GRE-VPN Lab
Topology diagram
- When a packet whose source IP is a private address reaches the ISP's network equipment, it is simply dropped. For a LAN to reach the Internet it must therefore use NAT (Network Address Translation), which maps LAN addresses onto the IP address the ISP assigned to the customer for communication with the outside world.
- The remote ISP therefore sees a public IP address and forwards the data correctly. This technique addresses the gradual exhaustion of IPv4 addresses, but it has a drawback: because the user's source IP (the LAN address) is rewritten to a public address in order to get online, public-network devices and devices in other LANs cannot directly reach a device inside the LAN.
1. To "connect" two different LANs so that they can reach each other, VPN technology was born.
2. VPN (Virtual Private Network). This technology builds a "logical" tunnel across the public network between two endpoints, using encryption at both ends, and joins the two LANs through it so that they can reach each other.
3. GRE (Generic Routing Encapsulation). The packet a private network sends to the other LAN is encapsulated inside another IP packet (a GRE packet); the destination address of this outer packet is the IP address of the device terminating the tunnel at the other LAN.
- When the packet enters the public network its source IP is a public address, so the ISP's equipment does not drop it but forwards it toward the destination network; after passing through several gateways it arrives there. The packet is then decapsulated, exposing the GRE payload, which carries the LAN source and destination addresses. This is how one LAN reaches the other.
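As an added illustration (not part of the original lab), the encapsulation and decapsulation just described in Python: the inner packet between the two LANs is wrapped in an outer IPv4 header that carries the tunnel endpoints' addresses, and the peer gateway validates and strips it again. Addresses are taken from the lab topology; the ICMP-like body is a constructed placeholder.

```python
import struct
import ipaddress

GRE_PROTO = 47            # IP protocol number carried in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value meaning "the payload is IPv4"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation) with the checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outbound side of Tunnel1: outer IPv4 header (protocol 47) + 4-byte GRE header + the untouched inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # C/K/S flags and version bits all 0: no key, no GRE checksum
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> dict:
    """Peer gateway side: validate the outer header, strip GRE, and report outer and inner addresses."""
    outer = packet[:20]
    ver_ihl, _, total_len, _, _, _, proto, _, osrc, odst = struct.unpack("!BBHHHBBH4s4s", outer)
    if ver_ihl != 0x45 or proto != GRE_PROTO or total_len != len(packet) or ipv4_checksum(outer):
        raise ValueError("outer header is not a well-formed IPv4/GRE packet")
    flags, ptype = struct.unpack("!HH", packet[20:24])
    if flags & 0xB007 or ptype != ETHERTYPE_IPV4:   # C, K or S set (extra header fields) or version != 0
        raise ValueError("unsupported GRE header")
    inner = packet[24:]
    if len(inner) < 20 or ipv4_checksum(inner[:20]):
        raise ValueError("inner IPv4 header is damaged")
    isrc, idst = struct.unpack("!4s4s", inner[12:20])
    return {"outer": (str(ipaddress.IPv4Address(osrc)), str(ipaddress.IPv4Address(odst))),
            "inner": (str(ipaddress.IPv4Address(isrc)), str(ipaddress.IPv4Address(idst))),
            "inner_payload": inner[20:]}   # readable as-is: GRE adds no encryption or integrity protection

def demo() -> dict:
    """Constructed sample: HQ host 192.168.1.254 sends to branch host 192.168.2.254 through R1's tunnel."""
    icmp_like = b"\x08\x00" + b"\x00" * 6 + b"ECHO"   # constructed stand-in for an ICMP echo body
    inner = ipv4_header("192.168.1.254", "192.168.2.254", 1, len(icmp_like)) + icmp_like
    on_the_wire = gre_encapsulate(inner, "10.0.12.1", "10.0.34.4")   # tunnel source/destination as on R1
    return gre_decapsulate(on_the_wire)
```

Note that nothing in this exchange is encrypted: GRE by itself only encapsulates, so the inner private addresses and payload are visible to every hop along the ISP path unless another protocol protects the tunnel.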
Configuration approach
AR1, AR4: simulate the headquarters and branch gateways
🧀 Configure NAT and a default route for reaching public-network devices
🍗 Configure the Tunnel1 (GRE-VPN) interface, plus a specific route to the peer company's public-side IP address (the tunnel destination)
🍕 Establish an OSPF neighbor over the Tunnel interface and advertise both LANs' routes into OSPF
- AR2, AR3 simulate the ISP network devices:
- Run IS-IS for full reachability across the ISP network
Headquarters network configuration:
R1:
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.12.1 YES manual up up
FastEthernet0/1 192.168.1.254 YES manual up up
Loopback0 1.1.1.1 YES manual up up
Configure routes and NAT
R1(config)#ip route 0.0.0.0 0.0.0.0 10.0.12.2
# Add a specific route to the network that holds the GRE tunnel destination.
# If this specific route is omitted and a route toward the branch LAN is written instead, routing recursion occurs and the Tunnel interface flaps.
R1(config)#ip route 10.0.34.0 255.255.255.0 FastEthernet0/0 10.0.12.2
# Configure NAT
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)#ip nat inside source list 1 interface FastEthernet0/0 overload
# Apply on the interfaces
R1(config)#interface f0/1
R1(config-if)#ip nat inside
R1(config)#interface f0/0
R1(config-if)#ip nat outside
ISP network configuration:
The ISP network is interconnected using IS-IS.
AR2:
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.12.2 YES manual up up
FastEthernet0/1 10.0.23.2 YES manual up up
Loopback0 2.2.2.2 YES manual up up
R2#show running-config | section isis
ip router isis 1 // enable IS-IS on f0/0
ip router isis 1 // enable IS-IS on f0/1
ip router isis 1 // enable IS-IS on Loopback0
router isis 1
net 47.0000.0000.0000.0001.00
is-type level-2-only
AR3:
R3#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 10.0.23.3 YES manual up up
FastEthernet1/0 10.0.34.3 YES manual up up
Loopback0 3.3.3.3 YES manual up up
R3#show running-config | section isis
ip router isis 1 // IS-IS applied on all three interfaces
ip router isis 1
ip router isis 1
router isis 1
net 47.0000.0000.0000.0002.00
is-type level-2-only
Branch network configuration:
R4#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.34.4 YES manual up up
FastEthernet0/1 192.168.2.254 YES manual up up
Loopback0 4.4.4.4 YES manual up up
Configure routes and NAT
R4(config)#ip route 0.0.0.0 0.0.0.0 10.0.34.3
R4(config)#ip route 10.0.12.0 255.255.255.0 FastEthernet0/0 10.0.34.3
R4(config)#access-list 1 permit 192.168.2.0 0.0.0.255
R4(config)#ip nat inside source list 1 interface FastEthernet0/0 overload
R4(config)#int f0/0
R4(config-if)#ip nat outside
R4(config)#int f0/1
R4(config-if)#ip nat inside
Configure GRE
AR1:
R1#show running-config | section Tunnel1
interface Tunnel1
ip address 172.26.1.1 255.255.255.0
keepalive 10 3
tunnel source 10.0.12.1
tunnel destination 10.0.34.4
R1#show running-config | section ospf
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.12.0 0.0.0.255 area 0
network 172.26.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
AR4:
R4#show running-config | section Tunnel1
interface Tunnel1
ip address 172.26.1.2 255.255.255.0
keepalive 10 3
tunnel source 10.0.34.4
tunnel destination 10.0.12.1
R4#show running-config | section ospf
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 0
network 10.0.34.0 0.0.0.255 area 0
network 172.26.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
Verification:
AR1:
On the headquarters border gateway, verify connectivity, that the OSPF neighbor relationship is up, and that there is a route to the branch.
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
4.4.4.4 0 FULL/ - 00:00:39 172.26.1.2 Tunnel1
R1#show ip route ospf
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/11112] via 172.26.1.2, 00:05:21, Tunnel1
O 192.168.2.0/24 [110/11112] via 172.26.1.2, 00:05:21, Tunnel1
R1#ping 192.168.2.254 source 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 264/332/392 ms
AR4:
R4#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 0 FULL/ - 00:00:33 172.26.1.1 Tunnel1
R4#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/11112] via 172.26.1.1, 00:04:00, Tunnel1
O 192.168.1.0/24 [110/11112] via 172.26.1.1, 00:04:00, Tunnel1
R4#ping 192.168.1.254 source 192.168.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/228/268 ms