MGRE Comprehensive Lab

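This lab walks through the implementation of MGRE (multipoint GRE) in detail, including choosing the NHS and configuring the tunnel interfaces and NHRP. It also covers PPP PAP and CHAP authentication and the use of HDLC encapsulation. Between R1 and R5, successful authentication is verified with PPP PAP and CHAP. GRE tunnels are then configured, RIP is enabled on R1, and split horizon is disabled so that routing information propagates. Finally, NAT is configured so that the PCs can communicate with the network.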

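How MGRE works:
A device in the private network whose outbound physical interface address is fixed is chosen as the NHS (the next-hop resolution server). All the remaining branches must know the hub's tunnel address and physical address. NHRP then requires every branch to send the mapping between the IP addresses of its physical interface and its tunnel interface to the NHS; if the physical address changes, the branch must send the mapping again. In this way the NHS obtains the address mappings of all branches.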

[Figure: network topology diagram]

IP configuration
R1:
S 4/0/0 15.0.0.1
G 0/0/0 192.168.1.1
R2:
S 4/0/0 25.0.0.1
G 0/0/0 192.168.2.1
R3:
S 4/0/0 35.0.0.1
G 0/0/0 192.168.3.1
R4:
G 0/0/0 45.0.0.1
G 0/0/1 192.168.4.1
R5:
S 3/0/0 15.0.0.2
S 3/0/1 25.0.0.2
S 4/0/0 35.0.0.2
G 0/0/0 45.0.0.2

Every edge device has one default route pointing to the ISP

[r4]ip route-static 0.0.0.0 0 45.0.0.2

Requirement 1 is complete.

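Requirement 2:
R1 and R5 use PPP PAP authentication, with R5 as the authenticator
On R5 (ISP):

[isp-aaa]local-user admin password cipher 123456  # create a user named admin
[isp-aaa]local-user admin service-type ppp  # service type: ppp
[isp-Serial3/0/0]ppp authentication-mode pap  # enable PAP authentication on the corresponding interface

On R1: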

[r1-Serial4/0/0]ppp pap local-user admin password cipher 123456

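A PPP session is negotiated once: after the session has been established, changing parameters (such as authentication settings) does not affect it, that is, the session does not drop. The link between R1 and R5 was already using PPP, so to verify that PPP PAP authentication succeeds, tear the session down first and then re-establish it.

[r1-Serial4/0/0]shutdown
[r1-Serial4/0/0]undo shutdown

After the session is re-established, check the interface information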

[r1-Serial4/0/0]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 3
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 3

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.1.1/24       up         up        
GigabitEthernet0/0/1              unassigned           down       down      
GigabitEthernet0/0/2              unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Serial4/0/0                       15.0.0.1/24          up         up        
Serial4/0/1                       unassigned           down       down      
[r1-Serial4/0/0]ping 15.0.0.2
  PING 15.0.0.2: 56  data bytes, press CTRL_C to break
    Reply from 15.0.0.2: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 15.0.0.2: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 15.0.0.2: bytes=56 Sequence=3 ttl=255 time=30 ms
    Reply from 15.0.0.2: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 15.0.0.2: bytes=56 Sequence=5 ttl=255 time=20 ms

  --- 15.0.0.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/30/50 ms
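# the ping succeeds, so PPP PAP authentication between R1 and R5 works

R2 and R5 use PPP CHAP authentication, with R5 as the authenticator
On R5:

[isp-Serial3/0/1]ppp authentication-mode chap  # enable CHAP authentication

On R2:

[r2-Serial4/0/0]ppp chap user admin
[r2-Serial4/0/0]ppp chap password cipher 123456  # set up CHAP authentication: user admin, with its password

Likewise, run shutdown and then undo shutdown to verify the authenticated connection.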

[r2-Serial4/0/0]ping 25.0.0.2
  PING 25.0.0.2: 56  data bytes, press CTRL_C to break
    Reply from 25.0.0.2: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 25.0.0.2: bytes=56 Sequence=2 ttl=255 time=20 ms
    Reply from 25.0.0.2: bytes=56 Sequence=3 ttl=255 time=20 ms
    Reply from 25.0.0.2: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 25.0.0.2: bytes=56 Sequence=5 ttl=255 time=30 ms

  --- 25.0.0.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/28/50 ms
    # the ping succeeds, so authentication works

R3 and R5 use HDLC encapsulation. (Huawei defaults to PPP, so it only needs to be changed to HDLC here.)
On R3:

[r3-Serial4/0/0]link-protocol hdlc 
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]
:y

[r3-Serial4/0/0]display ip interface brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 3
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 4

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.3.1/24       up         up        
GigabitEthernet0/0/1              unassigned           down       down      
GigabitEthernet0/0/2              unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Serial4/0/0                       35.0.0.1/24          up         down      
Serial4/0/1                       unassigned           down       down      
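# changing the encapsulation on R3 alone leaves the interface up/down (R5 is still using PPP encapsulation, so the two ends cannot communicate)

On R5: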

[isp-Serial4/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]
:y

[isp-Serial4/0/0]display ip interface brief 
     
Serial4/0/0                       35.0.0.2/24          up         up        
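# checking the interface information shows it is back to the up/up state

Requirement 2 is complete

Requirement 3:
R1 (hub site)
Create a tunnel interface on R1 and configure its IP address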

[r1]int Tunnel 0/0/0  # create the tunnel interface
[r1-Tunnel0/0/0]ip address 192.168.5.1 24  # configure the tunnel interface IP
[r1-Tunnel0/0/0]tunnel-protocol gre p2mp  # set the encapsulation type to GRE
[r1-Tunnel0/0/0]source 15.0.0.1  # source IP (hub site, fixed)
Jul 11 2022 21:49:59-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface Tunnel0/0/0 has entered the UP state. 
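[r1-Tunnel0/0/0]nhrp network-id 100  # create the NHRP domain (global)

On R2:

[r2]interface Tunnel 0/0/0  # create the tunnel interface
[r2-Tunnel0/0/0]ip address 192.168.5.2 24  # configure the tunnel interface IP
[r2-Tunnel0/0/0]tunnel-protocol gre p2mp  # protocol is GRE, one-to-many (P2MP)
[r2-Tunnel0/0/0]source s 4/0/0  # the source IP is not fixed, so specify the outbound interface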
Jul 11 2022 21:54:46-08:00 r2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface Tunnel0/0/0 has entered the UP state. 
[r2-Tunnel0/0/0]nhrp network-id 100  # join the NHRP domain
[r2-Tunnel0/0/0]nhrp entry 192.168.5.1 15.0.0.1 register  # provide the hub's virtual IP and real IP

On R3 (same as R2):

[r3]int t 0/0/0
[r3-Tunnel0/0/0]ip address 192.168.5.3 24
[r3-Tunnel0/0/0]tunnel-protocol gre p2mp 
[r3-Tunnel0/0/0]source s 4/0/0
Jul 11 2022 22:00:35-08:00 r3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface Tunnel0/0/0 has entered the UP state. 
[r3-Tunnel0/0/0]nhrp network-id 100
[r3-Tunnel0/0/0]nhrp entry 192.168.5.1 15.0.0.1 register

Check on R1:

[r1-Tunnel0/0/0]display nhrp peer all
------------------------------------------------------------------------------- 
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag         
------------------------------------------------------------------------------- 
192.168.5.2     32    25.0.0.1        192.168.5.2     dynamic      route tunnel 
------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0/0/0
Created time    : 00:02:48
Expire time     : 01:57:12
------------------------------------------------------------------------------- 
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag         
------------------------------------------------------------------------------- 
192.168.5.3     32    35.0.0.1        192.168.5.3     dynamic      route tunnel 
------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:07
Expire time     : 01:59:53

Number of nhrp peers: 2
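
An added example (not from the original post) that parses the `display nhrp peer all` output shown above and compares the dynamically registered spokes with an expected inventory, a check worth running on the NHS because the hub in this lab learns its peers through registration. EXPECTED_SPOKES is an assumed inventory, and the row layout is assumed to match the capture on this page.

```python
import re

# Peer rows and timers copied from the R1 `display nhrp peer all` capture above
# (separator and header lines omitted; the parser skips them anyway).
SAMPLE = """\
192.168.5.2     32    25.0.0.1        192.168.5.2     dynamic      route tunnel
Tunnel interface: Tunnel0/0/0
Created time    : 00:02:48
Expire time     : 01:57:12
192.168.5.3     32    35.0.0.1        192.168.5.3     dynamic      route tunnel
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:07
Expire time     : 01:59:53
"""

# Assumption: the operator's inventory of spoke tunnel addresses for this lab.
EXPECTED_SPOKES = {"192.168.5.2", "192.168.5.3"}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^{IP}\s+(\d+)\s+{IP}\s+{IP}\s+(\S+)\s+(.*\S)")
TIMER = re.compile(r"^(Created|Expire) time\s*:\s*(\d+):(\d+):(\d+)")

def parse_peers(text):
    """Return one dict per peer row, with created/expire timers in seconds."""
    peers = []
    for line in text.splitlines():
        row, timer = ROW.match(line), TIMER.match(line)
        if row:
            keys = ("protocol", "mask", "nbma", "next_hop", "type", "flag")
            peers.append(dict(zip(keys, row.groups())))
        elif timer and peers:
            h, m, s = map(int, timer.groups()[1:])
            peers[-1][timer[1].lower()] = h * 3600 + m * 60 + s
    return peers

def audit(peers, expected):
    """Compare the NHS cache with the inventory and list every discrepancy."""
    findings, seen = [], set()
    for p in peers:
        if p["protocol"] not in expected:
            findings.append(f"unexpected peer {p['protocol']} registered from {p['nbma']}")
        if p["protocol"] in seen:
            findings.append(f"duplicate entry for {p['protocol']}")
        seen.add(p["protocol"])
    findings += [f"expected spoke {ip} not registered" for ip in sorted(expected - seen)]
    return findings

if __name__ == "__main__":
    for finding in audit(parse_peers(SAMPLE), EXPECTED_SPOKES) or ["NHS cache matches inventory"]:
        print(finding)
```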

R1 and R4 use point-to-point GRE
On R1:

[r1]interface t 0/0/1
[r1-Tunnel0/0/1]ip address 192.168.6.1 24
[r1-Tunnel0/0/1]tunnel-protocol gre  # point-to-point GRE
[r1-Tunnel0/0/1]source 15.0.0.1  # source IP
[r1-Tunnel0/0/1]destination 45.0.0.1  # destination IP (fixed, because this is point-to-point)
Jul 11 2022 22:04:43-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface Tunnel0/0/1 has entered the UP state. 

On R4 (same approach as R1):

[r4]int t 0/0/0
[r4-Tunnel0/0/0]ip address 192.168.6.2 24
[r4-Tunnel0/0/0]tunnel-protocol gre
[r4-Tunnel0/0/0]source 45.0.0.1
[r4-Tunnel0/0/0]destination 15.0.0.1
Jul 11 2022 22:05:35-08:00 r4 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface Tunnel0/0/0 has entered the UP state. 

Requirement 4:
On R1:

[r1-Tunnel0/0/0]nhrp entry multicast dynamic  # enable pseudo-broadcast
[r1]rip  # configure RIP
[r1-rip-1]version 2  # version
[r1-rip-1]network 192.168.1.0  # advertise the network
[r1-rip-1]network 192.168.5.0
[r1-rip-1]network 192.168.6.0

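[r1-Tunnel0/0/0]undo rip split-horizon  # disable split horizon (otherwise, because of split horizon, the routes learned from R2 and R3 are not sent back out this tunnel interface, so the other spokes never receive them)

On R2: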

[r2]rip
[r2-rip-1]version 2
[r2-rip-1]network 192.168.5.0
[r2-rip-1]network 192.168.2.0

On R3:

[r3]rip
[r3-rip-1]v 2
[r3-rip-1]network 192.168.3.0
[r3-rip-1]network 192.168.5.0

On R4:

[r4]rip
[r4-rip-1]v 2
[r4-rip-1]network 192.168.4.0
[r4-rip-1]network 192.168.6.0

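Requirement 5:
Configure IP addresses on all PCs
PC4 is used as the example here:
[Figure: PC4 IP configuration]

Configure one NAT rule on every edge device (R1/R2/R3/R4)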

[r1]acl 2000
[r1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[r1-acl-basic-2000]q
[r1]int s 4/0/0
[r1-Serial4/0/0]nat outbound 2000

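Taking PC2 as the example: before the configuration PC2 cannot communicate with R5; after the configuration it can ping 5.5.5.5
[Figure: PC2 ping test]
All lab requirements are complete.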
