2 costs at least 3 hops and at most 4 hops, so ebgp-max-hop is set to 4
[R4]bgp 111
[R4-bgp]router-id 4.4.4.4
[R4-bgp]peer 89.0.0.2 as-number 112
[R4-bgp]peer 89.0.0.2 ebgp-max-hop 4
[R4-bgp]ipv4-family unicast
[R4-bgp-af-ipv4]peer 89.0.0.2 enable
[R4-bgp-af-ipv4]peer 89.0.0.2 next-hop-local
[R4-bgp-af-ipv4]network 172.16.0.0 24
[R4-bgp-af-ipv4]network 192.168.100.0 24
----
[R5]bgp 112
[R5-bgp]router-id 5.5.5.5
[R5-bgp]peer 75.0.0.2 as-number 111
[R5-bgp]peer 75.0.0.2 ebgp-max-hop 4
[R5-bgp]ipv4-family unicast
[R5-bgp-af-ipv4]peer 75.0.0.2 enable
[R5-bgp-af-ipv4]peer 75.0.0.2 next-hop-local
[R5-bgp-af-ipv4]network 192.168.200.0 24
# Because R4 and R5 only hold a default route, which blocks learning of the BGP routes (the peer's next hop cannot be resolved through it), a specific static route to the peer address must be configured
[R4]ip route-static 89.0.0.2 32 75.0.0.1
[R5]ip route-static 75.0.0.2 32 89.0.0.1
Effect:
[R5]display bgp peer
BGP local router ID : 5.5.5.5
Local AS number : 112
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
75.0.0.2 4 111 8 7 0 00:04:35 Established 2
[R5]dis bgp routing-table
BGP Local router ID is 5.5.5.5
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 172.16.0.0/24 75.0.0.2 0 0 111i
*> 192.168.100.0 75.0.0.2 0 0 111i
*> 192.168.200.0 0.0.0.0 0 0 i
Configure IPsec VPN
Set the matching rules (the interesting-traffic ACL)
[R4]acl 3001
[R4-acl-adv-3001]rule 1 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[R4-acl-adv-3001]rule 2 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
-----
[R5]acl 3001
[R5-acl-adv-3001]rule 1 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
[R5-acl-adv-3001]rule 2 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
# The tunnel is used only for traffic between the headquarters and the branch; everything else bypasses it
R4 configuration
[R4]ipsec proposal VPN
[R4-ipsec-proposal-VPN]esp authentication-algorithm sha1
[R4-ipsec-proposal-VPN]quit
[R4]ipsec policy P1 10 manual
[R4-ipsec-policy-manual-P1-10]security acl 3001
[R4-ipsec-policy-manual-P1-10]proposal VPN
[R4-ipsec-policy-manual-P1-10]tunnel remote 89.0.0.2
[R4-ipsec-policy-manual-P1-10]tunnel local 75.0.0.2
[R4-ipsec-policy-manual-P1-10]sa spi inbound esp 256
[R4-ipsec-policy-manual-P1-10]sa spi outbound esp 256
[R4-ipsec-policy-manual-P1-10]sa string-key inbound esp simple ocean
[R4-ipsec-policy-manual-P1-10]sa string-key outbound esp simple scitc
[R4-ipsec-policy-manual-P1-10]quit
[R4]int g0/0/2
[R4-GigabitEthernet0/0/2]ipsec policy P1
R5 configuration
[R5]ipsec proposal VPN
[R5-ipsec-proposal-VPN]esp authentication-algorithm sha1
[R5-ipsec-proposal-VPN]quit
[R5]ipsec policy P2 10 manual
[R5-ipsec-policy-manual-P2-10]security acl 3001
[R5-ipsec-policy-manual-P2-10]proposal VPN
[R5-ipsec-policy-manual-P2-10]tunnel remote 75.0.0.2
[R5-ipsec-policy-manual-P2-10]tunnel local 89.0.0.2
[R5-ipsec-policy-manual-P2-10]sa spi inbound esp 256
[R5-ipsec-policy-manual-P2-10]sa spi outbound esp 256
[R5-ipsec-policy-manual-P2-10]sa string-key inbound esp simple scitc
[R5-ipsec-policy-manual-P2-10]sa string-key outbound esp simple ocean
[R5-ipsec-policy-manual-P2-10]quit
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]ipsec policy P2
After the configuration is complete, R5 can communicate from 192.168.100.254 with 172.16.0.10; the traffic goes through the tunnel, and the intermediate routers carry no address in the 172.16.0.0/24 range.
The intermediate routers have no route for 172.16.0.0 in their routing tables.
Configure NAT
R4 configuration
[R4]acl 3002
[R4-acl-adv-3002]rule 1 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[R4-acl-adv-3002]rule 2 deny ip source 172.16.0.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[R4-acl-adv-3002]rule 3 permit ip source 192.168.100.0 0.0.0.255
[R4-acl-adv-3002]rule 4 permit ip source 172.16.0.0 0.0.0.255
[R4-acl-adv-3002]quit
[R4]int g0/0/2
[R4-GigabitEthernet0/0/2]nat outbound 3002
R5 configuration
[R5]acl 3002
[R5-acl-adv-3002]rule 1 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
[R5-acl-adv-3002]rule 2 deny ip source 192.168.200.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
[R5-acl-adv-3002]rule 3 permit ip source 192.168.200.0 0.0.0.255
[R5-acl-adv-3002]quit
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]nat outbound 3002
Effect:
172.16.0.10 can ping 13.0.0.2 and the source address is translated; 13.0.0.2 cannot initiate a ping to 172.16.0.10.
Test
- The headquarters and the branch exchange their internal routes over BGP
- The headquarters and the branch are connected by a VPN and can reach each other
- The headquarters and the branch can initiate connections to the ISP, but the ISP must not be able to initiate connections to the headquarters or the branch
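The IPsec ACL 3001 and the NAT ACL 3002 have to agree: the deny rules in 3002 must cover exactly the flows that 3001 protects, and R5's 3001 must be the source/destination mirror of R4's, otherwise NAT rewrites the source address first and the packet no longer matches the IPsec policy. The following Python script is an added example, not part of the original lab; it parses constructed copies of the VRP rules shown above (the abbreviated "sou" keyword is written out as "source") and reports any protected flow that would still be translated.

```python
import ipaddress
import re

# Constructed copies of the ACL rules from the R4 and R5 configuration above
# (VRP syntax: "rule N permit|deny ip source A W [destination B W]").
R4_IPSEC = """rule 1 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 2 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.200.0 0.0.0.255"""
R5_IPSEC = """rule 1 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 2 permit ip source 192.168.200.0 0.0.0.255 destination 172.16.0.0 0.0.0.255"""
R4_NAT = """rule 1 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 2 deny ip source 172.16.0.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 3 permit ip source 192.168.100.0 0.0.0.255
rule 4 permit ip source 172.16.0.0 0.0.0.255"""
# Constructed misconfiguration: the second deny rule was forgotten.
R4_NAT_BAD = "\n".join(l for l in R4_NAT.splitlines() if not l.startswith("rule 2"))

RULE = re.compile(r"rule\s+\d+\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
                  r"(?:\s+destination\s+(\S+)\s+(\S+))?")
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard_to_net(addr, wildcard):
    """Turn a VRP address + wildcard (inverse mask) pair into a network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_acl(text):
    """Return [(action, src_net, dst_net)] in rule order; no destination = any."""
    return [(a, wildcard_to_net(s, sw), wildcard_to_net(d, dw) if d else ANY)
            for a, s, sw, d, dw in RULE.findall(text)]

def ipsec_acls_mirror(local_text, remote_text):
    """The remote ACL 3001 must be the exact src/dst swap of the local one."""
    local = {(d, s) for a, s, d in parse_acl(local_text) if a == "permit"}
    remote = {(s, d) for a, s, d in parse_acl(remote_text) if a == "permit"}
    return local == remote

def nat_leaks(ipsec_text, nat_text):
    """Protected flows whose first match in the NAT ACL is a permit.

    VRP stops at the first matching rule, so a protected flow must hit a deny
    before any broad permit; a flow matching no rule is simply not translated."""
    nat = parse_acl(nat_text)
    leaks = []
    for a, src, dst in parse_acl(ipsec_text):
        if a != "permit":
            continue
        first = next(((na, ns, nd) for na, ns, nd in nat
                      if src.subnet_of(ns) and dst.subnet_of(nd)), None)
        if first and first[0] == "permit":
            leaks.append(f"{src} -> {dst}")
    return leaks
```

With the rules as configured in the lab `nat_leaks(R4_IPSEC, R4_NAT)` is empty, while the constructed `R4_NAT_BAD` shows the 172.16.0.0/24 to 192.168.200.0/24 flow being translated by rule 4.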