L2L VPN: implementing hub-and-spoke interconnection

Author: Cedric CCIE#25467

[Figure: network topology]

The network topology is shown above.

Today we describe how to implement L2L access in a hub-and-spoke structure.

R1 is the hub; R2 and R3 are the spokes.

R1#sh run
Building configuration...

Current configuration : 1481 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 123 address 20.1.1.1
crypto isakmp key 123 address 30.1.1.1
!
crypto ipsec transform-set 321 esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
 set peer 20.1.1.1
 set peer 30.1.1.1
 set transform-set 321
!
crypto map cisco 10 ipsec-isakmp dynamic dymap
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no switchport
 ip address 10.1.1.1 255.255.255.0
 crypto map cisco
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
 no ip address
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

 

R1#sh cry en conn a

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      10.1.1.1        set    HMAC_SHA+DES_56_CB        0        0
   2 FastEthernet0/0      10.1.1.1        set    HMAC_SHA+DES_56_CB        0        0
2001 FastEthernet0/0      10.1.1.1        set    DES+MD5                   0        5
2002 FastEthernet0/0      10.1.1.1        set    DES+MD5                   5        0
2003 FastEthernet0/0      10.1.1.1        set    DES+MD5                   0        5
2004 FastEthernet0/0      10.1.1.1        set    DES+MD5                   5        0

 

 

R2>en
R2#sh run
Building configuration...

Current configuration : 1463 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 123 address 10.1.1.1
!
crypto ipsec transform-set 321 esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set 321
 match address ***
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no switchport
 ip address 20.1.1.1 255.255.255.0
 crypto map cisco
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
 no ip address
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended ***
 permit ip host 2.2.2.2 host 1.1.1.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

 

R2#sh cry is sa
dst             src             state          conn-id slot status
10.1.1.1        20.1.1.1        QM_IDLE              1    0 ACTIVE

R2#sh cry ip sa

interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 20.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 20.1.1.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xE21AADC8(3793399240)

     inbound esp sas:
      spi: 0xDC63BE9D(3697524381)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4518374/2756)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE21AADC8(3793399240)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4518374/2756)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2#

R2#sh cry en conn a

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      20.1.1.1        set    HMAC_SHA+DES_56_CB        0        0
2001 FastEthernet0/0      20.1.1.1        set    DES+MD5                   0        5
2002 FastEthernet0/0      20.1.1.1        set    DES+MD5                   5        0


R3#sh run
Building configuration...

Current configuration : 1463 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 123 address 10.1.1.1
!
crypto ipsec transform-set 321 esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set 321
 match address ***
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no switchport
 ip address 30.1.1.1 255.255.255.0
 crypto map cisco
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
 no ip address
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended ***
 permit ip host 3.3.3.3 host 1.1.1.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

 

R3#sh cry is sa
dst             src             state          conn-id slot status
10.1.1.1        30.1.1.1        QM_IDLE              1    0 ACTIVE

R3#sh cry ip sa

interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 30.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 8, #recv errors 0

     local crypto endpt.: 30.1.1.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x80BEEF5D(2159996765)

     inbound esp sas:
      spi: 0x4B276839(1260873785)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4519227/2825)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x80BEEF5D(2159996765)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4519227/2824)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R3#

R3#sh cry en conn a

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      30.1.1.1        set    HMAC_SHA+DES_56_CB        0        0
2001 FastEthernet0/0      30.1.1.1        set    DES+MD5                   0        5
2002 FastEthernet0/0      30.1.1.1        set    DES+MD5                   5        0


The complete configuration is shown above; with it, hub-and-spoke L2L access works.

There is one prerequisite to keep in mind, however: in this topology only the spoke side can initiate the access. The hub cannot initiate towards a spoke first, because the hub has no ACL and therefore cannot classify matching interesting traffic.

Once a spoke has negotiated with the hub (both phase 1 and phase 2), the hub does have a matching entry for traffic towards that spoke.
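The mechanism just described, as an added example that is not part of the original post: a small Python model of how a router classifies outbound traffic against its crypto map, using the addresses from the R1, R2 and R3 configurations above. It assumes (my simplification, not IOS internals) that a dynamic crypto map template carries no proxy ACL of its own and gains one only when a spoke negotiates an SA against it, while a static entry classifies traffic by its match address ACL.

```python
# Added example, not from the original post. Simplification (mine, not IOS internals):
# a 'crypto map ... ipsec-isakmp dynamic' template has no proxy ACL until a peer
# negotiates an SA against it; a static entry matches by its 'match address' ACL.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def host_pair(src, dst):
    """One 'permit ip host SRC host DST' line as a (src_net, dst_net) tuple."""
    return (ip_network(src + "/32"), ip_network(dst + "/32"))


@dataclass
class CryptoMapEntry:
    acl: list = field(default_factory=list)  # proxy identities, see host_pair()
    dynamic: bool = False                    # instantiated from 'crypto dynamic-map'

    def matches(self, src, dst):
        s, d = ip_address(src), ip_address(dst)
        return any(s in sn and d in dn for sn, dn in self.acl)


@dataclass
class Router:
    name: str
    entries: list

    def has_interesting_traffic_entry(self, src, dst):
        """True if some crypto-map entry classifies src->dst as traffic to encrypt."""
        return any(e.matches(src, dst) for e in self.entries)


def spoke_negotiates(spoke, hub, src, dst):
    """Spoke initiates IKE phase 1 and 2 for src->dst; on success the hub's dynamic
    template gets an SA whose proxy identities mirror the spoke's ACL line."""
    if not spoke.has_interesting_traffic_entry(src, dst):
        return False
    for entry in hub.entries:
        if entry.dynamic:
            entry.acl.append(host_pair(dst, src))
            return True
    return False


def build_topology():
    """R1: hub with only a dynamic map. R2, R3: spokes with static maps and ACLs as above."""
    hub = Router("R1", [CryptoMapEntry(dynamic=True)])
    r2 = Router("R2", [CryptoMapEntry([host_pair("2.2.2.2", "1.1.1.1")])])
    r3 = Router("R3", [CryptoMapEntry([host_pair("3.3.3.3", "1.1.1.1")])])
    return hub, r2, r3
```

Before any spoke negotiates, `hub.has_interesting_traffic_entry("1.1.1.1", "2.2.2.2")` is False; after `spoke_negotiates(r2, hub, "2.2.2.2", "1.1.1.1")` it is True, while traffic to R3 still has no entry until R3 negotiates in turn.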

 

 

Additional questions: consider how the hub could also actively initiate negotiation towards the spokes.

Can a fully meshed L2L VPN be achieved?

If R2's loopback is 2.2.2.2/32 and R3's loopback is 2.2.3.3/16, how would the design be implemented, and what behaviour would be observed?

Finally, thanks to teacher Yang of Shanghai WOLF.