This lab combines RRI (Reverse Route Injection) with keepalive, mainly to implement a dual-line access scenario.
Configuration:
Client:
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.100.1.2
crypto isakmp key cisco address 61.128.128.3
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
! primary VPN peer
set peer 202.100.1.2
! backup VPN peer: one VPN, two peers
set peer 61.128.128.3
set transform-set cisco
match address 100
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
!
interface Serial1/2
ip address 10.1.1.1 255.255.255.0
serial restart-delay 0
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 10.1.1.5
access-list 100 permit ip host 1.1.1.1 host 2.2.2.4
The Active and Standby configurations are the same:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
set transform-set cisco
reverse-route tag 10
!
!
! the static map calls the dynamic map
crypto map cisco 10 ipsec-isakmp dynamic dymap
!
!
!
!
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
duplex full
!
!
interface Serial1/2
ip address 202.100.1.2 255.255.255.0
serial restart-delay 0
crypto map cisco
!
!
router ospf 1
log-adjacency-changes
redistribute static subnets route-map sto
network 2.2.2.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 202.100.1.5
!
route-map sto permit 10
match tag 10
!
internet:
!
interface Serial1/0
ip address 202.100.1.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 61.128.128.5 255.255.255.0
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 10.1.1.5 255.255.255.0
serial restart-delay 0
!
inside:
!
interface FastEthernet0/0
ip address 2.2.2.4 255.255.255.0
duplex auto
speed auto
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
Ping from the client:
client#ping 2.2.2.4 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 436/568/668 ms
client#
Check the routing table on inside:
inside#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 2.2.2.2, 00:00:18, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0
inside#
Shut down the interface on the middle router, internet:
internet(config)#interface serial 1/0
internet(config-if)#no sh
The routing table on inside before and after the shutdown:
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 2.2.2.2, 00:01:32, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0
inside#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 2.2.2.3, 00:00:01, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0
inside#
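The two routing tables above differ only in the next hop of the RRI-injected route to 1.1.1.1 (2.2.2.2 before, 2.2.2.3 after). As an added example that is not part of the original post, the Python script below parses classic IOS `show ip route` text and reports whether that route has moved to the standby headend; the function names are hypothetical, and 2.2.2.3 is assumed to be the standby's LAN address, as the second capture suggests.

```python
import re

# Sample input constructed from the two `show ip route` captures on this page.
BEFORE = """\
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 2.2.2.2, 00:01:32, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0
"""
AFTER = BEFORE.replace("via 2.2.2.2, 00:01:32", "via 2.2.2.3, 00:00:01")

IP = r"\d+\.\d+\.\d+\.\d+"
# Classic IOS prints the mask once per major network, on a header line.
HEADER = re.compile(rf"^{IP}/(\d+) is (variably )?subnetted")
# e.g. "O E2 1.1.1.1 [110/20] via 2.2.2.2, ..." (connected routes have no "via").
ROUTE = re.compile(rf"^(?P<code>\S+(?: \S+)?)\s+(?P<net>{IP})(?:/(?P<len>\d+))?"
                   rf"\s+\[\d+/\d+\] via (?P<nh>{IP})")


def learned_routes(show_ip_route):
    """Map 'prefix/len' -> (route code, next hop) for routes with a next hop."""
    routes, plen = {}, None
    for line in map(str.strip, show_ip_route.splitlines()):
        header = HEADER.match(line)
        if header:
            # "variably subnetted": each entry carries its own /len instead.
            plen = None if header.group(2) else header.group(1)
            continue
        route = ROUTE.match(line)
        if route:
            length = route["len"] or plen
            routes[f"{route['net']}/{length}"] = (route["code"], route["nh"])
    return routes


def rri_state(before, after, prefix, active, standby):
    """Classify where the RRI route for `prefix` points after the link change."""
    old = learned_routes(before).get(prefix)
    new = learned_routes(after).get(prefix)
    if new is None:
        return "route-missing"  # no SA on either headend, or redistribution broken
    if new[1] == standby:
        return "failed-over" if old and old[1] == active else "on-standby"
    return "on-active" if new[1] == active else "unexpected-next-hop"


if __name__ == "__main__":
    print(rri_state(BEFORE, AFTER, "1.1.1.1/32", "2.2.2.2", "2.2.2.3"))
```

A result of `route-missing` after the link change means the client never re-established its tunnel to the second peer, or the tagged static route is not being redistributed into OSPF.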
Reposted from: https://blog.51cto.com/sngyqd/624857