1. Topology:
2. Basic interface configuration:
R1:
R1(config-if)#int f0/0
R1(config-if)#ip add 202.100.12.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f0/1
R1(config-if)#ip add 202.100.14.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int l0
R1(config-if)#ip add 202.100.1.1 255.255.255.0
R1(config-if)#int l1
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R2:
R2(config)#int f0/0
R2(config-if)#ip add 202.100.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f0/1
R2(config-if)#ip add 202.100.23.2 255.255.255.0
R2(config-if)#no sh
R4:
R4(config)#int f0/0
R4(config-if)#ip add 202.100.14.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#int f0/1
R4(config-if)#ip add 202.100.34.4 255.255.255.0
R4(config-if)#no sh
R3:
R3(config)#int f0/0
R3(config-if)#ip add 202.100.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f0/1
R3(config-if)#ip add 202.100.34.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int l0
R3(config-if)#ip add 202.100.3.3 255.255.255.0
R3(config-if)#int l1
R3(config-if)#ip add 192.168.3.3 255.255.255.0
3. Routing configuration:
The dynamic routing protocol OSPF provides redundancy across the physical links:
R1(config-if)#router ospf 10
R1(config-router)#net 202.100.12.1 0.0.0.0 a 0
R1(config-router)#net 202.100.1.1 0.0.0.0 a 0
R1(config-router)#net 202.100.14.1 0.0.0.0 a 0
R2(config-if)#router ospf 10
R2(config-router)#net 202.100.12.2 0.0.0.0 a 0
R2(config-router)#net 202.100.23.2 0.0.0.0 a 0
R4(config)#router ospf 10
R4(config-router)#net 202.100.14.4 0.0.0.0 a 0
R4(config-router)#net 202.100.34.4 0.0.0.0 a 0
R3(config-if)#router ospf 10
R3(config-router)#net 202.100.23.3 0.0.0.0 a 0
R3(config-router)#net 202.100.34.3 0.0.0.0 a 0
R3(config-router)#net 202.100.3.3 0.0.0.0 a 0
Confirm that the loopback encryption endpoints can ping each other:
R1#ping 202.100.3.3 source 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.3.3, timeout is 2 seconds:
Packet sent with a source address of 202.100.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/91/160 ms
4. VPN configuration:
A. Phase 1 policy:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#au pr
R1(config-isakmp)#ha md
R1(config-isakmp)#gr 2
R1(config-isakmp)#en 3des
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco address 202.100.3.3
R3(config)#crypto isakmp policy 10
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash md5
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 cisco add 202.100.1.1
B. Phase 2 policy:
R1(config)#crypto ipsec transform-set transet esp-3des esp-sha-hmac
R3(config)#crypto ipsec transform-set transet esp-3des esp-sha-hmac
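A check for the phase 1 and phase 2 settings above, as an added example that is not part of the original page: it resolves IOS keyword abbreviations (R1 types "ha md" where R3 types "hash md5") and flags 3DES, MD5 and DH groups 1, 2 and 5, which this example treats as legacy. The names audit and expand and the weak-value lists are assumptions of the example; the sample session is constructed from the commands on this page.

```python
import re

# IOS accepts any unambiguous prefix of a keyword ("en 3des", "ha md", "gr 2").
ISAKMP_KEYWORDS = "authentication default encryption exit group hash lifetime no".split()
HASH_VALUES = "md5 sha sha256 sha384 sha512".split()
# Legacy values flagged by this example (its own policy, not from the page).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
PROMPT = re.compile(r"^(\w+)\(([\w-]+)\)#\s*(.*)$")

def expand(word, candidates):
    """Resolve an IOS-style abbreviation; None if unknown or ambiguous."""
    word = word.lower()
    if word in candidates:
        return word
    hits = [c for c in candidates if c.startswith(word)]
    return hits[0] if len(hits) == 1 else None

def audit(session):
    """Return sorted (router, finding) pairs for legacy IKE/IPsec settings."""
    findings = set()
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        router, mode, words = m.group(1), m.group(2), m.group(3).lower().split()
        if mode == "config-isakmp" and len(words) >= 2:
            key = expand(words[0], ISAKMP_KEYWORDS)
            value = expand(words[1], HASH_VALUES) if key == "hash" else words[1]
            if value in WEAK.get(key, ()):
                findings.add((router, f"isakmp {key} {value}"))
        elif mode == "config" and words[:3] == ["crypto", "ipsec", "transform-set"]:
            findings.update((router, f"transform {t}")
                            for t in words[4:] if t in WEAK_TRANSFORMS)
    return sorted(findings)

# Constructed input: phase 1 and phase 2 commands from this page, one per line.
SESSION = """\
R1(config-isakmp)#ha md
R1(config-isakmp)#gr 2
R1(config-isakmp)#en 3des
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash md5
R3(config-isakmp)# group 2
R1(config)#crypto ipsec transform-set transet esp-3des esp-sha-hmac
R3(config)#crypto ipsec transform-set transet esp-3des esp-sha-hmac
"""

if __name__ == "__main__":
    print("\n".join(f"{r}: {f}" for r, f in audit(SESSION)))
```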
C. Profile referencing the phase 2 transform set:
R1(config)#crypto ipsec profile ipsecpro
R1(ipsec-profile)#set transform-set transet
R1(ipsec-profile)#exit
R3(config)#crypto ipsec profile ipsecpro
R3(ipsec-profile)#set transform-set transet
R3(ipsec-profile)#exit
D. Static VTI interface configuration:
R1(config)#int tun 0
R1(config-if)#tun source loopback 0
R1(config-if)#tunnel destination 202.100.3.3
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile ipsecpro
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R3(config)#int tun 0
R3(config-if)#tunnel source loopback 0
R3(config-if)#tunnel destination 202.100.1.1
R3(config-if)#tun mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile ipsecpro
R3(config-if)#ip add 172.16.1.3 255.255.255.0
E. Dynamic routing protocol:
R1(config)#router eigrp 10
R1(config-router)#no auto-summary
R1(config-router)#net 172.16.1.0 0.0.0.255
R1(config-router)#net 192.168.1.0 0.0.0.255
R3(config)#router eigrp 10
R3(config-router)#no auto-summary
R3(config-router)#net 172.16.1.0 0.0.0.255
R3(config-router)#net 192.168.3.0 0.0.0.255
5. Verification:
A. Dynamic routing:
R1#show ip route ospf
O    202.100.23.0/24 [110/20] via 202.100.12.2, 00:31:50, FastEthernet0/0
     202.100.3.0/32 is subnetted, 1 subnets
O       202.100.3.3 [110/21] via 202.100.14.4, 00:18:47, FastEthernet0/1
                    [110/21] via 202.100.12.2, 00:18:47, FastEthernet0/0
O    202.100.34.0/24 [110/20] via 202.100.14.4, 00:19:48, FastEthernet0/1
R1#show ip route eigrp
D    192.168.3.0/24 [90/297372416] via 172.16.1.3, 00:02:31, Tunnel0
R3#show ip route ospf
     202.100.1.0/32 is subnetted, 1 subnets
O       202.100.1.1 [110/21] via 202.100.34.4, 00:18:01, FastEthernet0/1
                    [110/21] via 202.100.23.2, 00:18:11, FastEthernet0/0
O    202.100.14.0/24 [110/20] via 202.100.34.4, 00:18:01, FastEthernet0/1
O    202.100.12.0/24 [110/20] via 202.100.23.2, 00:18:11, FastEthernet0/0
R3#show ip route ei
R3#show ip route eigrp
D    192.168.1.0/24 [90/297372416] via 172.16.1.1, 00:01:39, Tunnel0
B. VPN status:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.1     202.100.3.3     QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto engine connections active
Crypto Engine Connections
   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Fa0/1      IPsec 3DES+SHA                  0       66 202.100.1.1
    2 Fa0/1      IPsec 3DES+SHA                 73        0 202.100.1.1
 1001 Fa0/1      IKE   MD5+3DES                  0        0 202.100.1.1
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.1     202.100.3.3     QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#show crypto engine connections active
Crypto Engine Connections
   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Tu0        IPsec 3DES+SHA                  0       90 202.100.3.3
    2 Tu0        IPsec 3DES+SHA                 84        0 202.100.3.3
 1001 Tu0        IKE   MD5+3DES                  0        0 202.100.3.3
R3#
C. Shut down one physical interface; the VPN connection is not interrupted:
R1(config)#int f0/1
R1(config-if)#shu
R1(config-if)#
*Mar 1 00:47:17.555: %OSPF-5-ADJCHG: Process 10, Nbr 202.100.34.4 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-if)#
*Mar 1 00:47:19.539: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar 1 00:47:20.539: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
R1(config-if)#end
R1#ping 192.168.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/147/180 ms
R1#
Reposted from: http://smfvl.baihongyu.com/