A virtual private network (VPN) is defined as a temporary, secure connection established over a public network (usually the Internet): a secure, stable tunnel through the chaos of the public network. A VPN is an extension of the enterprise intranet.
A VPN lets remote users, branch offices, business partners and suppliers establish trusted, secure connections to the company intranet and guarantees secure data transmission. By moving traffic onto a low-cost IP network, an enterprise VPN solution greatly reduces what users spend on metropolitan-area and long-distance network connections. It also simplifies network design and management and speeds up connecting new users and sites. In addition, a VPN protects the existing network investment. As the user's business grows, an enterprise VPN solution lets users concentrate on their business rather than on the network. VPNs can be used for secure connections by the growing population of mobile users reaching the global Internet; as virtual private lines for secure communication between enterprise sites; and as extranet VPNs that connect cost-effectively and securely to business partners and customers.
Below we cover how to implement one form of VPN, the GRE tunnel, on Huawei and Cisco devices.
Lab background: the head office and a branch office want to reach each other's private resources across the public network.
Requirements analysis: a VPN can wrap each packet in a new outer header to carry it across the Internet; when it reaches the peer gateway the outer header is stripped, so the two sites behave as if they were directly connected.
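The encapsulation just described, as an added example that is not part of the original post: an inner IPv4 packet from PC1 (192.168.1.1) to PC2 (192.168.2.1) is wrapped in a 4-byte GRE header and a new outer IPv4 header (protocol 47) addressed between the two tunnel endpoints of this lab, 61.130.130.1 and 61.130.132.1, and the peer gateway strips those headers again. The sample packet is constructed here; the decapsulation check deliberately accepts only the minimal GRE header (no checksum, key or sequence fields), and the `inner_addresses` helper shows the defender's caveat: the inner packet is carried in cleartext, so GRE alone gives routing, not confidentiality or authentication.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number carried in the outer header (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with no options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What the Tunnel interface does: new outer IP header + 4-byte GRE header + original packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version all zero: no C/K/S fields
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, 4 + len(inner)) + gre + inner

def gre_decapsulate(outer: bytes):
    """What the peer gateway does: strip outer IP + GRE headers and hand back the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != GRE_PROTO:
        raise ValueError("outer header does not carry GRE (protocol %d)" % outer[9])
    if inet_checksum(outer[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum invalid")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("only the minimal GRE header with an IPv4 payload is handled here")
    tunnel_src = socket.inet_ntoa(outer[12:16])
    tunnel_dst = socket.inet_ntoa(outer[16:20])
    return tunnel_src, tunnel_dst, outer[ihl + 4:]

def inner_addresses(packet: bytes):
    """Inner source/destination as any device on the ISP path can read them: GRE adds no encryption."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def build_sample():
    """Constructed sample: a PC1 -> PC2 ICMP echo request (8-byte ICMP header) sent through the lab tunnel."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    inner = ipv4_header("192.168.1.1", "192.168.2.1", 1, len(icmp)) + icmp
    outer = gre_encapsulate(inner, "61.130.130.1", "61.130.132.1")
    return inner, outer
```

The ISP switch in the lab only ever sees the outer 61.130.x.x addresses and protocol 47, which is why it needs no route to 192.168.1.0/24 or 192.168.2.0/24; if the inner traffic must stay private, the GRE tunnel has to be protected by IPsec or a similar layer.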
Topology diagram:
Lab equipment: two routers, one layer-3 switch and two PCs.
Huawei configuration
[r1]dis cu
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet1
ip address 61.130.130.1 255.255.255.252
!
interface Tunnel10
link-protocol tunnel
ip address 192.168.4.1 255.255.255.0
source 61.130.130.1
destination 61.130.132.1
!
quit
ip route-static 0.0.0.0 0.0.0.0 61.130.130.2 preference 60
ip route-static 192.168.2.0 255.255.255.0 Tunnel 10 preference 60
!
return
[r1]
[r1]dis ip rout
Routing Tables:
Destination/Mask Proto Pref Metric Nexthop Interface
0.0.0.0/0 Static 60 0 61.130.130.2 Ethernet1
61.130.130.0/30 Direct 0 0 61.130.130.1 Ethernet1
61.130.130.1/32 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.0/8 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.1.0/24 Direct 0 0 192.168.1.254 Ethernet0
192.168.1.254/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.2.0/24 Static 60 0 192.168.4.1 Tunnel10
192.168.4.0/24 Direct 0 0 192.168.4.1 Tunnel10
192.168.4.1/32 Direct 0 0 127.0.0.1 LoopBack0
[r1]
[r2]dis cu
interface Ethernet0
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet1
ip address 61.130.132.1 255.255.255.252
!
interface Tunnel20
link-protocol tunnel
ip address 192.168.4.2 255.255.255.0
source 61.130.132.1
destination 61.130.130.1
!
quit
ip route-static 0.0.0.0 0.0.0.0 61.130.132.2 preference 60
ip route-static 192.168.1.0 255.255.255.0 Tunnel 20 preference 60
!
return
[r2]
[r2]dis ip rout
Routing Tables:
Destination/Mask Proto Pref Metric Nexthop Interface
0.0.0.0/0 Static 60 0 61.130.132.2 Ethernet1
61.130.132.0/30 Direct 0 0 61.130.132.1 Ethernet1
61.130.132.1/32 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.0/8 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.1.0/24 Static 60 0 192.168.4.2 Tunnel20
192.168.2.0/24 Direct 0 0 192.168.2.254 Ethernet0
192.168.2.254/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.4.0/24 Direct 0 0 192.168.4.2 Tunnel20
192.168.4.2/32 Direct 0 0 127.0.0.1 LoopBack0
[r2]
<isp>dis cu
#
sysname isp
#
vlan 1
#
vlan 10
#
vlan 20
#
interface Vlan-interface10
ip address 61.130.130.2 255.255.255.252
#
interface Vlan-interface20
ip address 61.130.132.2 255.255.255.252
#
interface Ethernet0/10
port access vlan 10
#
interface Ethernet0/20
port access vlan 20
#
<isp>
<isp>dis ip rout
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
61.130.130.0/30 DIRECT 0 0 61.130.130.2 Vlan-interface10
61.130.130.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
61.130.132.0/30 DIRECT 0 0 61.130.132.2 Vlan-interface20
61.130.132.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
<isp>
Test: PC1 pings PC2, traversing three layer-3 devices.
Cisco configuration
r1#show runn
interface Tunnel10
ip address 192.168.4.1 255.255.255.252
tunnel source 61.130.130.1
tunnel destination 61.130.132.1
!
interface Ethernet0/0
ip address 192.168.1.254 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 61.130.130.1 255.255.255.252
half-duplex
!
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
ip route 192.168.2.0 255.255.255.0 Tunnel10
r1#
r1#show ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
192.168.4.0/30 is subnetted, 1 subnets
C 192.168.4.0 is directly connected, Tunnel10
C 192.168.1.0/24 is directly connected, Ethernet0/0
S 192.168.2.0/24 is directly connected, Tunnel10
61.0.0.0/30 is subnetted, 1 subnets
C 61.130.130.0 is directly connected, Ethernet0/1
S* 0.0.0.0/0 is directly connected, Ethernet0/1
r1#
isp#show runn
hostname isp
!
interface Ethernet0/1
ip address 61.130.130.2 255.255.255.252
half-duplex
!
interface Ethernet0/2
ip address 61.130.132.2 255.255.255.252
half-duplex
!
isp#
isp#show ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
61.0.0.0/30 is subnetted, 2 subnets
C 61.130.132.0 is directly connected, Ethernet0/2
C 61.130.130.0 is directly connected, Ethernet0/1
isp#
r2#show runn
hostname r2
!
interface Tunnel20
ip address 192.168.4.2 255.255.255.252
tunnel source 61.130.132.1
tunnel destination 61.130.130.1
!
interface Ethernet0/0
ip address 192.168.2.254 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 61.130.132.1 255.255.255.252
half-duplex
!
r2#
r2#show ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
192.168.4.0/30 is subnetted, 1 subnets
C 192.168.4.0 is directly connected, Tunnel20
S 192.168.1.0/24 is directly connected, Tunnel20
C 192.168.2.0/24 is directly connected, Ethernet0/0
61.0.0.0/30 is subnetted, 1 subnets
C 61.130.132.0 is directly connected, Ethernet0/1
S* 0.0.0.0/0 is directly connected, Ethernet0/1
r2#
Test: PC1 pings PC2
pc1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/148/172 ms
pc1#
PC2 pings PC1
pc2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/147/204 ms
pc2#
Traceroute
pc1#traceroute ip
Target IP address: 192.168.2.1
Source address: 192.168.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 192.168.2.1
1 192.168.1.254 68 msec 36 msec 52 msec
2 192.168.4.2 100 msec 136 msec 140 msec
3 192.168.2.1 188 msec 228 msec *
pc1#
Reposted from: https://blog.51cto.com/zhoulinjun/1180325