Lab topology
Lab requirements
1. R2 is the ISP; only IP addresses may be configured on it.
2. The R1-R2 link uses HDLC encapsulation.
3. The R2-R3 link uses PPP encapsulation with PAP authentication; R2 is the authenticator.
4. The R2-R4 link uses PPP encapsulation with CHAP authentication; R2 is the authenticator.
5. R1, R2, R3 and R4 build an MGRE environment; only R1's IP address is fixed.
6. The internal network learns routes via RIP; all PCs can reach each other and can reach R2's loopback.
Lab steps
First, configure addresses on each router.
The public IP addresses are arbitrary; I used 12.1.1.0/24, 23.1.1.0/24 and 24.1.1.0/24.
R1
[Huawei]sys
[Huawei]sys r1
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[r1]int s4/0/0
[r1-Serial4/0/0]ip add 12.1.1.1 24
R2
[r2]sys ISP
[ISP]int s4/0/0
[ISP-Serial4/0/0]ip add 12.1.1.2 24
[ISP]int s4/0/1
[ISP-Serial4/0/1]ip add 23.1.1.1 24
[ISP-Serial4/0/1]q
[ISP]int s3/0/0
[ISP-Serial3/0/0]ip add 24.1.1.1 24
[ISP-Serial3/0/0]q
[ISP]int lo0
[ISP-LoopBack0]ip add 2.2.2.2 24
R3
[Huawei]sys r3
[r3]int s4/0/0
[r3-Serial4/0/0]ip add 23.1.1.2 24
[r3-Serial4/0/0]
Jul 18 2022 15:29:19-08:00 r3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol PPP
IPCP on the interface Serial4/0/0 has entered the UP state.
[r3-Serial4/0/0]q
[r3]int g0/0/0
[r3-GigabitEthernet0/0/0]ip add 192.168.2.1 24
R4
[Huawei]sys r4
[r4]int s4/0/0
[r4-Serial4/0/0]ip add 24.1.1.2 24
[r4-Serial4/0/0]
Jul 18 2022 15:30:13-08:00 r4 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol PPP
IPCP on the interface Serial4/0/0 has entered the UP state.
[r4-Serial4/0/0]q
[r4]int g0/0/0
[r4-GigabitEthernet0/0/0]ip add 192.168.3.1 24
All PCs use manually configured addresses.
Change the encapsulation between R1 and R2
[r1-Serial4/0/0]link-protocol hd
[r1-Serial4/0/0]link-protocol hdlc
[r2]int s4/0/0
[r2-Serial4/0/0]link
[r2-Serial4/0/0]link-protocol hd
[r2-Serial4/0/0]link-protocol hdlc
Then configure PAP and CHAP authentication between R2 and R3/R4
Configuration on R2
[ISP]aaa
[ISP-aaa]lo
[ISP-aaa]local-user huawei pa
[ISP-aaa]local-user huawei password ci
[ISP-aaa]local-user huawei password cipher huawei
Info: Add a new user.
[ISP-aaa]loc
[ISP-aaa]local-user huawei au
[ISP-aaa]local-user huawei ?
access-limit Set access limit of user(s)
ftp-directory Set user(s) FTP directory permitted
idle-timeout Set the timeout period for terminal user(s)
password Set password
privilege Set admin user(s) level
service-type Service types for authorized user(s)
state Activate/Block the user(s)
user-group User group
[ISP-aaa]local-user huawei ser
[ISP-aaa]local-user huawei service-type ?
8021x 802.1x user
bind Bind authentication user
ftp FTP user
http Http user
ppp PPP user
ssh SSH user
sslvpn Sslvpn user
telnet Telnet user
terminal Terminal user
web Web authentication user
x25-pad X25-pad user
[ISP-aaa]local-user huawei service-type ppp
[ISP-aaa]q
[ISP]int s4/0/1
[ISP-Serial4/0/1]ppp ai
[ISP-Serial4/0/1]ppp au
[ISP-Serial4/0/1]ppp authentication-mode pap
On R3
[r3]int s4/0/0
[r3-Serial4/0/0]ppp ?
authentication-mode Specify PPP authentication-mode
chap Specify CHAP parameters
ipcp Specify IPCP parameters
mp Multilink PPP
pap Specify PAP parameters
timer Specify timer
[r3-Serial4/0/0]ppp pap lo
[r3-Serial4/0/0]ppp pap local-user huawei pa
[r3-Serial4/0/0]ppp pap local-user huawei password c
[r3-Serial4/0/0]ppp pap local-user huawei password cipher huawei
PAP authentication is done.
Next is CHAP authentication.
On R2
[r2]aaa
[r2-aaa]loc
[r2-aaa]local-user a pa
[r2-aaa]local-user a password ci
[r2-aaa]local-user a password cipher 12345
Info: Add a new user.
[r2-aaa]loc
[r2-aaa]local-user a au
[r2-aaa]local-user a ser
[r2-aaa]local-user a service-type ?
8021x 802.1x user
bind Bind authentication user
ftp FTP user
http Http user
ppp PPP user
ssh SSH user
sslvpn Sslvpn user
telnet Telnet user
terminal Terminal user
web Web authentication user
x25-pad X25-pad user
[r2-aaa]local-user a service-type ppp
[r2-aaa]q
[r2]int s3/0/0
[r2-Serial3/0/0]ppp au
[r2-Serial3/0/0]ppp authentication-mode ?
chap Enable CHAP authentication
pap Enable PAP authentication
[r2-Serial3/0/0]ppp authentication-mode chap
On R4
[r4]int s4/0/0
[r4-Serial4/0/0]ppp ?
authentication-mode Specify PPP authentication-mode
chap Specify CHAP parameters
ipcp Specify IPCP parameters
mp Multilink PPP
pap Specify PAP parameters
timer Specify timer
[r4-Serial4/0/0]ppp chap ?
password Specify user password
user Specify user name
[r4-Serial4/0/0]ppp chap us
[r4-Serial4/0/0]ppp chap user a
[r4-Serial4/0/0]ppp chap pa
[r4-Serial4/0/0]ppp chap password 12345
^
Error: Unrecognized command found at '^' position.
[r4-Serial4/0/0]ppp chap password ci
[r4-Serial4/0/0]ppp chap password cipher 12345
CHAP authentication is done.
If you want to verify it, shutdown the interface, then undo shutdown it, and capture the exchange with a packet-capture tool; you can see it directly.
Next, the hub-to-spoke MGRE
On the hub R1
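As an added example (not part of this lab), the following Python model shows what such a capture makes visible on the two links, using the lab's own credentials: PAP (RFC 1334) carries huawei/huawei in cleartext, while CHAP (RFC 1994) carries only a challenge and MD5(Identifier || secret || Challenge), so the a/12345 secret never appears on the wire. The model keeps only the authentication fields (no PPP/CHAP headers), and the challenge is a constructed value.

```python
import hashlib

# R2 (ISP) is the authenticator on both serial links; this mirrors its
# local-user database from the lab: huawei/huawei (PAP) and a/12345 (CHAP).
ISP_USERS = {"huawei": "huawei", "a": "12345"}

def pap_request(user: str, password: str) -> bytes:
    """PAP Authenticate-Request fields (RFC 1334): both travel in cleartext."""
    u, p = user.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p

def pap_verify(payload: bytes) -> bool:
    """What R2 does under 'ppp authentication-mode pap': compare the literal password."""
    ulen = payload[0]
    user = payload[1:1 + ulen].decode()
    plen = payload[1 + ulen]
    password = payload[2 + ulen:2 + ulen + plen].decode()
    return ISP_USERS.get(user) == password

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP Response value (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_verify(ident: int, challenge: bytes, name: str, value: bytes) -> bool:
    """R2 recomputes the hash with its own copy of the secret for user 'name'."""
    secret = ISP_USERS.get(name)
    return secret is not None and chap_response(ident, secret, challenge) == value

def secret_on_wire(frame: bytes, secret: str) -> bool:
    """The check a packet capture makes visible: does the secret appear verbatim?"""
    return secret.encode() in frame

def demo() -> dict:
    # R3 -> R2 on Serial4/0/1 (PAP)
    pap_frame = pap_request("huawei", "huawei")
    # R2 -> R4 challenge and R4 -> R2 response on Serial3/0/0 (CHAP); the
    # challenge is a constructed value, a real one is random per attempt
    ident, challenge = 1, bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    response = chap_response(ident, "12345", challenge)
    bad_response = chap_response(ident, "wrong", challenge)
    return {
        "pap_accepted": pap_verify(pap_frame),
        "pap_secret_visible": secret_on_wire(pap_frame, "huawei"),
        "chap_accepted": chap_verify(ident, challenge, "a", response),
        "chap_secret_visible": secret_on_wire(bytes([ident]) + challenge + response, "12345"),
        "chap_wrong_secret": chap_verify(ident, challenge, "a", bad_response),
    }
```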
[r1]int t0/0/0
[r1-Tunnel0/0/0]ip add 10.1.1.1 24
[r1-Tunnel0/0/0]tun
[r1-Tunnel0/0/0]tunnel-protocol ?
gre Generic Routing Encapsulation
ipsec IPSEC Encapsulation
ipv4-ipv6 IP over IPv6 encapsulation
ipv6-ipv4 IPv6 over IP encapsulation
mpls MPLS Encapsulation
none Null Encapsulation
[r1-Tunnel0/0/0]tunnel-protocol gre ?
p2mp Point to multi-point GRE mode
<cr> Please press ENTER to execute command
[r1-Tunnel0/0/0]tunnel-protocol gre p
[r1-Tunnel0/0/0]tunnel-protocol gre p2mp
[r1-Tunnel0/0/0]source 12.1.1.1
[r1-Tunnel0/0/0]nhrp en
[r1-Tunnel0/0/0]nhrp entry ?
IP_ADDR<X.X.X.X> IP address
holdtime NHRP entry holdtime
multicast IP multicast
[r1-Tunnel0/0/0]nhrp entry mu
[r1-Tunnel0/0/0]nhrp entry multicast ?
dynamic Allow NHRP to automatically add routers to the multicast NHRP
mappings
[r1-Tunnel0/0/0]nhrp entry multicast dy
[r1-Tunnel0/0/0]nhrp entry multicast dynamic
[r1-Tunnel0/0/0]nhrp network-id 100
Then you can use display this to check the current configuration
[r1-Tunnel0/0/0]display this
[V200R003C00]
#
interface Tunnel0/0/0
ip address 10.1.1.1 255.255.255.0
tunnel-protocol gre p2mp
source 12.1.1.1
nhrp entry multicast dynamic
nhrp network-id 100
#
On R3
[r3]int t0/0/0
[r3-Tunnel0/0/0]ip add 10.1.1.2 24
[r3-Tunnel0/0/0]tun
[r3-Tunnel0/0/0]tunnel-protocol gre p2
[r3-Tunnel0/0/0]tunnel-protocol gre p2mp
[r3-Tunnel0/0/0]sou
[r3-Tunnel0/0/0]source s4/0/0
Jul 18 2022 16:00:46-08:00 r3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface Tunnel0/0/0 has entered the UP state.
[r3-Tunnel0/0/0]
[r3-Tunnel0/0/0]nhrp en
[r3-Tunnel0/0/0]nhrp entry 10.1.1.1 12.1.1.1 re
[r3-Tunnel0/0/0]nhrp entry 10.1.1.1 12.1.1.1 register
[r3-Tunnel0/0/0]nhrp entry 10.1.1.1 12.1.1.1 register
[r3-Tunnel0/0/0]nhrp net
[r3-Tunnel0/0/0]nhrp network-id 100
The configuration on R4 is done the same way as on R3.
Next, write the relevant routes.
Write the default routes on R1, R3 and R4 pointing to the public network
[r1]ip route-s
[r1]ip route-static 0.0.0.0 0 12.1.1.2
[r3]ip route-s
[r3]ip route-static 0.0.0.0 0 23.1.1.1
[r4]ip route-s
[r4]ip route-static 0.0.0.0 0 24.1.1.1
Since the private networks are accessing the public network, address translation is needed here, implemented with NAT
[r1]acl 2000
[r1-acl-basic-2000]rule 1 per
[r1-acl-basic-2000]rule 1 permit sour
[r1-acl-basic-2000]rule 1 permit source any
[r1-acl-basic-2000]q
[r1]int
[r1]interface s4/0/0
[r1-Serial4/0/0]nat ou
[r1-Serial4/0/0]nat outbound 2000
On R3
[r3]acl 2000
[r3-acl-basic-2000]rule 1 per
[r3-acl-basic-2000]rule 1 permit sour
[r3-acl-basic-2000]rule 1 permit source any
[r3-acl-basic-2000]q
[r3]int s4/0/0
[r3-Serial4/0/0]nat out
[r3-Serial4/0/0]nat outbound 2000
The same on R4
Ping R2's loopback from a PC
PC>ping 2.2.2.2
Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=254 time=46 ms
From 2.2.2.2: bytes=32 seq=2 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=3 ttl=254 time=31 ms
From 2.2.2.2: bytes=32 seq=4 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=5 ttl=254 time=31 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/28/46 ms
We can see that the PCs can all reach R2's loopback.
Then use RIP to get the private network running
On R1
[r1]rip 1
[r1-rip-1]vers
[r1-rip-1]version 2
[r1-rip-1]net
[r1-rip-1]network 192.168.1.0
[r1-rip-1]net
[r1-rip-1]network 10.0.0.0
On R3
[r3]rip 1
[r3-rip-1]ver 2
[r3-rip-1]net
[r3-rip-1]network 192.168.2.0
[r3-rip-1]net
[r3-rip-1]network 23.0.0.0
[r3-rip-1]
[r3-rip-1]dis
[r3-rip-1]display this
[V200R003C00]
#
[r3]rip 1
[r3]version 2
[r3-rip-1]network 192.168.2.0
[r3-rip-1]net
[r3-rip-1]network 10.0.0.0
On R4
[r4]rip 1
[r4-rip-1]ver 2
[r4-rip-1]net
[r4-rip-1]network 192.168.3.0
[r4-rip-1]net
[r4-rip-1]network 10.0.0.0
With these network statements it is basically running (RIP network statements are classful, i.e. major-network advertisements).
Next we can test
Ping PC2 from PC1
PC>ping 192.168.2.2
Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.2: bytes=32 seq=2 ttl=126 time=32 ms
From 192.168.2.2: bytes=32 seq=3 ttl=126 time=31 ms
From 192.168.2.2: bytes=32 seq=4 ttl=126 time=15 ms
From 192.168.2.2: bytes=32 seq=5 ttl=126 time=32 ms
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/27/32 ms
It works.
Pinging PC3 from PC2, however, does not work.
Check R3's routing table for the routes learned via RIP.
[r3]display ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : RIP
Destinations : 1 Routes : 1
RIP routing table status : <Active>
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.1.0/24 RIP 100 1 D 10.1.1.1 Tunnel0/0/0
RIP routing table status : <Inactive>
Destinations : 0 Routes : 0
So it is not hard to see why: the protocol here is RIP, which has a split-horizon mechanism. The hub R1 learned both spoke prefixes on Tunnel0/0/0, and split horizon stops it from advertising them back out of that same interface, so R3 only ever receives 192.168.1.0/24.
So we need to disable split horizon on the Tunnel interface of the hub R1
[r1]int t0/0/0
[r1-Tunnel0/0/0]undo rip sp
[r1-Tunnel0/0/0]undo rip split-horizon
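As an added example (not from the original lab), this Python model replays the RIP exchange over the p2mp GRE tunnel and reproduces R3's single-route table from the display above, then shows what changes once split horizon is turned off on R1's Tunnel0/0/0. The prefixes and the R1/R3 tunnel addresses are the lab's own; R4's tunnel address 10.1.1.3 is an assumption, since the page does not state it.

```python
from typing import Dict, List, Tuple

# table entry: prefix -> (cost, learned-from, interface it was learned on)
Entry = Tuple[int, str, str]

class Router:
    def __init__(self, name: str, connected: Dict[str, str]):
        self.name = name
        self.table: Dict[str, Entry] = {
            prefix: (0, "Direct", ifname) for prefix, ifname in connected.items()}
        self.split_horizon: Dict[str, bool] = {}  # per interface, default on

    def advertisement(self, out_if: str) -> List[Tuple[str, int]]:
        """RIP update sent out of out_if. Split horizon withholds any route that
        was itself learned through out_if; on a p2mp hub that hides spoke from spoke."""
        update = []
        for prefix, (cost, via, in_if) in self.table.items():
            if via != "Direct" and in_if == out_if and self.split_horizon.get(out_if, True):
                continue
            update.append((prefix, cost + 1))
        return update

    def receive(self, in_if: str, neighbor: str, update: List[Tuple[str, int]]) -> None:
        for prefix, cost in update:
            current = self.table.get(prefix)
            if cost < 16 and (current is None or cost < current[0]):
                self.table[prefix] = (cost, neighbor, in_if)

def rip_routes(hub_split_horizon: bool) -> Dict[str, List[str]]:
    """Returns the RIP-learned prefixes on each router after convergence."""
    # Tunnel addresses from the lab: R1 10.1.1.1, R3 10.1.1.2; R4 10.1.1.3 is assumed
    r1 = Router("R1", {"192.168.1.0/24": "GE0/0/0", "10.1.1.0/24": "Tunnel0/0/0"})
    r3 = Router("R3", {"192.168.2.0/24": "GE0/0/0", "10.1.1.0/24": "Tunnel0/0/0"})
    r4 = Router("R4", {"192.168.3.0/24": "GE0/0/0", "10.1.1.0/24": "Tunnel0/0/0"})
    r1.split_horizon["Tunnel0/0/0"] = hub_split_horizon  # False = 'undo rip split-horizon'
    for _ in range(3):  # spokes exchange updates only with the hub over the p2mp tunnel
        r1.receive("Tunnel0/0/0", "10.1.1.2", r3.advertisement("Tunnel0/0/0"))
        r1.receive("Tunnel0/0/0", "10.1.1.3", r4.advertisement("Tunnel0/0/0"))
        hub_update = r1.advertisement("Tunnel0/0/0")
        r3.receive("Tunnel0/0/0", "10.1.1.1", hub_update)
        r4.receive("Tunnel0/0/0", "10.1.1.1", hub_update)
    return {r.name: sorted(p for p, (_c, via, _i) in r.table.items() if via != "Direct")
            for r in (r1, r3, r4)}
```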
Then ping PC3 from PC2
PC>ping 192.168.3.2
Ping 192.168.3.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.3.2: bytes=32 seq=2 ttl=125 time=32 ms
From 192.168.3.2: bytes=32 seq=3 ttl=125 time=31 ms
From 192.168.3.2: bytes=32 seq=4 ttl=125 time=32 ms
From 192.168.3.2: bytes=32 seq=5 ttl=125 time=31 ms
--- 192.168.3.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/31/32 ms