Advanced Network Integrated Hands-On Architecture Case Study
Lab topology description:
1. SW1-3 and SW2-3 are the internal layer-3 (distribution) switches; they forward traffic between the internal subnets and from the internal network toward the outside. SW3, SW4 and SW5 are the internal access-layer switches that connect end users. R3 is the router that connects this internal network to the outside and to the other areas. Together they form one internal network (OSPF area 0).
2. R4 is the router for internal area 1 and connects the area 1 network; R3 connects area 1 to the outside and to internal area 0.
3. R1 is the router of remote internal area 2; it connects that site to the outside and terminates the site-to-site VPN with R3 in area 0.
4. R2 is the Internet router; all internal sites connect through it.
5. Equipment: three access-layer switches (Catalyst 2950-48), two layer-3 distribution switches (Cisco 3550-48) and four Cisco 2600XM routers.
Lab IP addressing:
1. Sw1-3 (layer-3 switch): Vlan2: 192.168.1.1/24
Vlan3: 192.168.4.1/24
Vlan4: 192.168.5.1/24
Vlan5: 192.168.6.1/24
2. Sw2-3 (layer-3 switch): Vlan2: 192.168.1.2/24
Vlan3: 192.168.4.2/24
Vlan4: 192.168.5.2/24
Vlan5: 192.168.6.2/24
3. HSRP virtual addresses: Vlan2: 192.168.1.254
Vlan3: 192.168.4.254
Vlan4: 192.168.5.254
Vlan5: 192.168.6.254
4. VPN tunnel addresses at both ends: R3: 1.1.1.1/24
R1: 1.1.1.2/24
5. NAT uses port address translation (PAT, "overload") on R3's interface S0/1.
Overview of the protocols used:
1. VTP: the VLAN Trunking Protocol is a Cisco proprietary protocol supported by most Cisco switches. It synchronizes VLAN information within a VTP domain, so the same VLANs do not have to be configured on every switch. Caveat: a switch that joins the domain with a higher configuration revision number overwrites the VLAN database of every other member (in server and client mode alike), so reset vlan.dat on a switch before connecting it (as the pre-configuration steps below do) and set the domain password on every member.
2. STP: the Spanning Tree Protocol is used on networks that contain physical loops. Through its algorithm it provides path redundancy while pruning the looped topology into a loop-free tree, so frames are not duplicated or forwarded endlessly around a loop.
3. OSPF: Open Shortest Path First is an Interior Gateway Protocol (IGP) that computes routes within a single autonomous system (AS). Unlike RIP, which is a distance-vector protocol, OSPF is a link-state routing protocol. (Routing between autonomous systems is the job of an Exterior Gateway Protocol, EGP.)
4. HSRP: the Hot Standby Router Protocol lets a group of routers present one virtual router (a virtual IP and MAC address) to the hosts on a segment, so first-hop redundancy does not depend on hosts discovering a new gateway when the real first-hop router fails. Hosts use the virtual IP address as their default gateway. Only one router in the group, the Active router, forwards packets sent to the virtual address; when it fails, the Standby router takes over its duties without interrupting host connectivity. HSRP elects Active and Standby by priority (higher wins; the higher real IP address breaks ties). HSRP runs over UDP port 1985. Hello packets are sent from each router's real IP address, not the virtual one, which is how the members of a group identify each other. By default hellos carry only the plaintext authentication string "cisco", so any host on the VLAN can inject a higher-priority hello and become the gateway; production deployments should configure MD5 authentication (standby <group> authentication md5 key-string <key>).
5. NAT: Network Address Translation is an IETF (Internet Engineering Task Force) standard that lets an organization appear on the Internet behind a single public IP address. As the name says, it translates internal private IP addresses into routable public addresses. NAT hides addresses but is not an access-control mechanism; filtering still requires ACLs or a firewall.
6. VPN: a Virtual Private Network can be thought of as a virtual leased line for the enterprise. It is defined as a temporary, secure connection built across a public network (usually the Internet): a secure and stable tunnel through an untrusted shared network.
Lab objectives:
1. Configure VTP and STP across the topology so the internal network is efficient and stable and the redundant links are actually usable.
2. Enable OSPF (link-state routing) in the different areas so that all networks are reachable.
3. Configure HSRP so users keep working when an edge (gateway) device fails.
4. Configure PAT (NAT overload) on R3 so the designated internal networks can reach the outside.
5. Configure a site-to-site VPN between R1 and R3 so the internal networks of the two sites communicate securely.
6. Combine the above into an efficient, stable, secure network structure with redundancy.
Lab steps in detail:
Pre-configuration cleanup (not needed if the devices are new):
#clear line 1 ... 8  clear the specified terminal lines (lines 1 through 8)
#erase startup-config  erase the saved configuration
#reload  restart the device
#show flash:  check for an existing VLAN database (vlan.dat); erasing startup-config does not remove it
#delete flash:vlan.dat  delete the old VLAN database so the switch does not carry a stale domain or revision number into the lab
1. Configure VTP (sw1-3 and sw2-3 as servers, the access switches as clients, all with the same domain and password):
sw1-3(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw1-3(vlan)#vtp server
Device mode already VTP SERVER.
sw1-3(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw1-3(vlan)#vtp v2-mode
V2 mode enabled.
sw1-3(vlan)#vtp pruning
Pruning switched ON
sw2-3(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw2-3(vlan)#vtp server
Device mode already VTP SERVER.
sw2-3(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw2-3(vlan)#vtp v2-mode
V2 mode enabled.
sw2-3(vlan)#vtp pruning
Pruning switched ON
sw3(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw3(vlan)#vtp client
Setting device to VTP CLIENT mode.
sw3(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw4(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw4(vlan)#vtp client
Setting device to VTP CLIENT mode.
sw4(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw4(vlan)#exit
sw5(vlan)#vtp domain test
Changing VTP domain name from NULL to test
sw5(vlan)#vtp client
Setting device to VTP CLIENT mode.
sw5(vlan)#vtp password 111111
Setting device VLAN database password to 111111.
sw1-3#show vtp status
VTP Version : 2
Configuration Revision : 5
Maximum VLANs supported locally : 256
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : test
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x2B 0xF6 0xD8 0xE3 0x28 0x13 0x8F 0xC4
Configuration last modified by 0.0.0.0 at 3-1-02 00:15:38
Local updater ID is 192.168.1.1 on interface Vl2 (lowest numbered VLAN interface found)
2. Trunk configuration (switchport mode trunk still sends DTP frames; on production trunks add switchport nonegotiate and move the native VLAN off VLAN 1):
sw1-3(config)#in range f0/14 - 15
sw1-3(config-if-range)#switchport mode trunk
sw1-3(config-if-range)#no sh
sw1-3(config)#in range f0/1 - 3
sw1-3(config-if-range)#switchport mode trunk
sw1-3(config-if-range)#no sh
sw2-3(config)#in range f0/14 - 15
sw2-3(config-if-range)#switchport mode trunk
sw2-3(config-if-range)#no sh
sw2-3(config)#in range f0/1 - 3
sw2-3(config-if-range)#switchport mode trunk
sw2-3(config-if-range)#no sh
sw3(config)#in range f0/1 - 2
sw3(config-if-range)#switchport mode trunk
sw3(config-if-range)#no sh
sw4(config)#in range f0/1 - 2
sw4(config-if-range)#switchport mode trunk
sw4(config-if-range)#no sh
sw5(config)#in range f0/1 - 2
sw5(config-if-range)#switchport mode trunk
sw5(config-if-range)#no sh
sw1-3#show interfaces trunk   verification
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/14 on 802.1q trunking 1
Fa0/15 on 802.1q trunking 1
3. VLAN configuration (created once on the VTP server; VTP distributes them to the other switches):
sw1-3#vlan da
sw1-3(vlan)#vlan 2 name v2
VLAN 2 added:
Name: v2
sw1-3(vlan)#apply
APPLY completed.
sw1-3(vlan)#vlan 3 name v3
VLAN 3 added:
Name: v3
sw1-3(vlan)#apply
APPLY completed.
sw1-3(vlan)#vlan 4 name v4
VLAN 4 added:
Name: v4
sw1-3(vlan)#apply
APPLY completed.
sw1-3(vlan)#vlan 5 name v5
VLAN 5 added:
Name: v5
sw1-3(vlan)#apply
APPLY completed.
sw1-3#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
sw2-3#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
sw3#show vlan-switch   verify that the VTP clients learned the VLANs
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
sw4#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
sw5#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
4. Enable EtherChannel (mode on is a static bundle with no PAgP/LACP negotiation, so both ends must be configured identically):
sw1-3(config)#in range f0/14 - 15
sw1-3(config-if-range)#channel-group 1 mode on
sw1-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Port-channel1 unassigned YES unset up up
sw2-3(config)#in range f0/14 - 15
sw2-3(config-if-range)#channel-group 1 mode on
sw2-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Port-channel1 unassigned YES unset up up
5. Configure STP (per-VLAN spanning tree):
Make SW1-3 the root bridge for VLAN 3 and VLAN 5 and the secondary root for VLAN 2 and VLAN 4.
Make SW2-3 the root bridge for VLAN 2 and VLAN 4 and the secondary root for VLAN 3 and VLAN 5.
This places the STP root on the same switch that will be the HSRP Active gateway for each VLAN (configured below), so traffic is load-shared across both distribution switches and is not forwarded over the inter-switch link to reach its gateway.
sw1-3(config)#spanning-tree vlan 3 root primary
sw1-3(config)#spanning-tree vlan 5 root primary
sw1-3(config)#spanning-tree vlan 2 root secondary
sw1-3(config)#spanning-tree vlan 4 root secondary
sw2-3(config)#spanning-tree vlan 2 root primary
sw2-3(config)#spanning-tree vlan 4 root primary
sw2-3(config)#spanning-tree vlan 5 root secondary
sw2-3(config)#spanning-tree vlan 3 root secondary
6. Verify the STP configuration (on sw3, the root port for VLAN 2 and 4 is Fa0/2 toward the bridge with priority 8192, SW2-3, and for VLAN 3 and 5 it is Fa0/1 toward SW1-3; the other uplink is blocking in each VLAN, as designed):
sw3#show spanning-tree br
VLAN2
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet0/1 128.2 128 19 BLK 12 16384 cc00.0cd8.0001 128.2
FastEthernet0/2 128.3 128 19 FWD 0 8192 cc00.07c8.0001 128.2
VLAN3
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet0/1 128.2 128 19 FWD 0 8192 cc00.0cd8.0002 128.2
FastEthernet0/2 128.3 128 19 BLK 12 16384 cc00.07c8.0002 128.2
VLAN4
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet0/1 128.2 128 19 BLK 12 16384 cc00.0cd8.0003 128.2
FastEthernet0/2 128.3 128 19 FWD 0 8192 cc00.07c8.0003 128.2
VLAN5
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet0/1 128.2 128 19 FWD 0 8192 cc00.0cd8.0004 128.2
FastEthernet0/2 128.3 128 19 BLK 12 16384 cc00.07c8.0004 128.2
7. Configure the routed interfaces:
sw1-3(config)#in f0/0
sw1-3(config-if)#no switchport   turn off layer-2 switching on this port and make it a routed (layer-3) interface
sw1-3(config-if)#ip add 192.168.10.2 255.255.255.252
sw1-3(config-if)#no sh
sw2-3(config)#in f0/0
sw2-3(config-if)#no switchport
sw2-3(config-if)#ip add 192.168.10.6 255.255.255.252
sw2-3(config-if)#no sh
8. Router IP addressing:
r3#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 192.168.10.9 YES manual up up
Serial0/1 202.0.0.1 YES manual up up
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
FastEthernet1/0 192.168.10.1 YES manual up up
FastEthernet2/0 192.168.10.5 YES manual up up
r4#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 192.168.10.10 YES manual up up
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Loopback0 6.6.6.6 YES manual up up
r2#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 201.0.0.2 YES manual up up
Serial0/1 202.0.0.2 YES manual up up
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
r1#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 201.0.0.1 YES manual up up
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Loopback0 7.7.7.7 YES manual up up
sw1-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Vlan2 192.168.1.1 YES manual up up
Vlan3 192.168.4.1 YES manual up up
Vlan4 192.168.5.1 YES manual up up
Vlan5 192.168.6.1 YES manual up up
sw2-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Vlan2 192.168.1.2 YES manual up up
Vlan3 192.168.4.2 YES manual up up
Vlan4 192.168.5.2 YES manual up up
Vlan5 192.168.6.2 YES manual up up
9. OSPF configuration (the lab runs OSPF without neighbor authentication; in production enable MD5 or SHA authentication on every OSPF interface so that a host on one of these VLANs cannot form an adjacency and inject routes):
sw1-3(config)#ip routing   enable IP routing on the switch
sw1-3(config)#router ospf 100
sw1-3(config-router)#network 192.168.10.2 0.0.0.0 area 0
sw1-3(config-router)#network 192.168.1.1 0.0.0.0 area 0
sw1-3(config-router)#network 192.168.4.1 0.0.0.0 area 0
sw1-3(config-router)#network 192.168.5.1 0.0.0.0 area 0
sw1-3(config-router)#network 192.168.6.1 0.0.0.0 area 0
sw2-3(config)#router ospf 100
sw2-3(config-router)#network 192.168.10.6 0.0.0.0 area 0
sw2-3(config-router)#network 192.168.1.2 0.0.0.0 area 0
sw2-3(config-router)#network 192.168.4.2 0.0.0.0 area 0
sw2-3(config-router)#network 192.168.5.2 0.0.0.0 area 0
sw2-3(config-router)#network 192.168.6.2 0.0.0.0 area 0
sw1-3#show ip route   verification
O 192.168.10.4/30 [110/2] via 192.168.6.2, 00:39:43, Vlan5
[110/2] via 192.168.5.2, 00:39:43, Vlan4
[110/2] via 192.168.4.2, 00:39:43, Vlan3
[110/2] via 192.168.1.2, 00:39:43, Vlan2
sw2-3#show ip route
O 192.168.10.0 [110/2] via 192.168.6.1, 00:00:35, Vlan5
[110/2] via 192.168.5.1, 00:00:35, Vlan4
[110/2] via 192.168.4.1, 00:00:35, Vlan3
[110/2] via 192.168.1.1, 00:00:35, Vlan2
r3(config)#router ospf 100
r3(config-router)#network 192.168.10.1 0.0.0.0 area 0
r3(config-router)#network 192.168.10.5 0.0.0.0 area 0
r3(config-router)#network 192.168.10.9 0.0.0.0 area 1
r3(config)#ip route 0.0.0.0 0.0.0.0 202.0.0.2   static default route so that R3 can reach external networks
r3(config)#router ospf 100
r3(config-router)#default-information originate   advertise a default route into OSPF to the internal (stub) routers behind R3, which have no other path to the outside
r4(config)#router ospf 100
r4(config-router)#network 192.168.10.10 0.0.0.0 area 1
r4(config-router)#network 6.6.6.6 0.0.0.0 area 1
Verification (effect of default-information originate):
r4#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:00:18, Serial0/0   default route toward the outside
sw1-3#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:00:28, FastEthernet0/0   default route toward the outside
sw2-3#show ip route
O*E2 0.0.0.0/0 [110/5] via 192.168.10.5, 00:03:01, FastEthernet0/0   default route toward the outside
r1(config)#router ospf 100
r1(config-router)#network 7.7.7.7 0.0.0.0 area 2
r1(config)#ip route 0.0.0.0 0.0.0.0 201.0.0.2
r3#show ip route   verification
6.0.0.0/32 is subnetted, 1 subnets
O 6.6.6.6 [110/65] via 192.168.10.10, 11:19:33, Serial0/0
O 192.168.4.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.5.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.6.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.1.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 202.0.0.2
r4#show ip route
192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
O IA 192.168.10.0/30 [110/65] via 192.168.10.9, 00:48:10, Serial0/0
O IA 192.168.10.4/30 [110/65] via 192.168.10.9, 13:45:10, Serial0/0
O 192.168.10.8/30 [110/128] via 192.168.10.9, 13:45:10, Serial0/0
7.0.0.0/32 is subnetted, 1 subnets
O IA 7.7.7.7 [110/11176] via 192.168.10.9, 11:22:27, Serial0/0
O IA 192.168.4.0/24 [110/66] via 192.168.10.9, 01:31:50, Serial0/0
O IA 192.168.5.0/24 [110/66] via 192.168.10.9, 01:31:40, Serial0/0
O IA 192.168.6.0/24 [110/66] via 192.168.10.9, 01:31:17, Serial0/0
O IA 192.168.1.0/24 [110/66] via 192.168.10.9, 01:32:05, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:00:18, Serial0/0
r2#show ip route
C 201.0.0.0/24 is directly connected, Serial0/0
C 202.0.0.0/24 is directly connected, Serial0/1
r1#show ip route
C 201.0.0.0/24 is directly connected, Serial0/0
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback0
S* 0.0.0.0/0 [1/0] via 201.0.0.2
sw1-3(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.1 150   floating static default route: the administrative distance of 150 is worse than OSPF's 110, so it stays out of the routing table while the OSPF-learned default exists and takes over only when that route is lost, which avoids route flapping
sw2-3(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.5 150   floating static default route, same purpose
r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.9 150   floating static default route, same purpose
10. HSRP (Hot Standby Router Protocol) configuration. The lab leaves HSRP authentication at its default (the plaintext string "cisco"); in production add standby <group> authentication md5 key-string <key> on both switches for every group.
sw1-3(config)#in vlan 2
sw1-3(config-if)#no ip redirects   disable ICMP redirects on the SVI
sw1-3(config-if)#standby 50 ip 192.168.1.254   join HSRP group 50 with this virtual IP
sw1-3(config-if)#standby 50 priority 150   priority 150
sw1-3(config-if)#standby 50 preempt   allow this router to take over Active whenever its priority is the highest
sw1-3(config)#in vlan 3
sw1-3(config-if)#standby 47 ip 192.168.4.254   join HSRP group 47 with this virtual IP
sw1-3(config-if)#standby 47 priority 200   priority 200
sw1-3(config-if)#no ip redirects   disable ICMP redirects on the SVI
sw1-3(config-if)#standby 47 preempt   enable preemption
sw1-3(config-if)#standby 47 track f0/0 100   interface tracking: lower the priority by 100 while f0/0 is down
sw1-3(config)#in vlan 4
sw1-3(config-if)#standby 51 ip 192.168.5.254
sw1-3(config-if)#standby 51 priority 150
sw1-3(config-if)#standby 51 preempt
sw1-3(config-if)#no ip redirects
sw1-3(config)#in vlan 5
sw1-3(config-if)#no ip redirects
sw1-3(config-if)#standby 48 ip 192.168.6.254
sw1-3(config-if)#standby 48 priority 200
sw1-3(config-if)#standby 48 preempt
sw1-3(config-if)#standby 48 track f0/0 100
sw2-3(config)#in vlan 3
sw2-3(config-if)#standby 47 ip 192.168.4.254
sw2-3(config-if)#no ip redirects
sw2-3(config-if)#standby 47 priority 150
sw2-3(config-if)#standby 47 preempt
sw2-3(config)#in vlan 2
sw2-3(config-if)#no ip redirects
sw2-3(config-if)#standby 50 ip 192.168.1.254
sw2-3(config-if)#standby 50 priority 200
sw2-3(config-if)#standby 50 preempt
sw2-3(config-if)#standby 50 track f0/0 100
sw2-3(config)#in vlan 4
sw2-3(config-if)#no ip redirects
sw2-3(config-if)#standby 51 ip 192.168.5.254
sw2-3(config-if)#standby 51 priority 200
sw2-3(config-if)#standby 51 preempt
sw2-3(config-if)#standby 51 track f0/0 100
sw2-3(config)#in vlan 5
sw2-3(config-if)#no ip redirects
sw2-3(config-if)#standby 48 ip 192.168.6.254
sw2-3(config-if)#standby 48 priority 150
sw2-3(config-if)#standby 48 preempt
sw1-3#debug standby   check the result (method 1)
sw1-3#show standby br   check the result (method 2)
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 200 P Active local 192.168.4.2 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 200 P Active local 192.168.6.2 192.168.6.254
sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Standby 192.168.4.1 local 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Standby 192.168.6.1 local 192.168.6.254
sw1-3(config)#in f0/0
sw1-3(config-if)#sh   shut down the tracked interface to test the Active/Standby switchover
sw1-3(config)#do show stan br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 100 P Standby 192.168.4.2 local 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 100 P Standby 192.168.6.2 local 192.168.6.254
sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Active local 192.168.4.1 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Active local 192.168.6.1 192.168.6.254
sw1-3(config)#in f0/0
sw1-3(config-if)#no sh   bring the tracked interface back up
sw1-3#show standby br   check the result: with preempt configured, sw1-3 reclaims Active for VLAN 3 and 5 as soon as its priority is restored
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 200 P Active local 192.168.4.2 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 200 P Active local 192.168.6.2 192.168.6.254
sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Standby 192.168.4.1 local 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Standby 192.168.6.1 local 192.168.6.254
Test successful.
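The three show standby brief tables above can be reproduced from the configured priorities and the track decrement. The following Python model is an added example and not part of the original lab; the names (Member, Group, elect, standby_brief) are my own, and the four groups are entered exactly as configured on sw1-3 and sw2-3 in this section. It applies the HSRP election rules described earlier on this page: highest effective priority wins, the higher real IP breaks a tie, and a router without preempt does not take Active away from a live peer.

```python
"""HSRP Active/Standby election for the four VLAN groups in this lab.

Effective priority = configured priority minus the decrement of every tracked
interface that is down. The highest effective priority becomes Active, the
runner-up Standby; equal priorities are broken by the higher interface IP.
A router with a higher priority only displaces a live Active peer if it has
`preempt` configured.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional, Set, Tuple

@dataclass
class Member:
    router: str
    ip: str                       # real SVI address, used as the tie-breaker
    priority: int                 # `standby <grp> priority`
    preempt: bool = True          # every group on this page uses preempt
    track: Dict[str, int] = field(default_factory=dict)  # interface -> decrement

@dataclass
class Group:
    vlan: str
    number: int
    virtual_ip: str
    members: List[Member]

def effective_priority(m: Member, down: Set[Tuple[str, str]]) -> int:
    """Configured priority minus the decrements whose tracked interface is down."""
    return m.priority - sum(dec for ifc, dec in m.track.items() if (m.router, ifc) in down)

def elect(group: Group, down: Set[Tuple[str, str]],
          current_active: Optional[str] = None) -> Tuple[str, str]:
    """Return (active, standby) router names for one HSRP group."""
    ranked = sorted(group.members,
                    key=lambda m: (effective_priority(m, down), int(IPv4Address(m.ip))),
                    reverse=True)
    best, runner = ranked[0], ranked[1]
    if current_active and current_active != best.router and not best.preempt:
        # Higher priority but no preempt: the incumbent keeps the Active role.
        incumbent = next(m for m in group.members if m.router == current_active)
        return incumbent.router, best.router
    return best.router, runner.router

def lab_groups() -> List[Group]:
    """The four groups exactly as configured on sw1-3 and sw2-3 on this page."""
    t = {"f0/0": 100}  # `standby <grp> track f0/0 100`
    return [
        Group("Vl2", 50, "192.168.1.254", [Member("sw1-3", "192.168.1.1", 150),
                                            Member("sw2-3", "192.168.1.2", 200, track=t)]),
        Group("Vl3", 47, "192.168.4.254", [Member("sw1-3", "192.168.4.1", 200, track=t),
                                            Member("sw2-3", "192.168.4.2", 150)]),
        Group("Vl4", 51, "192.168.5.254", [Member("sw1-3", "192.168.5.1", 150),
                                            Member("sw2-3", "192.168.5.2", 200, track=t)]),
        Group("Vl5", 48, "192.168.6.254", [Member("sw1-3", "192.168.6.1", 200, track=t),
                                            Member("sw2-3", "192.168.6.2", 150)]),
    ]

def standby_brief(down: Iterable[Tuple[str, str]] = ()) -> Dict[str, Tuple[str, str]]:
    """vlan -> (active, standby), given the set of (router, interface) that are down."""
    down = set(down)
    return {g.vlan: elect(g, down) for g in lab_groups()}

if __name__ == "__main__":
    for scenario, down in [("all links up", set()), ("sw1-3 f0/0 shut", {("sw1-3", "f0/0")})]:
        print(scenario)
        for vlan, (act, stb) in standby_brief(down).items():
            print(f"  {vlan}: active={act} standby={stb}")
```

With all links up the model gives sw2-3 Active for Vl2/Vl4 and sw1-3 Active for Vl3/Vl5; with sw1-3's f0/0 shut, its priority in groups 47 and 48 drops from 200 to 100, below sw2-3's 150, so sw2-3 becomes Active in every group, matching the tables above.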
11. NAT configuration (PAT / overload):
Method 1:
r3(config)#access-list 1 permit 192.168.0.0 0.0.255.255   define the interesting traffic (all of 192.168.0.0/16)
r3(config)#route-map fornat permit 10   create route-map fornat, sequence 10
r3(config-route-map)#match ip address 1   match the traffic permitted by access-list 1
r3(config)#ip nat inside source route-map fornat interface s0/1 overload   PAT: translate matching sources to the address of s0/1
Method 2:
r3(config)#access-list 1 permit 192.168.0.0 0.0.255.255
r3(config)#ip nat inside source list 1 interface s0/1 overload
r3(config)#in s0/1
r3(config-if)#ip nat outside
r3(config)#in s0/0
r3(config-if)#ip nat inside
r3(config)#in f1/0
r3(config-if)#ip nat inside
r3(config)#in f2/0
r3(config-if)#ip nat inside
sw2-3#ping 201.0.0.1 source 192.168.1.2   test the NAT configuration
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/193/292 ms
r3#show ip nat translations   inspect the NAT translation table
Pro Inside global Inside local Outside local Outside global
icmp 202.0.0.1:4 192.168.1.2:4 201.0.0.1:4 201.0.0.1:4
sw1-3#ping 201.0.0.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/200/312 ms
r3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.0.0.1:19 192.168.1.1:19 201.0.0.1:19 201.0.0.1:19
r4#ping 201.0.0.1 source 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/208/284 ms
r3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.0.0.1:17 192.168.10.10:17 201.0.0.1:17 201.0.0.1:17
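Both the OSPF network statements in step 9 (each with wildcard 0.0.0.0, binding a single interface address to an area) and access-list 1 above (wildcard 0.0.255.255) rely on Cisco wildcard masks, which are inverse masks and a common source of misconfiguration. The following Python helper is an added example, not part of the original lab; the function names are my own, the statements are copied from R3's configuration on this page, and it assumes IOS picks the most specific network statement when several overlap. Run against the addresses used in the tests above it confirms why R4's transit address 192.168.10.10 was translated (it falls inside 192.168.0.0/16) and shows that R4's 6.6.6.6 network is not covered by the ACL at all, so hosts there would not get out through NAT.

```python
"""Cisco wildcard-mask matching applied to R3's OSPF `network` statements
and NAT access-list 1 from this lab.

A wildcard mask is the inverse of a subnet mask: a 0 bit must match the
configured address, a 1 bit is ignored. `0.0.0.0` therefore matches exactly
one address and `0.0.255.255` matches a whole /16.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if `addr` matches `base` under Cisco wildcard `wildcard`."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF            # bits that must be equal
    return (a & keep) == (b & keep)

def ospf_area(addr: str, statements: List[Tuple[str, str, int]]) -> Optional[int]:
    """Area an interface with address `addr` is placed in, or None if no
    statement covers it. When several statements match, the one with the
    fewest wildcard bits (most specific) wins (assumed IOS behaviour)."""
    hits = [(bin(int(IPv4Address(w))).count("1"), area)
            for base, w, area in statements if wildcard_match(addr, base, w)]
    return min(hits)[1] if hits else None

def nat_candidates(sources: List[str], acl: List[Tuple[str, str, str]]) -> Dict[str, bool]:
    """First-match evaluation of a standard ACL given as (action, base, wildcard)
    entries with the implicit deny at the end. True = source would be translated."""
    verdicts = {}
    for src in sources:
        verdict = False
        for action, base, w in acl:
            if wildcard_match(src, base, w):
                verdict = action == "permit"
                break
        verdicts[src] = verdict
    return verdicts

# r3's `network` statements from step 9 and the tunnel statement from step 12.
R3_OSPF = [("192.168.10.1", "0.0.0.0", 0), ("192.168.10.5", "0.0.0.0", 0),
           ("192.168.10.9", "0.0.0.0", 1), ("1.1.1.1", "0.0.0.0", 2)]
# access-list 1 permit 192.168.0.0 0.0.255.255
R3_NAT_ACL = [("permit", "192.168.0.0", "0.0.255.255")]

if __name__ == "__main__":
    for ifc in ("192.168.10.1", "192.168.10.9", "1.1.1.1", "202.0.0.1"):
        print(f"{ifc:14} -> OSPF area {ospf_area(ifc, R3_OSPF)}")
    probes = ["192.168.1.1", "192.168.10.10", "6.6.6.6", "7.7.7.7"]
    for src, nat in nat_candidates(probes, R3_NAT_ACL).items():
        print(f"{src:14} -> {'translated' if nat else 'NOT translated'}")
```

202.0.0.1 (S0/1) maps to no area, which is correct: the Internet-facing interface is deliberately kept out of OSPF.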
12. Site-to-site VPN configuration (GRE tunnel protected by IPsec):
r3(config)#crypto isakmp enable   enable IKE negotiation
r3(config)#crypto isakmp policy 10   create IKE policy number 10
r3(config-isakmp)#hash md5   hash algorithm MD5
r3(config-isakmp)#authentication pre-share   authenticate the peer with a pre-shared key
r3(config-isakmp)#encryption des   encryption algorithm DES (no group line is set, so the IOS default Diffie-Hellman group 1 applies; DES, MD5 and group 1 are all obsolete and acceptable only in a lab, use AES, SHA-2 and group 14 or higher in practice)
r3(config)#crypto isakmp key 0 qqq111,,, address 201.0.0.1   pre-shared key and the address of the peer it is valid for
r3(config)#crypto ipsec transform-set forvpn esp-des esp-md5-hmac   define a transform set named "forvpn": ESP with DES encryption and HMAC-MD5 integrity. Only ESP is used here, no AH transform is included. (AH only authenticates and cannot encrypt; ESP can do both, which is why ESP alone is the usual choice.)
r3(cfg-crypto-trans)#exit
r3(config)#crypto ipsec profile site2site   create an IPsec profile that ties the tunnel to the IKE/IPsec parameters above
r3(ipsec-profile)#set transform-set forvpn   select the transform set
r3(ipsec-profile)#exit
r3(config)#in tunnel 0   create the virtual tunnel interface 0
r3(config-if)#ip add 1.1.1.1 255.255.255.0   tunnel IP address
r3(config-if)#tunnel source s0/1   tunnel source interface
r3(config-if)#tunnel destination 201.0.0.1   tunnel destination (R1's public address)
r3(config-if)#tunnel protection ipsec profile site2site   protect this tunnel with the "site2site" profile
r3(config-if)#no sh
r3(config)#router ospf 100   advertise the tunnel address into OSPF
r3(config-router)# network 1.1.1.1 0.0.0.0 area 2
r3#show ip in br
Tunnel0 1.1.1.1 YES manual up up
r1(config)#crypto isakmp enable
r1(config)#crypto isakmp policy 10
r1(config-isakmp)#hash md5
r1(config-isakmp)#authentication pre-share
r1(config-isakmp)#encryption des
r1(config)#crypto isakmp key 0 qqq111,,, address 202.0.0.1
r1(config)#crypto ipsec transform-set forvpn esp-des esp-md5-hmac
r1(cfg-crypto-trans)#exit
r1(config)#crypto ipsec profile site2site
r1(ipsec-profile)#set transform-set forvpn
r1(ipsec-profile)#exit
r1(config)#in tunnel 0
r1(config-if)#ip add 1.1.1.2 255.255.255.0
r1(config-if)#tunnel source s0/0
r1(config-if)#tunnel destination 202.0.0.1
r1(config-if)#tunnel protection ipsec profile site2site
r1(config-if)#no sh
r1(config)#router ospf 100
r1(config-router)#network 1.1.1.2 0.0.0.0 area 2
r1(config-router)#exit
r1#show ip route   check the routes learned
O IA 192.168.10.0/30 [110/11112] via 1.1.1.1, 00:00:11, Tunnel0   routes learned through the tunnel
O IA 192.168.10.0/24 [110/11239] via 1.1.1.1, 00:00:11, Tunnel0
O IA 192.168.10.4/30 [110/11112] via 1.1.1.1, 00:00:11, Tunnel0
O IA 192.168.10.8/30 [110/11175] via 1.1.1.1, 00:00:11, Tunnel0
6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/11176] via 1.1.1.1, 00:00:11, Tunnel0
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback0
O IA 192.168.4.0/24 [110/11113] via 1.1.1.1, 01:43:30, Tunnel0
O IA 192.168.5.0/24 [110/11113] via 1.1.1.1, 01:43:21, Tunnel0
O IA 192.168.6.0/24 [110/11113] via 1.1.1.1, 01:42:58, Tunnel0
O IA 192.168.1.0/24 [110/11113] via 1.1.1.1, 01:43:46, Tunnel0
S* 0.0.0.0/0 [1/0] via 201.0.0.2
r1#show crypto engine connections active   show the active security associations and their counters
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Tunnel0 1.1.1.2 set HMAC_MD5+DES_56_CB 0 0
2001 Tunnel0 201.0.0.1 set DES+MD5 0 46
2002 Tunnel0 201.0.0.1 set DES+MD5 42 0
The non-zero Encrypt and Decrypt counters on the IPsec SAs show that the VPN is up and traffic is being protected.
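Before reusing this design outside a lab, the crypto parameters should be reviewed. The following Python script is an added example and not part of the original lab: it parses IOS-style crypto configuration text, flags the algorithms the lab negotiates (DES, MD5, and the IOS default Diffie-Hellman group 1 that applies because the policy has no group line) plus the short pre-shared key, and checks a hardened equivalent. The function names, the 20-character key threshold and the chosen replacements (AES-256, SHA-256, group 14) are my assumptions; the R3 configuration block is reconstructed from the commands in this section.

```python
"""Audit ISAKMP policies, IPsec transform sets and pre-shared keys in an
IOS configuration for deprecated algorithms, and propose replacements.
"""
import re
from typing import Dict, List

# Weak keyword -> proposed replacement (assumption: AES-256, SHA-256 and
# DH group 14 are the minimum the reader's platform supports).
WEAK: Dict[str, str] = {
    "des": "aes 256", "3des": "aes 256",
    "md5": "sha256", "sha": "sha256",            # bare `hash sha` is SHA-1
    "group 1": "group 14", "group 2": "group 14", "group 5": "group 14",
    "esp-des": "esp-aes 256", "esp-3des": "esp-aes 256",
    "esp-md5-hmac": "esp-sha256-hmac", "esp-sha-hmac": "esp-sha256-hmac",
}
MIN_PSK_LEN = 20   # assumption: local policy for pre-shared key length

def audit_isakmp_policy(config: str) -> List[str]:
    """One finding per weak setting in every `crypto isakmp policy` block.
    Unset parameters are filled with the IOS defaults (des, sha, group 1)."""
    findings = []
    for num, body in re.findall(r"crypto isakmp policy (\d+)\n((?:[ \t]+.*\n?)*)", config):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        settings = dict(l.split(None, 1) for l in lines if " " in l)
        enc = settings.get("encryption", "des")
        hsh = settings.get("hash", "sha")
        grp = "group " + settings.get("group", "1")
        for value in (enc, hsh, grp):
            if value in WEAK:
                findings.append(f"policy {num}: {value} -> use {WEAK[value]}")
    return findings

def audit_transform_set(config: str) -> List[str]:
    """Flag weak ESP/AH transforms in every `crypto ipsec transform-set`."""
    findings = []
    for name, algs in re.findall(r"crypto ipsec transform-set (\S+) (.+)", config):
        for alg in algs.split():
            if alg in WEAK:
                findings.append(f"transform-set {name}: {alg} -> use {WEAK[alg]}")
    return findings

def audit_psk(config: str) -> List[str]:
    """Flag pre-shared keys shorter than MIN_PSK_LEN (`key 0 ...` or `key ...`)."""
    findings = []
    for key, peer in re.findall(r"crypto isakmp key (?:0 )?(\S+) address (\S+)", config):
        if len(key) < MIN_PSK_LEN:
            findings.append(f"pre-shared key for {peer}: {len(key)} chars, below {MIN_PSK_LEN}")
    return findings

def audit(config: str) -> List[str]:
    return audit_isakmp_policy(config) + audit_transform_set(config) + audit_psk(config)

# R3's crypto configuration as entered in this section, reconstructed as
# running-config text (constructed sample; the key is the one the lab used).
R3_CRYPTO = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption des
crypto isakmp key 0 qqq111,,, address 201.0.0.1
crypto ipsec transform-set forvpn esp-des esp-md5-hmac
"""

# The same design with current algorithms (proposed, not from the page).
HARDENED = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 <32-or-more-random-characters> address 201.0.0.1
crypto ipsec transform-set forvpn esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for line in audit(R3_CRYPTO):
        print("LAB:     ", line)
    print("HARDENED:", audit(HARDENED) or "no findings")
```

The same three regexes work on a saved show running-config, so the script can be pointed at a whole device configuration rather than the fragment above.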
r3#show ip route
7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/11112] via 1.1.1.2, 06:24:09, Tunnel0
sw1-3#ping 7.7.7.7 source 192.168.1.1   test the VPN from an inside address
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/402/584 ms
r4#ping 7.7.7.7 source 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/340/448 ms
r3#show ip nat translations   check the NAT translation table
r3#
Note: the VPN pings succeed, yet the NAT table is empty. The pings travel inside the GRE/IPsec tunnel: Tunnel0 is not a NAT outside interface, and the encapsulated packets leaving S0/1 are generated by R3 itself from 202.0.0.1, so they never match the inside-to-outside NAT rule.
sw1-3#ping 201.0.0.1 source 192.168.1.1   test that the inside network can still reach the outside after the VPN is configured
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/276/400 ms
r3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.0.0.1:21 192.168.1.1:21 201.0.0.1:21 201.0.0.1:21
Note: the tests show that once the VPN is up it and NAT do not interfere with each other. Traffic between the two sites' internal networks goes through the encrypted tunnel, while traffic from the internal network to the Internet is translated by NAT, which gives a secure and efficient structure.
Because OSPF runs over the tunnel, the VPN has another useful property: when a site adds a new internal subnet, it only has to be advertised into OSPF and the remote site learns the route within seconds, keeping every internal subnet at both sites reachable. For example, after the VPN is in place a new subnet is created behind R1 and made reachable from the peer site's internal network as follows:
r1(config)#in lo1   create the new subnet
r1(config-if)#ip add 2.2.2.2 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#router ospf 100   advertise it
r1(config-router)#network 2.2.2.2 0.0.0.0 area 2
sw1-3#show ip route   check that the route arrived
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/11113] via 192.168.10.1, 06:56:05, FastEthernet0/0
sw1-3#ping 2.2.2.2 source 192.168.1.1   test
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!   success
Success rate is 100 percent (5/5), round-trip min/avg/max = 332/388/496 ms