Network Security Architecture and Deployment - Advanced Routing - Policy 2 - 20210926

1 / Short-answer question

Using route-maps for policy-based routing

Lab assignment:

Deploy the lab environment in GNS3 as shown in the figure:

[Topology diagram: highroute2.png (image not available in this copy)]

1. R1 and R2 simulate intranet hosts and run OSPF with R3 so that the intranet is fully connected.
Configure the IP addresses so that the devices can reach each other:
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#end

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int f1/0
R2(config-if)#ip add 192.168.2.1 255.255.255.0
R2(config-if)#no sh

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int f0/0
R3(config-if)#ip add 192.168.1.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f1/0
R3(config-if)#ip add 192.168.2.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f2/0
R3(config-if)#ip add 100.1.34.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f3/0
R3(config-if)#ip add 100.1.35.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#end

Verify R3:
R3#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.3     YES manual up                    up      
FastEthernet1/0            192.168.2.3     YES manual up                    up      
FastEthernet2/0            100.1.34.3      YES manual up                    up      
FastEthernet3/0            100.1.35.3      YES manual up                    up  


R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int f3/0
R4(config-if)#ip add 100.1.34.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#int lo1
R4(config-if)#ip add  4.4.4.4 255.255.255.255
R4(config-if)#end

Verify R4:
R4#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down    
FastEthernet1/0            unassigned      YES unset  administratively down down    
FastEthernet2/0            unassigned      YES unset  administratively down down    
FastEthernet3/0            100.1.34.4      YES manual up                    up      
Loopback1                  4.4.4.4         YES manual up                    up      
R4#

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int f2/0
R5(config-if)#no sh
R5(config-if)#ip add 100.1.35.5 255.255.255.0
R5(config-if)#int lo1
R5(config-if)#ip add 5.5.5.5 255.255.255.255
R5(config-if)#end

Verify R5:
R5#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down    
FastEthernet1/0            unassigned      YES unset  administratively down down    
FastEthernet2/0            100.1.35.5      YES manual up                    up      
FastEthernet3/0            unassigned      YES unset  administratively down down    
Loopback1                  5.5.5.5         YES manual up                    up      
R5#

Test connectivity:

R5#ping 100.1.35.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.35.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 96/124/160 ms
R5#

R4#ping 100.1.34.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.34.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 128/135/144 ms
R4#


R1 and R2 simulate intranet hosts and run OSPF with R3 so that the intranet is connected:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router ospf 100
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#end


R2(config-if)#router ospf 100
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 192.168.2.0 0.0.0.255 area 0
R2(config-router)#end


R3(config-if)#
R3(config-if)#router ospf 100
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 192.168.1.0 0.0.0.255 area 0
R3(config-router)#network 192.168.2.0 0.0.0.255 area 0
R3(config-router)#end


R1#show ip route ospf
O    192.168.2.0/24 [110/2] via 192.168.1.3, 00:22:49, FastEthernet0/0
R1#

R2#show ip route ospf
O    192.168.1.0/24 [110/2] via 192.168.2.3, 00:22:44, FastEthernet1/0
R2#


2. R3 originates an OSPF default route so that R1 and R2 can reach the Internet:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router ospf 100
R3(config-router)#default-information originate always 
R3(config-router)#  


3. Deploy policy-based routing (PBR) on R3 so that R1 reaches the Internet via R4 and R2 reaches the Internet via R5:
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#access-list 1 permit 192.168.1.0 0.0.0.255
R3(config)#access-list 2 permit 192.168.2.0 0.0.0.255

R3(config)#route-map r4 permit 10
R3(config-route-map)#match ip address 1
R3(config-route-map)#set ip next-hop 100.1.34.4 


R3(config-route-map)#route-map r5 permit 10
R3(config-route-map)#match ip address 2
R3(config-route-map)#set ip next-hop 100.1.35.5

R3(config-route-map)#int f0/0
R3(config-if)#ip policy route-map r4


R3(config-if)#int f1/0
R3(config-if)#ip policy route-map r5

R3(config-if)#end

Verification:
R3#show ip access-lists 
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (67 matches)
Standard IP access list 2
    10 permit 192.168.2.0, wildcard bits 0.0.0.255 (48 matches)


R3#show route-map 
route-map r4, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1 
  Set clauses:
    ip next-hop 100.1.34.4
  Policy routing matches: 23 packets, 2460 bytes
route-map r5, permit, sequence 10
  Match clauses:
    ip address (access-lists): 2 
  Set clauses:
    ip next-hop 100.1.35.5
  Policy routing matches: 5 packets, 570 bytes
  

R3#show ip policy
Interface      Route map
Fa0/0          r4
Fa1/0          r5

R3#
*Mar  1 01:51:36.495: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:36.495: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
*Mar  1 01:51:36.815: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:36.815: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
*Mar  1 01:51:36.979: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:36.979: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
R3#
*Mar  1 01:51:37.203: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:37.203: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
*Mar  1 01:51:37.431: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:37.431: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
R3#



Ping and traceroute verification on R1:
R1#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/188/240 ms
R1#
*Mar  1 01:39:20.587: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1
*Mar  1 01:39:20.763: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1
*Mar  1 01:39:20.963: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1
*Mar  1 01:39:21.163: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1
*Mar  1 01:39:21.295: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1


R1#traceroute  4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 192.168.1.3 72 msec 68 msec 156 msec
  2 100.1.34.4 104 msec 216 msec 196 msec
R1#
*Mar  1 01:41:10.779: ICMP: time exceeded rcvd from 192.168.1.3
*Mar  1 01:41:10.847: ICMP: time exceeded rcvd from 192.168.1.3
*Mar  1 01:41:11.007: ICMP: time exceeded rcvd from 192.168.1.3
*Mar  1 01:41:11.115: ICMP: dst (192.168.1.1) port unreachable rcv from 100.1.34.4
*Mar  1 01:41:11.335: ICMP: dst (192.168.1.1) port unreachable rcv from 100.1.34.4
*Mar  1 01:41:11.535: ICMP: dst (192.168.1.1) port unreachable rcv from 100.1.34.4

Verification on R2:
R2#debug ip icmp
ICMP packet debugging is on
R2#ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/272/388 ms
R2#
*Mar  1 01:40:15.199: ICMP: echo reply rcvd, src 5.5.5.5, dst 192.168.2.1
*Mar  1 01:40:15.515: ICMP: echo reply rcvd, src 5.5.5.5, dst 192.168.2.1
*Mar  1 01:40:15.615: ICMP: echo reply rcvd, src 5.5.5.5, dst 192.168.2.1
*Mar  1 01:40:16.007: ICMP: echo reply rcvd, src 5.5.5.5, dst 192.168.2.1
R2#
*Ma


4. NAT is not required on R3 here; instead R4 and R5 are given static routes so that traffic can return to the intranet.
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ip route 0.0.0.0 0.0.0.0 100.1.34.3
R4(config)#

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#
R5(config)#ip route 0.0.0.0 0.0.0.0 100.1.35.3
R5(config)#
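To make the forwarding decision of steps 3 and 4 concrete, here is a small simulator written for this page (it is not IOS code and not part of the lab). It models what IOS does in this order: the route-map bound with `ip policy` to the ingress interface is evaluated first, using the standard ACL's wildcard mask and its implicit deny, and only when no permit sequence matches does the packet fall back to the destination-based routing table. The ACLs, route-maps, `ip policy` bindings and static default routes are taken from the page; the routing tables are an assumption that contains only the connected networks shown in `show ip int br` plus the static defaults from step 4. The model goes slightly beyond the page by also handling a deny sequence and an unmatched source address.

```python
# Constructed simulator of R3's PBR decision and the R4/R5 return path.
# Not IOS code: a simplified model built from the addresses, ACLs,
# route-maps and static routes shown in this lab.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    network: str
    wildcard: str


def acl_permits(acl: List[AclEntry], src: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if wildcard_match(src, entry.network, entry.wildcard):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    action: str                 # "permit" or "deny"
    match_acl: Optional[str]    # standard ACL number; None matches every packet
    next_hop: Optional[str]     # value of "set ip next-hop"


@dataclass
class Route:
    prefix: str                 # e.g. "192.168.1.0/24"
    next_hop: Optional[str]     # None for a directly connected network
    interface: str


@dataclass
class Router:
    name: str
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    route_maps: Dict[str, List[RouteMapSeq]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)  # ingress interface -> route-map
    table: List[Route] = field(default_factory=list)


def policy_route(route_map: List[RouteMapSeq], acls, src: str) -> Optional[str]:
    """Next hop chosen by PBR, or None to fall back to the routing table."""
    for seq in route_map:
        if seq.match_acl is None or acl_permits(acls[seq.match_acl], src):
            # A deny sequence (or a permit without a set clause) means normal routing.
            return seq.next_hop if seq.action == "permit" else None
    return None


def lpm(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the routing table does when PBR does not apply."""
    d = ipaddress.IPv4Address(dst)
    hits = [r for r in table if d in ipaddress.IPv4Network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.IPv4Network(r.prefix).prefixlen, default=None)


def forward(router: Router, ingress_if: str, src: str, dst: str) -> Optional[str]:
    """IOS order: PBR on the ingress interface first, then the routing table.
    Returns a next-hop address, 'connected:<interface>' or None (no route)."""
    rm_name = router.policy.get(ingress_if)
    if rm_name:
        nh = policy_route(router.route_maps[rm_name], router.acls, src)
        if nh is not None:
            return nh
    route = lpm(router.table, dst)
    if route is None:
        return None
    return route.next_hop or f"connected:{route.interface}"


# R3 as configured in steps 1 and 3; the table is assumed to hold only connected routes.
R3 = Router(
    "R3",
    acls={"1": [AclEntry("permit", "192.168.1.0", "0.0.0.255")],
          "2": [AclEntry("permit", "192.168.2.0", "0.0.0.255")]},
    route_maps={"r4": [RouteMapSeq("permit", "1", "100.1.34.4")],
                "r5": [RouteMapSeq("permit", "2", "100.1.35.5")]},
    policy={"FastEthernet0/0": "r4", "FastEthernet1/0": "r5"},
    table=[Route("192.168.1.0/24", None, "FastEthernet0/0"),
           Route("192.168.2.0/24", None, "FastEthernet1/0"),
           Route("100.1.34.0/24", None, "FastEthernet2/0"),
           Route("100.1.35.0/24", None, "FastEthernet3/0")],
)
# R4 and R5 after step 4: the connected link plus the static default back to R3.
R4 = Router("R4", table=[Route("100.1.34.0/24", None, "FastEthernet3/0"),
                         Route("0.0.0.0/0", "100.1.34.3", "FastEthernet3/0")])
R5 = Router("R5", table=[Route("100.1.35.0/24", None, "FastEthernet2/0"),
                         Route("0.0.0.0/0", "100.1.35.3", "FastEthernet2/0")])

if __name__ == "__main__":
    print(forward(R3, "FastEthernet0/0", "192.168.1.1", "4.4.4.4"))  # 100.1.34.4 via r4
    print(forward(R3, "FastEthernet1/0", "192.168.2.1", "5.5.5.5"))  # 100.1.35.5 via r5
    print(forward(R3, "FastEthernet0/0", "192.168.2.1", "5.5.5.5"))  # None: r4 does not match
    print(forward(R4, "FastEthernet3/0", "4.4.4.4", "192.168.1.1"))  # 100.1.34.3 return path
```

Two points the model makes visible: the policy is bound to the ingress interface and keyed on the source address, so a packet with a 192.168.2.x source arriving on Fa0/0 is not steered by `r4` and falls through to ordinary destination routing; and the R4/R5 static defaults are what make the reply path work, since the PBR next hop on R3 says nothing about how 4.4.4.4 or 5.5.5.5 get back to 192.168.x.0. On the real routers, the `Policy routing matches` counters in `show route-map` and the `FIB policy routed` lines from `debug ip policy` shown above are the way to confirm which sequence a given packet hit.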


---------

[Assignment requirements]
1. Build the topology in GNS3 and complete the project as required;
2. Package the entire GNS3 project folder as an archive and upload it as an attachment; name the archive "Name-Route-map-2".

*** Write a lab report: compile the steps, results and reasoning of the whole assignment into a Word, PDF or PPT document and upload it, named "Name-Assignment name".
