Lab objectives
Become familiar with using PBR and tunnels to implement VPN gateway redundancy for traffic in the outbound direction and VPN gateway redundancy in the inbound direction.
Master the configuration command lines and the verification methods.
Lab topology
Interface IP configuration
R1(config)#interface loopback 0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#interface loopback 1
R1(config-if)#ip address 10.11.11.11 255.255.255.0
R1(config)#interface e0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R2(config)#interface e0/1
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#interface e0/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown
R3(config)#interface e0/0
R3(config-if)#ip address 192.168.1.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#interface e0/1
R3(config-if)#ip address 35.35.35.3 255.255.255.0
R3(config-if)#no shutdown
R4(config)#interface e0/0
R4(config-if)#ip address 192.168.1.4 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#interface e1/0
R4(config-if)#ip address 45.45.45.4 255.255.255.0
R4(config-if)#no shutdown
R5(config)#interface e0/1
R5(config-if)#ip address 35.35.35.5 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#interface e0/0
R5(config-if)#ip address 56.56.56.5 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#interface e1/0
R5(config-if)#ip address 45.45.45.5 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#interface e1/1
R5(config-if)#ip address 57.57.57.5 255.255.255.0
R5(config-if)#no shutdown
R6(config)#interface e0/0
R6(config-if)#ip address 56.56.56.6 255.255.255.0
R6(config-if)#no shutdown
R6(config-if)#interface e0/1
R6(config-if)#ip address 192.168.2.6 255.255.255.0
R6(config-if)#no shutdown
R7(config)#interface e1/1
R7(config-if)#ip address 57.57.57.7 255.255.255.0
R7(config-if)#no shutdown
R7(config-if)#interface e0/1
R7(config-if)#ip address 192.168.2.7 255.255.255.0
R7(config-if)#no shutdown
R8(config)#interface e0/1
R8(config-if)#ip address 192.168.2.8 255.255.255.0
R8(config-if)#no shutdown
R8(config)#interface loopback 0
R8(config-if)#ip address 10.8.8.8 255.255.255.0
Basic routing protocol configuration
R1(config)#router ospf 2
R1(config-router)#network 10.1.1.1 0.0.0.0 area 0
R1(config-router)#network 10.11.11.11 0.0.0.0 area 0
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R2(config)#router ospf 2
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0
R2(config-router)#network 192.168.1.0 0.0.0.255 area 0
R3(config)#router ospf 2
R3(config-router)#network 192.168.1.0 0.0.0.255 area 0
R3(config-router)#router ospf 1
R3(config-router)#network 35.35.35.0 0.0.0.255 area 0
R4(config)#router ospf 2
R4(config-router)#network 192.168.1.0 0.0.0.255 area 0
R4(config-router)#router ospf 1
R4(config-router)#network 45.45.45.0 0.0.0.255 area 0
R5(config)#router ospf 1
R5(config-router)#network 35.35.35.0 0.0.0.255 area 0
R5(config-router)#network 56.56.56.0 0.0.0.255 area 0
R5(config-router)#network 45.45.45.0 0.0.0.255 area 0
R5(config-router)#network 57.57.57.0 0.0.0.255 area 0
R6(config)#router ospf 1
R6(config-router)#network 56.56.56.0 0.0.0.255 area 0
R6(config-router)#router ospf 2
R6(config-router)#network 192.168.2.0 0.0.0.255 area 0
R7(config)#router ospf 1
R7(config-router)#network 57.57.57.0 0.0.0.255 area 0
R7(config-router)#router ospf 2
R7(config-router)#network 192.168.2.0 0.0.0.255 area 0
R8(config)#router ospf 2
R8(config-router)#network 10.8.8.8 0.0.0.0 area 0
R8(config-router)#network 192.168.2.0 0.0.0.255 area 0
Check that the OSPF adjacencies have been established
R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.1.3 1 FULL/BDR 00:00:33 192.168.1.3 Ethernet0/0
192.168.1.4 1 FULL/DROTHER 00:00:34 192.168.1.4 Ethernet0/0
10.11.11.11 1 FULL/BDR 00:00:35 192.168.12.1 Ethernet0/1
R5#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.2.7 1 FULL/BDR 00:00:38 57.57.57.7 Ethernet1/1
45.45.45.4 1 FULL/BDR 00:00:32 45.45.45.4 Ethernet1/0
192.168.2.6 1 FULL/DR 00:00:37 56.56.56.6 Ethernet0/0
35.35.35.3 1 FULL/BDR 00:00:35 35.35.35.3 Ethernet0/1
R8#show ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
56.56.56.6 1 FULL/DR 00:00:37 192.168.2.6 Ethernet0/1
57.57.57.7 1 FULL/BDR 00:00:34 192.168.2.7 Ethernet0/1
Create tunnels on R3, R4, R6 and R7 and advertise them into OSPF so that R1 and R8 can exchange routing information.
R3(config)#interface tunnel 36
R3(config-if)#ip address 172.16.36.3 255.255.255.0
R3(config-if)#tunnel source e0/1
R3(config-if)#tunnel destination 56.56.56.6
R3(config-if)#tunnel mode gre ip
R3(config-if)#ip ospf 2 area 0
R3(config-if)#interface tunnel 37
R3(config-if)#ip address 172.16.37.3 255.255.255.0
R3(config-if)#tunnel source e0/1
R3(config-if)#tunnel destination 57.57.57.7
R3(config-if)#tunnel mode gre ip
R3(config-if)#ip ospf 2 area 0
R3(config-if)#ip ospf cost 20000
R4(config)#interface tunnel 47
R4(config-if)#ip address 172.16.47.4 255.255.255.0
R4(config-if)#tunnel source e1/0
R4(config-if)#tunnel destination 57.57.57.7
R4(config-if)#tunnel mode gre ip
R4(config-if)#ip ospf 2 area 0
R4(config-if)#interface tunnel 46
R4(config-if)#ip add 172.16.46.4 255.255.255.0
R4(config-if)#tunnel source e1/0
R4(config-if)#tunnel destination 56.56.56.6
R4(config-if)#tunnel mode gre ip
R4(config-if)#ip ospf 2 area 0
R4(config-if)#ip ospf cost 20000
R6(config)#interface tunnel 36
R6(config-if)#ip address 172.16.36.6 255.255.255.0
R6(config-if)#tunnel source e0/0
R6(config-if)#tunnel destination 35.35.35.3
R6(config-if)#tunnel mode gre ip
R6(config-if)#ip ospf 2 area 0
R6(config-if)#interface tunnel 46
R6(config-if)#ip address 172.16.46.6 255.255.255.0
R6(config-if)#tunnel source e0/0
R6(config-if)#tunnel destination 45.45.45.4
R6(config-if)#tunnel mode gre ip
R6(config-if)#ip ospf 2 area 0
R7(config)#interface tunnel 37
R7(config-if)#ip address 172.16.37.7 255.255.255.0
R7(config-if)#tunnel source e1/1
R7(config-if)#tunnel destination 35.35.35.3
R7(config-if)#tunnel mode gre ip
R7(config-if)#ip ospf 2 area 0
R7(config-if)#interface tunnel 47
R7(config-if)#ip address 172.16.47.7 255.255.255.0
R7(config-if)#tunnel source e1/1
R7(config-if)#tunnel destination 45.45.45.4
R7(config-if)#tunnel mode gre ip
R7(config-if)#ip ospf 2 area 0
After the above configuration is complete, confirm that R3 prefers R6 to reach 10.8.8.0 and that R4 prefers R7 to reach 10.8.8.0, while R1 and R8 can still communicate normally.
R1#ping 10.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R3#traceroute 10.8.8.8
Type escape sequence to abort.
Tracing the route to 10.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.36.6 5 msec 1 msec 0 msec
2 192.168.2.8 1 msec 2 msec
R4#traceroute 10.8.8.8
Type escape sequence to abort.
Tracing the route to 10.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.47.7 1 msec 1 msec 0 msec
2 192.168.2.8 1 msec 1 msec *
Configure PBR on R2: traffic sourced from 10.1.1.0 towards 10.8.8.0 prefers R3, traffic sourced from 10.11.11.0 towards 10.8.8.0 prefers R4.
R3(config)#ip sla responder //make R3 answer SLA probes
R4(config)#ip sla responder
R2(config)#ip sla 1
R2(config-ip-sla)#icmp-echo 192.168.1.3 source-ip 192.168.1.2
//define SLA 1: ping 192.168.1.3 from source 192.168.1.2 every 10 seconds
R2(config-ip-sla-echo)#frequency 10
R2(config)#ip sla schedule 1 life forever start-time now
//SLA 1 runs forever and takes effect immediately.
R2(config)#ip sla 2
R2(config-ip-sla)#icmp-echo 192.168.1.4 source-ip 192.168.1.2
R2(config-ip-sla-echo)#frequency 10
R2(config-ip-sla-echo)#ip sla schedule 2 life forever start-time now
R2(config)#track 1 ip sla 1 reachability
//define tracked object 1, which tracks the reachability result of SLA 1.
R2(config)#track 2 ip sla 2 reachability
R2(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.8.8.0 0.0.0.255
R2(config)#access-list 101 permit ip 10.11.11.0 0.0.0.255 10.8.8.0 0.0.0.255
R2(config)#route-map pbr
R2(config-route-map)#match ip address 100
R2(config-route-map)#set ip next-hop verify-availability 192.168.1.3 10 track 1
//first next-hop; it is used only while tracked object 1 is up, otherwise traffic moves to the second next-hop
R2(config-route-map)#set ip next-hop verify-availability 192.168.1.4 11 track 2 //second next-hop, gated by track 2 (the probe to R4), not by track 1
R2(config)#route-map pbr 20
R2(config-route-map)#match ip address 101
R2(config-route-map)#set ip next-hop verify-availability 192.168.1.4 10 track 2
R2(config-route-map)#set ip next-hop verify-availability 192.168.1.3 11 track 1
R2(config)#interface e0/1
R2(config-if)#ip policy route-map pbr
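As an added example (not part of the original lab), the following Python model evaluates the R2 route-map the way verify-availability does: entries in sequence order, ACL wildcard matching, the first next-hop whose tracked object is up wins, and a fall-through to normal routing when none is. The embedded configuration is a constructed copy of the R2 PBR above in which the fallback next-hop of the first entry is deliberately gated by track 1 (the probe to R3), which shows why that hop must be tied to the track that probes R4 instead.

```python
import ipaddress, re
# Constructed sample mirroring R2's PBR configuration in this lab (not a device dump). The second
# next-hop of sequence 10 is gated by track 1 (the probe to R3) on purpose, to show the failure mode.
R2_PBR = """access-list 100 permit ip 10.1.1.0 0.0.0.255 10.8.8.0 0.0.0.255
access-list 101 permit ip 10.11.11.0 0.0.0.255 10.8.8.0 0.0.0.255
route-map pbr permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.1.3 10 track 1
 set ip next-hop verify-availability 192.168.1.4 11 track 1
route-map pbr permit 20
 match ip address 101
 set ip next-hop verify-availability 192.168.1.4 10 track 2
 set ip next-hop verify-availability 192.168.1.3 11 track 1"""
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")
SEQ_RE = re.compile(r"^route-map \S+ permit (\d+)")
MATCH_RE = re.compile(r"^\s+match ip address (\d+)")
NH_RE = re.compile(r"^\s+set ip next-hop verify-availability (\S+) (\d+) track (\d+)")
def wildcard_match(addr, base, wildcard):
    """IOS ACL wildcard: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_pbr(config):
    """Return {acl: [(src, src_wc, dst, dst_wc), ...]} and the route-map entries in config order."""
    acls, entries, cur = {}, [], None
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := SEQ_RE.match(line):
            cur = {"seq": int(m.group(1)), "acl": None, "hops": []}
            entries.append(cur)
        elif (m := MATCH_RE.match(line)) and cur:
            cur["acl"] = m.group(1)
        elif (m := NH_RE.match(line)) and cur:
            cur["hops"].append((int(m.group(2)), m.group(1), m.group(3)))  # (seq, next-hop, track)
    return acls, entries

def pbr_next_hop(config, track_up, src, dst):
    """Next-hop R2 would apply to src->dst given {track id: up?}, or None when the packet falls
    through to normal destination-based routing (no entry matched, or every tracked hop is down)."""
    acls, entries = parse_pbr(config)
    for e in sorted(entries, key=lambda e: e["seq"]):
        rules = acls.get(e["acl"], [])
        if not any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw) for s, sw, d, dw in rules):
            continue
        for _, hop, track in sorted(e["hops"]):  # next-hops are tried in sequence order
            if track_up.get(track, False):
                return hop
        return None  # entry matched, but no verified next-hop is available
    return None
```

With R3 down (track 1 down), traffic from 10.1.1.0 gets no policy next-hop at all under the sample, because its fallback to R4 is also gated by track 1; re-tying that hop to track 2 restores the failover to R4.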
Verify the result
R1#traceroute 10.8.8.8 source 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.12.2 2 msec 1 msec 5 msec
2 192.168.1.3 0 msec 1 msec 1 msec
3 172.16.36.6 1 msec 2 msec 1 msec
4 192.168.2.8 1 msec 3 msec *
R1#traceroute 10.8.8.8 source 10.11.11.11
Type escape sequence to abort.
Tracing the route to 10.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.12.2 0 msec 0 msec 6 msec
2 192.168.1.4 1 msec 1 msec 2 msec
3 172.16.47.7 1 msec 4 msec 1 msec
4 192.168.2.8 4 msec 2 msec *
VPN configuration on R3, R4, R6 and R7.
R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share
R3(config)#crypto isakmp key cisco address 172.16.36.6
R3(config)#crypto isakmp key cisco address 172.16.37.7
R3(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.8.8.0 0.0.0.255
R3(config)#access-list 100 permit ip 10.11.11.0 0.0.0.255 10.8.8.0 0.0.0.255
R3(config)#crypto ipsec transform-set r3-tr esp-des esp-md5-hmac //legacy algorithms kept as in the lab; production deployments use AES and SHA-2
R3(cfg-crypto-trans)#mode tunnel
R3(config)#crypto map r36 1 ipsec-isakmp
R3(config-crypto-map)#set peer 172.16.36.6
R3(config-crypto-map)#set transform-set r3-tr
R3(config-crypto-map)#match address 100
R3(config)#crypto map r37 1 ipsec-isakmp
R3(config-crypto-map)#set peer 172.16.37.7
R3(config-crypto-map)#set transform-set r3-tr
R3(config-crypto-map)#match address 100
R3(config)#interface tunnel 36
R3(config-if)#crypto map r36
R3(config-if)#interface tunnel 37
R3(config-if)#crypto map r37
R4(config)#crypto isakmp enable
R4(config)#crypto isakmp policy 1
R4(config-isakmp)#authentication pre-share
R4(config)#crypto isakmp key cisco address 172.16.46.6
R4(config)#crypto isakmp key cisco address 172.16.47.7
R4(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.8.8.0 0.0.0.255
R4(config)#access-list 100 permit ip 10.11.11.0 0.0.0.255 10.8.8.0 0.0.0.255
R4(config)#crypto ipsec transform-set r4-tr esp-des esp-md5-hmac
R4(cfg-crypto-trans)#mode tunnel
R4(config)#crypto map r46 1 ipsec-isakmp
R4(config-crypto-map)#set peer 172.16.46.6
R4(config-crypto-map)#set transform-set r4-tr
R4(config-crypto-map)#match address 100
R4(config)#crypto map r47 1 ipsec-isakmp
R4(config-crypto-map)#set peer 172.16.47.7
R4(config-crypto-map)#set transform-set r4-tr
R4(config-crypto-map)#match address 100
R4(config)#interface tunnel 46
R4(config-if)#crypto map r46
R4(config-if)#interface tunnel 47
R4(config-if)#crypto map r47
R6(config)#crypto isakmp policy 1
R6(config-isakmp)#authentication pre-share
R6(config)#crypto isakmp key cisco address 172.16.36.3
R6(config)#crypto isakmp key cisco address 172.16.46.4
R6(config)#access-list 100 permit ip 10.8.8.0 0.0.0.255 any
R6(config)#crypto ipsec transform-set r6-tr esp-des esp-md5-hmac
R6(cfg-crypto-trans)#mode tunnel
R6(config)#crypto map r36 1 ipsec-isakmp
R6(config-crypto-map)#set peer 172.16.36.3
R6(config-crypto-map)#set transform-set r6-tr
R6(config-crypto-map)#match address 100
R6(config-crypto-map)#crypto map r46 1 ipsec-isakmp
R6(config-crypto-map)#set peer 172.16.46.4
R6(config-crypto-map)#set transform-set r6-tr
R6(config-crypto-map)#match address 100
R6(config)#interface tunnel 36
R6(config-if)#crypto map r36
R6(config-if)#interface tunnel 46
R6(config-if)#crypto map r46
R7(config)#crypto isakmp enable
R7(config)#crypto isakmp policy 1
R7(config-isakmp)#authentication pre-share
R7(config)#crypto isakmp key cisco address 172.16.37.3
R7(config)#crypto isakmp key cisco address 172.16.47.4
R7(config)#access-list 100 permit ip 10.8.8.0 0.0.0.255 any
R7(config)#crypto ipsec transform-set r7-tr esp-des esp-md5-hmac
R7(cfg-crypto-trans)#mode tunnel
R7(config)#crypto map r37 1 ipsec-isakmp
R7(config-crypto-map)#set peer 172.16.37.3
R7(config-crypto-map)#set transform-set r7-tr
R7(config-crypto-map)#match address 100
R7(config-crypto-map)#crypto map r47 1 ipsec-isakmp
R7(config-crypto-map)#set peer 172.16.47.4
R7(config-crypto-map)#set transform-set r7-tr
R7(config-crypto-map)#match address 100
R7(config)#interface tunnel 37
R7(config-if)#crypto map r37
R7(config-if)#interface tunnel 47
R7(config-if)#crypto map r47
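Four routers with two crypto maps each is enough to mistype a peer address or forget a transform set, and ISAKMP simply never completes. As an added example (not from the lab), this Python check parses per-router configuration in the shape used above and verifies that every tunnel-bound crypto map has a transform set and that its peer is a tunnel address on another router whose own bound crypto map points back. The embedded sample is constructed and deliberately contains both slips on R4's map r46.

```python
import re
# Constructed sample following this lab's tunnel/crypto-map layout (not a device dump); R4's map r46
# carries a mistyped peer (172.16.6 instead of 172.16.46.6) and no transform set, so the check has findings.
CONFIGS = {
    "R4": """interface Tunnel46
 ip address 172.16.46.4 255.255.255.0
 crypto map r46
crypto map r46 1 ipsec-isakmp
 set peer 172.16.6
 match address 100""",
    "R6": """interface Tunnel46
 ip address 172.16.46.6 255.255.255.0
 crypto map r46
crypto map r46 1 ipsec-isakmp
 set peer 172.16.46.4
 set transform-set r6-tr
 match address 100""",
}
# indented sub-commands we care about -> key in the enclosing interface or crypto-map record
KEYS = {"ip address": "ip", "crypto map": "map", "set peer": "peer", "set transform-set": "transform"}

def parse_crypto(cfg):
    """One router: {tunnel: {'ip', 'map'}} and {crypto map: {'peer', 'transform'}}."""
    ifaces, maps, cur = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):  # unindented = global command
            cur = ifaces[m.group(1)] = {"ip": None, "map": None}
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cur = maps[m.group(1)] = {"peer": None, "transform": None}
        elif cur is not None and (m := re.match(r"\s+(ip address|crypto map|set peer|set transform-set) (\S+)", line)):
            cur[KEYS[m.group(1)]] = m.group(2)
    return ifaces, maps

def check_crypto_peers(configs):
    """One finding per tunnel-bound crypto map that lacks a transform set, or whose peer address is
    not a tunnel on another router whose bound crypto map points back at this tunnel's address."""
    parsed = {r: parse_crypto(c) for r, c in configs.items()}
    owner = {i["ip"]: (r, i["map"]) for r, (ifs, _) in parsed.items() for i in ifs.values() if i["ip"]}
    findings = []
    for r, (ifs, maps) in parsed.items():
        for i in ifs.values():
            if (cm := maps.get(i["map"] or "")) is None:
                continue  # no crypto map bound to this tunnel
            if not cm["transform"]:
                findings.append(f"{r} map {i['map']}: no transform-set configured")
            peer = owner.get(cm["peer"])  # (router, bound map) owning the peer address, if any
            back = parsed[peer[0]][1].get(peer[1] or "", {}).get("peer") if peer else None
            if back != i["ip"]:
                findings.append(f"{r} map {i['map']}: peer {cm['peer']} does not point back at {i['ip']} (sees {back})")
    return findings
```

Running it against the full R3/R4/R6/R7 configuration is a quick pre-flight before looking at `show crypto isakmp sa`, since an asymmetric peer shows up here as a finding on both ends of the affected tunnel.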
Check network connectivity
R1#traceroute 10.8.8.8 source 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.12.2 1 msec 1 msec 1 msec
2 192.168.1.3 1 msec 1 msec 0 msec
3 172.16.36.6 1 msec 3 msec 2 msec
4 192.168.2.8 3 msec 2 msec *
R1#traceroute 10.8.8.8 source 10.11.11.11
Type escape sequence to abort.
Tracing the route to 10.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.12.2 1 msec 1 msec 1 msec
2 192.168.1.4 1 msec 2 msec 1 msec
3 *
172.16.47.7 3 msec 3 msec
4 192.168.2.8 3 msec 3 msec *