高级网络综合实战架构案例

高级网络综合实战架构案例实验拓朴描述:
1. SW1-3,SW2-3,为内部三层交换机,负责内部通向外部和内部网段之间的数据交换转发,SW3,SW4,SW5为内部接入层交换机,负责内部网络接入,R3为连接内外到外部和区域间的路由器.形成了一个内部网络结构.(区域0)2. R4为内部区域1路由器,连接区域1内网络,R3为连接区域1到外部和内部区域0的路由器.3. R1为远程内部网络区域2中连接内部网络和外部网络的路由器,且是连接R3和区域0配置站点到站点的路由器.4. R2为互联网上路由器..连接所有内部网络.5. 接入层3台交换机“Catalyst2950-48”汇聚层2台3层交换机“CISCO3550-48” 路由器4台cisco 2600xm。

实验相关IP配置:1. Sw1-3三层交换机上面配置:Vlan2:192.168.1.1/24Vlan3:192.168.4.1/24Vlan4:192.168.5.1/24Vlan5:192.168.6.1/242. Sw2-3三层交换机面配置: Vlan2:192.168.1.2/24Vlan3:192.168.4.2/24Vlna4:192.168.5.2/24Vlan5:192.168.6.2/243. HSRP虚拟地址: Vlan2:192.168.1.254.Vlan3:192.168.4.254.Vlan4:192.168.5.254.Vlan5:192.168.6.254. 4. 两端虚拟隧道地址: R3:1.1.1.1/24R1:1.1.1.2/24
5．NAT采用端口复用地址转换。“S0/1”

实验相关协议简介：
1． VTP协议：VLAN中继协议（VTP，VLAN TRUNKING PROTOCOL）是CISCO专 用协议，大多数交换机都支持该协议．VTP负责在VTP域内同步VLAN信息，这样就不必在每个交换上配置相同的VLAN信息．
2． STP协议：STP（Spanning Tree Protocol）是生成树协议的英文缩写。该协议可应用于环路网络，通过一定的算法实现路径冗余，同时将环路网络修剪成无环路的树型网络，从而避免报文在环路网络中的增生和无限循环。
3． OSPF协议：OSPF(Open Shortest Path First)是一个内部网关协议(Interior Gateway Protocol,简称IGP)，用于在单一自治系统(autonomous system,AS)内决策路由。与RIP相对，OSPF是链路状态路由协议，而RIP是距离向量路由协议。（外部网关协议为：Exterior Gateway,Protocols EGP）
4． HSRP协议：HSRP：热备份路由器协议（HSRP：Hot Standby Router Protocol，热备份路由器协议（HSRP）的设计目标是支持特定情况下 IP 流量失败转移不会引起混乱、并允许主机使用单路由器，以及即使在实际第一跳路由器使用失败的情形下仍能维护路由器间的连通性。换句话说，当源主机不能动态知道第一跳路由器的 IP 地址时，HSRP 协议能够保护第一跳路由器不出故障。该协议中含有多种路由器，对应一个虚拟路由器。HSRP 协议只支持一个路由器代表虚拟路由器实现数据包转发过程。终端主机将它们各自的数据包转发到该虚拟路由器上。负责转发数据包的路由器称之为主动路由器（Active Router）。一旦主动路由器出现故障，HSRP 将激活备份路由器（Standby Routers）取代主动路由器。HSRP 协议提供了一种决定使用主动路由器还是备份路由器的机制，并指定一个虚拟的 IP 地址作为网络系统的缺省网关地址。如果主动路由器出现故障，备份路由器（Standby Routers）承接主动路由器的所有任务，并且不会导致主机连通中断现象，HSRP 运行在 UDP 上，采用端口号1985。路由器转发协议数据包的源地址使用的是实际 IP 地址，而并非虚拟地址，正是基于这一点，HSRP 路由器间能相互识别.

5． NAT协议： NAT英文全称是“Network Address Translation”，中文意思是“网络地址转换”，它是一个IETF(Internet Engineering Task Force, Internet工程任务组)标准，允许一个整体机构以一个公用IP（Internet Protocol）地址出现在Internet上。顾名思义，它是一种把内部私有网络地址（IP地址）翻译成合法网络IP地址的技术。
6． 协议：的英文全称是“Virtual Private Network”，翻译过来就是“虚拟专用网络”。顾名思义，虚拟专用网络我们可以把它理解成是虚拟出来的企业内部专线，虚拟专用网（）被定义为通过一个公用网络（通常是因特网）建立一个临时的、安全的连接，是一条穿过混乱的公用网络的安全、稳定的隧道。

实验目标:1. 通过网络拓朴结构配置VTP协议,STP生成树协议使内部网络具有高效而稳定的性能,从而对链路形成冗余功能,2. 在不同区域中启用OSPF链路状态路由协议,使网络互通.3. 通过配置HSRP热备份路由协议,确保边缘设备出现故障时,用户可正常工作.4. 在R3上面配置NAT端口地址复用转换是内部指定网络可以访问外部网络.5. 在R1和R3上面配置站点TO站点 ,使两个站点内部网络可以安全互通.6. 通过以上的配置形成一个高效,稳定的,安全的,且有冗余功能的网络结构.

实验步骤详解：配置前相关设置：（如要设备是新的则不用配置）
#Clear line 1—8 清除指定线路（8脚线）#erase statup-config 清除配置。#reload 重启设备，#show flash: 查看之前的vlans配置数据库。#delete flash:vlan.dat 删除之前的vlan配置数据库。

1．配置VTP：sw1-3(vlan)#vtp domain testChanging VTP domain name from NULL to testsw1-3(vlan)#vtp serverDevice mode already VTP SERVER.sw1-3(vlan)#vtp password 111111Setting device VLAN database password to 111111.sw1-3(vlan)#vtp v2-mode V2 mode enabled.sw1-3(vlan)#vtp pruning Pruning switched ON
sw2-3(vlan)#vtp domain testChanging VTP domain name from NULL to testsw2-3(vlan)#vtp domain serverChanging VTP domain name from test to serversw2-3(vlan)#vtp password 111111Setting device VLAN database password to 111111.sw2-3(vlan)#vtp v2-mode V2 mode enabled.sw2-3(vlan)#vtp pruning Pruning switched ON
sw3(vlan)#vtp domain testChanging VTP domain name from NULL to testsw3(vlan)#vtp clientSetting device to VTP CLIENT mode.sw3(vlan)#vtp password 111111Setting device VLAN database password to 111111.sw4(vlan)#vtp domain testChanging VTP domain name from NULL to testsw4(vlan)#vtp client Setting device to VTP CLIENT mode.sw4(vlan)#vtp password 111111Setting device VLAN database password to 111111.sw4(vlan)#exit
sw5(vlan)#vtp domain testChanging VTP domain name from NULL to testsw5(vlan)#vtp client Setting device to VTP CLIENT mode.sw5(vlan)#vtp password 111111Setting device VLAN database password to 111111.

sw1-3#show vtp status VTP Version : 2Configuration Revision : 5Maximum VLANs supported locally : 256Number of existing VLANs : 9VTP Operating Mode : ServerVTP Domain Name : testVTP Pruning Mode : EnabledVTP V2 Mode : EnabledVTP Traps Generation : DisabledMD5 digest : 0x2B 0xF6 0xD8 0xE3 0x28 0x13 0x8F 0xC4 Configuration last modified by 0.0.0.0 at 3-1-02 00:15:38Local updater ID is 192.168.1.1 on interface Vl2 (lowest numbered VLAN interface found)2．TRUNK配置：sw1-3(config)#in range f0/14 – 15 sw1-3(config-if-range)#switchport mode trunk sw1-3(config-if-range)#no shsw1-3(config)#in range f0/1 – 3sw1-3(config-if-range)#switchport mode trunk sw1-3(config-if-range)#no sh
sw2-3(config)#in range f0/14 – 15sw2-3(config-if-range)#switchport mode trunk sw2-3(config-if-range)#no shsw2-3(config)#in range f0/1 – 3sw2-3(config-if-range)#switchport mode trunk sw2-3(config-if-range)#no sh
sw3(config)#in range f0/1 – 2sw3(config-if-range)#switchport mode trunk sw3(config-if-range)#no sh
sw4(config)#in range f0/1 – 2sw4(config-if-range)#switchport mode trunk sw4(config-if-range)#no sh
sw5(config)#in range f0/1 – 2sw5(config-if-range)#switchport mode trunk sw5(config-if-range)#no sh

sw1-3#show interfaces trunk 测试
Port Mode Encapsulation Status Native vlanFa0/1 on 802.1q trunking 1Fa0/2 on 802.1q trunking 1Fa0/3 on 802.1q trunking 1Fa0/14 on 802.1q trunking 1Fa0/15 on 802.1q trunking 13．VLAN 配置：
sw1-3#vlan dasw1-3(vlan)#vlan 2 name v2VLAN 2 added:Name: v2sw1-3(vlan)#applyAPPLY completed.sw1-3(vlan)#vlan 3 name v3VLAN 3 added:Name: v3sw1-3(vlan)#applyAPPLY completed.sw1-3(vlan)#vlan 4 name v4VLAN 4 added:Name: v4sw1-3(vlan)#applyAPPLY completed.sw1-3(vlan)#vlan 5 name v5VLAN 5 added:Name: v5sw1-3(vlan)#applyAPPLY completed.
sw1-3#show vlan-switch
VLAN Name Status Ports—- ——————————– ——— ——————————-1 default active Fa0/0, Fa0/4, Fa0/5, Fa0/6Fa0/7, Fa0/8, Fa0/9, Fa0/10Fa0/11, Fa0/12, Fa0/132 v2 active 3 v3 active 4 v4 active 5 v5 active 1002 fddi-default active 1003 trcrf-default active 1004 fddinet-default active 1005 trbrf-default active

sw2-3#show vlan-switch
VLAN Name Status Ports—- ——————————– ——— ——————————-1 default active Fa0/0, Fa0/4, Fa0/5, Fa0/6Fa0/7, Fa0/8, Fa0/9, Fa0/10Fa0/11, Fa0/12, Fa0/132 v2 active 3 v3 active 4 v4 active 5 v5 active 1002 fddi-default active 1003 trcrf-default active 1004 fddinet-default active 1005 trbrf-default active
sw3#show vlan-switch 测试客户端是否学到VLAN
VLAN Name Status Ports—- ——————————– ——— ——————————-1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5Fa0/6, Fa0/7, Fa0/8, Fa0/9Fa0/10, Fa0/11, Fa0/12, Fa0/13Fa0/14, Fa0/152 v2 active 3 v3 active 4 v4 active 5 v5 active 1002 fddi-default active 1003 trcrf-default active 1004 fddinet-default active 1005 trbrf-default active
sw4#show vlan-switch
VLAN Name Status Ports—- ——————————– ——— ——————————-1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5Fa0/6, Fa0/7, Fa0/8, Fa0/9Fa0/10, Fa0/11, Fa0/12, Fa0/13Fa0/14, Fa0/152 v2 active 3 v3 active 4 v4 active 5 v5 active 1002 fddi-default active 1003 trcrf-default active 1004 fddinet-default active 1005 trbrf-default active
w5#show vlan-switch
VLAN Name Status Ports—- ——————————– ——— ——————————-1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5Fa0/6, Fa0/7, Fa0/8, Fa0/9Fa0/10, Fa0/11, Fa0/12, Fa0/13Fa0/14, Fa0/152 v2 active 3 v3 active 4 v4 active 5 v5 active 1002 fddi-default active 1003 trcrf-default active 1004 fddinet-default active 1005 trbrf-default active 4．开启以太网通道：w1-3(config)#in range f0/14 – 15sw1-3(config-if-range)#channel-group 1 mode onsw1-3#show ip in brPort-channel1 unassigned YES unset up up
sw2-3(config)#in range f0/14 – 15sw2-3(config-if-range)#channel-group 1 mode on
sw2-3#show ip in brInterface IP-Address OK? Method Status Port-channel1 unassigned YES unset up up

5．配置STP生成协议：
将SWITCH1配置为VLAN3、VLAN5的根桥，VLAN2、VLAN4的次根桥将SWITCH2配置为VLAN2、VLAN4的根桥，VLAN3、VLAN5的次根桥
sw1-3(config)#spanning-tree vlan 3 root primary sw1-3(config)#spanning-tree vlan 5 root primary sw1-3(config)#spanning-tree vlan 2 root secondary sw1-3(config)#spanning-tree vlan 4 root secondary
sw2-3(config)#spanning-tree vlan 2 root primary sw2-3(config)#spanning-tree vlan 4 root primary sw2-3(config)#spanning-tree vlan 5 root secondary sw2-3(config)#spanning-tree vlan 3 root secondary
6.验证STP配置

Sw3(config)#show spanning-tree br
VLAN2
Name Port ID Prio Cost Sts Cost Bridge ID Port ID——————– ——- —- —– — —– ——————– ——-FastEthernet0/1 128.2 128 19 BLK 12 16384 cc00.0cd8.0001 128.2 FastEthernet0/2 128.3 128 19 FWD 0 8192 cc00.07c8.0001 128.2
VLAN3
Name Port ID Prio Cost Sts Cost Bridge ID Port ID——————– ——- —- —– — —– ——————– ——-FastEthernet0/1 128.2 128 19 FWD 0 8192 cc00.0cd8.0002 128.2 FastEthernet0/2 128.3 128 19 BLK 12 16384 cc00.07c8.0002 128.2
VLAN4
Name Port ID Prio Cost Sts Cost Bridge ID Port ID——————– ——- —- —– — —– ——————– ——-FastEthernet0/1 128.2 128 19 BLK 12 16384 cc00.0cd8.0003 128.2 FastEthernet0/2 128.3 128 19 FWD 0 8192 cc00.07c8.0003 128.2
VLAN5
Name Port ID Prio Cost Sts Cost Bridge ID Port ID——————– ——- —- —– — —– ——————– ——-FastEthernet0/1 128.2 128 19 FWD 0 8192 cc00.0cd8.0004 12免费云主机域名8.2 FastEthernet0/2 128.3 128 19 BLK 12 16384 cc00.07c8.0004 128.2

7．配置路由接口：sw1-3(config)#in f0/0sw1-3(config-if)#no switchport 关闭接换功能 sw1-3(config-if)#ip add 192.168.10.2 255.255.255.252sw1-3(config-if)#no sh
sw2-3(config)#in f0/0sw2-3(config-if)#no switchport sw2-3(config-if)#ip add 192.168.10.6 255.255.255.252sw2-3(config-if)#no sh
8．路由相关IP配置：
r3#show ip in brInterface IP-Address OK? Method Status ProtocolSerial0/0 192.168.10.9 YES manual up up Serial0/1 202.0.0.1 YES manual up up Serial0/2 unassigned YES unset administratively down down Serial0/3 unassigned YES unset administratively down down FastEthernet1/0 192.168.10.1 YES manual up up FastEthernet2/0 192.168.10.5 YES manual up up
r4#show ip in br Interface IP-Address OK? Method Status ProtocolSerial0/0 192.168.10.10 YES manual up up Serial0/1 unassigned YES unset administratively down down Serial0/2 unassigned YES unset administratively down down Serial0/3 unassigned YES unset administratively down down Loopback0 6.6.6.6 YES manual up up
r2#show ip in br Interface IP-Address OK? Method Status ProtocolSerial0/0 201.0.0.1 YES manual up up Serial0/1 202.0.0.2 YES manual up up Serial0/2 unassigned YES unset administratively down down Serial0/3 unassigned YES unset administratively down down
r1#show ip in br Interface IP-Address OK? Method Status ProtocolSerial0/0 201.0.0.1 YES manual up up Serial0/1 unassigned YES unset administratively down down Serial0/2 unassigned YES unset administratively down down Serial0/3 unassigned YES unset administratively down down Loopback0 7.7.7.7 YES manual up up

sw1-3#show ip in br ProtocolVlan2 192.168.1.1 YES manual up up Vlan3 192.168.4.1 YES manual up up Vlan4 192.168.5.1 YES manual up up Vlan5 192.168.6.1 YES manual up up sw1-3#
sw2-3#show ip in brProtocolVlan2 192.168.1.2 YES manual up up Vlan3 192.168.4.2 YES manual up up Vlan4 192.168.5.2 YES manual up up Vlan5 192.168.6.2 YES manual up up

9．OSPF配置
sw1-3(config)#ip routing 启动路由功能
sw1-3(config)#router ospf 100sw1-3(config-router)#network 192.168.10.2 0.0.0.0 area 0sw1-3(config-router)#network 192.168.1.1 0.0.0.0 area 0sw1-3(config-router)#network 192.168.4.1 0.0.0.0 area 0sw1-3(config-router)#network 192.168.5.1 0.0.0.0 area 0sw1-3(config-router)#network 192.168.6.1 0.0.0.0 area 0
sw2-3(config)#router ospf 100sw2-3(config-router)#network 192.168.10.6 0.0.0.0 area 0sw2-3(config-router)#network 192.168.1.2 0.0.0.0 area 0sw2-3(config-router)#network 192.168.4.2 0.0.0.0 area 0sw2-3(config-router)#network 192.168.5.2 0.0.0.0 area 0sw2-3(config-router)#network 192.168.6.2 0.0.0.0 area 0

sw1-3#show ip route 测试
O 192.168.10.4/30 [110/2] via 192.168.6.2, 00:39:43, Vlan5[110/2] via 192.168.5.2, 00:39:43, Vlan4[110/2] via 192.168.4.2, 00:39:43, Vlan3[110/2] via 192.168.1.2, 00:39:43, Vlan2sw2-3#show ip route
O 192.168.10.0 [110/2] via 192.168.6.1, 00:00:35, Vlan5[110/2] via 192.168.5.1, 00:00:35, Vlan4[110/2] via 192.168.4.1, 00:00:35, Vlan3[110/2] via 192.168.1.1, 00:00:35, Vlan2
r3(config)#router ospf 100r3(config-router)#network 192.168.10.1 0.0.0.0 area 0r3(config-router)#network 192.168.10.5 0.0.0.0 area 0r3(config-router)#network 192.168.10.9 0.0.0.0 area 1
r3(config)#ip route 0.0.0.0 0.0.0.0 202.0.0.2 配置静态缺省路由，是之能够访问外部网络。
r3(config)#router ospf 100r3(config-router)#default-information originate 向连接在自己上面的内部末梢网络路由器宣告一个出向外部的缺省路由（此命令用于末梢网络）
r4(config)#router ospf 100 r4(config-router)#network 192.168.10.10 0.0.0.0 area 1r4(config-router)#network 6.6.6.6 0.0.0.0 area 1

测试（default-intormation originate 命令的结果）
r4#show ip route O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:00:18, Serial0/0 去向外部的缺省路由
sw1-3#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:00:28, FastEthernet0/0 去向外部的缺省路由
sw2-3#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.5, 00:03:01, FastEthernet0/0 去向外部的缺省路由
r1(config)#router ospf 100r1(config-router)#network 7.7.7.7 0.0.0.0 area 2
r1(config)#ip route 0.0.0.0 0.0.0.0 201.0.0.2
r3#show ip route 测试6.0.0.0/32 is subnetted, 1 subnetsO 6.6.6.6 [110/65] via 192.168.10.10, 11:19:33, Serial0/0O 192.168.4.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0O 192.168.5.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0O 192.168.6.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0O 192.168.1.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0S* 0.0.0.0/0 [1/0] via 202.0.0.2
r4#show ip route
192.168.10.0/24 is variably subnetted, 4 subnets, 2 masksO IA 192.168.10.0/30 [110/65] via 192.168.10.9, 00:48:10, Serial0/0O IA 192.168.10.4/30 [110/65] via 192.168.10.9, 13:45:10, Serial0/0O 192.168.10.8/30 [110/128] via 192.168.10.9, 13:45:10, Serial0/07.0.0.0/32 is subnetted, 1 subnetsO IA 7.7.7.7 [110/11176] via 192.168.10.9, 11:22:27, Serial0/0O IA 192.168.4.0/24 [110/66] via 192.168.10.9, 01:31:50, Serial0/0O IA 192.168.5.0/24 [110/66] via 192.168.10.9, 01:31:40, Serial0/0O IA 192.168.6.0/24 [110/66] via 192.168.10.9, 01:31:17, Serial0/0O IA 192.168.1.0/24 [110/66] via 192.168.10.9, 01:32:05, Serial0/0O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:00:18, Serial0/0
r2#show ip route
C 201.0.0.0/24 is directly connected, Serial0/0C 202.0.0.0/24 is directly connected, Serial0/1
r1#show ip route
C 201.0.0.0/24 is directly connected, Serial0/07.0.0.0/24 is subnetted, 1 subnetsC 7.7.7.0 is directly connected, Loopback0S* 0.0.0.0/0 [1/0] via 201.0.0.2
sw1-3(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.1 150 防止路由条目斗动，多添加一条缺省路目条目，当刚才那条路由条目故障时，则用这条。OK状态下是看不到那条目的。
sw2-3(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.5 150 防止路由条目斗动
r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.9 150 防止路由条目斗动
10.HSRP热备份路由协议配置:
sw1-3(config)#in vlan 2sw1-3(config-if)#no ip redirects 关闭端口重定向。sw1-3(config-if)#standby 50 ip 192.168.1.254 配置 HSRP 成员sw1-3(config-if)#standby 50 priority 150 优先级为 150sw1-3(config-if)#standby 50 preempt 配置占先权
sw1-3(config)#in vlan 3sw1-3(config-if)#standby 47 ip 192.168.4.254 配置 HSRP 成员sw1-3(config-if)#standby47 priority 200 优先级为 200sw1-3(config-if)#no ip redirects 关闭端口重定向。sw1-3(config-if)#standby 47 preempt 配置占先权sw1-3(config-if)#standby 47 track f0/0 100 配置端口跟踪

sw1-3(config)#in vlan 4ssw1-3(config-if)#standby 51 ip 192.168.5.254sw1-3(config-if)#standby 51 priority 150sw1-3(config-if)#standby 51 preempt sw1-3(config-if)#no ip redirects
sw1-3(config)#in vlan 5sw1-3(config-if)#no ip redirects sw1-3(config-if)#standby 48 ip 192.168.6.254sw1-3(config-if)#standby48 priority 200sw1-3(config-if)#standby48 preempt sw1-3(config-if)#standby 48 track f0/0 100

sw2-3(config)#in vlan 3sw2-3(config-if)#standby 47ip 192.168.4.254sw2-3(config-if)#no ip redirects sw2-3(config-if)#standby 47 priority 150sw2-3(config-if)#standby 47 preempt
sw2-3(config)#in vlan 2sw2-3(config-if)#no ip redirects sw2-3(config-if)#standby 50 ip 192.168.1.254sw2-3(config-if)#standby 50 priority 200sw2-3(config-if)#standby50 preempt sw1-3(config-if)#standby 50 track f0/0 100

sw2-3(config)#in vlan 4sw2-3(config-if)#no ip redirects sw2-3(config-if)#standby 51 ip 192.168.5.254sw2-3(config-if)#standb 51 priority 200sw2-3(config-if)#standby 51 preempt sw1-3(config-if)#standby 51 track f0/0 100

sw2-3(config)#in vlan 5sw2-3(config-if)#no ip redirects sw2-3(config-if)#standby 48ip 192.168.6.254sw2-3(config-if)#standb 48 priority 150sw2-3(config-if)#standb 48 preempt
sw1-3#debug standby 查看配置结果 (方法1)
sw1-3# show standby br 查看配置结果（方法2）Interface Grp Prio P State Active Standby Virtual IP Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254 Vl3 47 200 P Active local 192.168.4.2 192.168.4.254 Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254 Vl5 48 200 P Active local 192.168.6.2 192.168.6.254

sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP Vl2 50 200 P Active local 192.168.1.1 192.168.1.254 Vl3 47 150 P Standby 192.168.4.1 local 192.168.4.254 Vl4 51 200 P Active local 192.168.5.1 192.168.5.254 Vl5 48 150 P Standby 192.168.6.1 local 192.168.6.254

sw1-3(config)#in f0/0sw1-3(config-if)#sh 关闭跟踪接口.测试主备间的转换

sw1-3(config)#do show stan br
Interface Grp Prio P State Active Standby Virtual IP Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254 Vl3 47 100 P Standby 192.168.4.2 local 192.168.4.254 Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254 Vl5 48 100 P Standby 192.168.6.2 local 192.168.6.254
sw2-3#show standby br|Interface Grp Prio P State Active Standby Virtual IP Vl2 50 200 P Active local 192.168.1.1 192.168.1.254 Vl3 47 150 P Active local 192.168.4.1 192.168.4.254 Vl4 51 200 P Active local 192.168.5.1 192.168.5.254 Vl5 48 150 P Active local 192.168.6.1 192.168.6.254

sw1-3(config)#in f0/0sw1-3(config-if)#no sh 二次启动跟踪端口,

sw1-3# show standby br 查看配置结果Interface Grp Prio P State Active Standby Virtual IP Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254 Vl3 47 200 P Active local 192.168.4.2 192.168.4.254 Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254 Vl5 48 200 P Active local 192.168.6.2 192.168.6.254

sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP Vl2 50 200 P Active local 192.168.1.1 192.168.1.254 Vl3 47 150 P Standby 192.168.4.1 local 192.168.4.254 Vl4 51 200 P Active local 192.168.5.1 192.168.5.254 Vl5 48 150 P Standby 192.168.6.1 local 192.168.6.254

测试成功:
12．NAT配置（端口复用）
方法1：r3(config)#access-list 1 permit 192.168.0.0 0.0.255.255 设置感兴趣的流量r3(config)#route-map fornat permit 10 建路由策略优先级10r3(config-route-map)#match ip add 1 抓取列表1的流量。r3(config)#ip nat inside source route-map fornat interface s0/1 overload NAT端口复用转换
方法2：r3(config)#access-list 1 permit 192.168.0.0 0.0.255.255r3(config)#ip nat inside source list 1 interface s0/1 overload
r3(config)#in s0/1r3(config-if)#ip nat outside r3(config)#in s0/0r3(config-if)#ip nat inside r3(config)#in f1/0r3(config-if)#ip nat inside r3(config)#in f2/0r3(config-if)#ip nat inside

sw2-3#ping 201.0.0.1 source 192.168.1.2 测试NAT配置结果Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:Packet sent with a source address of 192.168.1.2 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 108/193/292 ms
r3#show ip nat translations NAT转换分析Pro Inside global Inside local Outside local Outside globalicmp 202.0.0.1:4 192.168.1.2:4 201.0.0.1:4 201.0.0.1:4

sw1-3#ping 201.0.0.1 source 192.168.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:Packet sent with a source address of 192.168.1.1 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 156/200/312 ms
r3#show ip nat translations Pro Inside global Inside local Outside local Outside globalicmp 202.0.0.1:19 192.168.1.1:19 201.0.0.1:19 201.0.0.1:19

r4#ping 201.0.0.1 source 192.168.10.10Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:Packet sent with a source address of 192.168.10.10 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 152/208/284 ms
r3#show ip nat translations Pro Inside global Inside local Outside local Outside globalicmp 202.0.0.1:17 192.168.10.10:17 201.0.0.1:17 201.0.0.1:17
13．站点到站点配置：
r3(config)#crypto isakmp enable 启动IKE协商r3(config)#crypto isakmp policy 10 建立编号为”10″的IKE协商策略r3(config-isakmp)#hash md5 配置密码认证的方法为”md5″r3(config-isakmp)#authentication pre-share 配置路由器使用预先共享的密钥.r3(config-isakmp)#encryption des 配置加密所使用的算法.”DES
r3(config)#crypto isakmp key 0 qqq111,,, address 201.0.0.1 配置安全连接对端的要使的密码和对端IP地址。r3(config)#crypto ipsec transform-set for*** esp-des esp-md5-hmac （配置IPSec 将同时使用AH和ESP协议,使用传输模式名称为”for***”,其中AH的验证采用MD5的算法,ESP加密采用DES的算法.(AH只能验证,不能加密,而ESP能加密,还能验证,但功能,比AH差一些.)r3(cfg-crypto-trans)#exit
r3(config)#crypto ipsec profile site2site 指定sitetosit用上面所配置密码钥匙扣协商r3(ipsec-profile)#set transform-set for*** 指定使用传输模式r3(ipsec-profile)#exit
r3(config)#in tunnel 0 进入虚拟隧道 0r3(config-if)#ip add 1.1.1.1 255.255.255.0 配置IP地址。r3(config-if)#tunnel source s0/1 虚拟隧道原接口r3(config-if)#tunnel destination 201.0.0.1 虚拟隧道目标地址。r3(config-if)#tunnel protection ipsec profile site2site 此隧道应用于“site2site”r3(config-if)#no sh
r3(config)#router ospf 100 宣告此地址。r3(config-router)# network 1.1.1.1 0.0.0.0 area 2
r3#show ip in brTunnel0 1.1.1.1 YES manual up up

r1(config)#crypto isakmp enable r1(config)#crypto isakmp policy 10r1(config-isakmp)#hash md5r1(config-isakmp)#authentication pre-share r1(config-isakmp)#encryption des
r1(config)#crypto isakmp key 0 qqq111,,, address 202.0.0.1r1(config)#crypto ipsec transform-set for*** esp-des esp-md5-hmac r1(cfg-crypto-trans)#exit
r1(config)#crypto ipsec profile site2siter1(ipsec-profile)#set transform-set for***r1(ipsec-profile)#exit
r1(config)#in tunnel 0r1(config-if)#ip add 1.1.1.2 255.255.255.0r1(config-if)#tunnel source s0/0r1(config-if)#tunnel destination 202.0.0.1r1(config-if)#tunnel protection ipsec profile site2siter1(config-if)#no hs
r1(config)#router ospf 100r1(config-router)#network 1.1.1.2 0.0.0.0 area 2r1(config-router)#exit
r1#show ip route 测试学习到的路由O IA 192.168.10.0/30 [110/11112] via 1.1.1.1, 00:00:11, Tunnel0通虚拟隧道学习到的路由条目，O IA 192.168.10.0/24 [110/11239] via 1.1.1.1, 00:00:11, Tunnel0O IA 192.168.10.4/30 [110/11112] via 1.1.1.1, 00:00:11, Tunnel0O IA 192.168.10.8/30 [110/11175] via 1.1.1.1, 00:00:11, Tunnel06.0.0.0/32 is subnetted, 1 subnetsO IA 6.6.6.6 [110/11176] via 1.1.1.1, 00:00:11, Tunnel07.0.0.0/24 is subnetted, 1 subnetsC 7.7.7.0 is directly connected, Loopback0O IA 192.168.4.0/24 [110/11113] via 1.1.1.1, 01:43:30, Tunnel0O IA 192.168.5.0/24 [110/11113] via 1.1.1.1, 01:43:21, Tunnel0O IA 192.168.6.0/24 [110/11113] via 1.1.1.1, 01:42:58, Tunnel0O IA 192.168.1.0/24 [110/11113] via 1.1.1.1, 01:43:46, Tunnel0S* 0.0.0.0/0 [1/0] via 201.0.0.2

r1#show crypto engine connections active 显示活跃的数据信息
ID Interface IP-Address State Algorithm Encrypt Decryp 1 Tunnel0 1.1.1.2 set HMAC_MD5+DES_56_CB 0 02001 Tunnel0 201.0.0.1 set DES+MD5 0 462002 Tunnel0 201.0.0.1 set DES+MD5 42 0
以上表明配置成功。
r3#show ip route
7.0.0.0/32 is subnetted, 1 subnetsO 7.7.7.7 [110/11112] via 1.1.1.2, 06:24:09, Tunnel0
sw1-3#ping 7.7.7.7 source 192.168.1.1 测配置是否成功，
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:Packet sent with a source address of 192.168.1.1 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 212/402/584 ms
r4#ping 7.7.7.7 source 6.6.6.6
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:Packet sent with a source address of 6.6.6.6 !!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 208/340/448 ms

r3#show ip nat translations 查看NAT转换分析列表
r3#
注意：以上情况看出是成功，NAT转换分析列表没有内容显示，那是因为ping包是经过虚拟隧道联通的，而不经过NAT联通。
sw1-3#ping 201.0.0.1 source 192.168.1.1 测试配置后，内网访问外网的情况Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:Packet sent with a source address of 192.168.1.1!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 104/276/400 ms
r3#show ip nat translations Pro Inside global Inside local Outside local Outside globalicmp 202.0.0.1:21 192.168.1.1:21 201.0.0.1:21 201.0.0.1:21
注意：以上测试表明配置成功后,和NAT 互不影响,站点内部通信过安全虚拟隧道,而内部网络访问外部互联网经NAT转换,达到了一种安全高效的网络结构.
以上配置的还有一个特点,当两个站点内部网络有了新的网段时,只需将新的网段进行宣告,对端将会很快学到路由条目,从而确保两个站点内部网络所有网段连通性.如下所示:R1所连接的网络在配置后,又新建了一个网段,现在也在让它能和对端内部网络安全通信.配置如下:
r1(config)#in lo1 配置r1(config-if)#ip add 2.2.2.2 255.255.255.0r1(config-if)#no shr1(config-if)#exit
r1(config)#router ospf 100 宣告r1(config-router)#network 2.2.2.2 0.0.0.0 area 2
sw1-3# show ip route 查看 2.0.0.0/32 is subnetted, 1 subnetsO IA 2.2.2.2 [110/11113] via 192.168.10.1, 06:56:05, FastEthernet0/0
sw1-3#ping 2.2.2.2 source 192.168.1.1 测试
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:Packet sent with a source address of 192.168.2.254 !!!!! 成功Success rate is 100 percent (5/5), round-trip min/avg/max = 332/388/496 ms

相关推荐: 利用掌握的路由知识解决现实环境中的问题 — 之（非对称路

上一篇中”利用掌握的路由知识解决现实环境中的问题”提出的解决方法并没有解释清楚问题的症结！现在补上！更改之处：在本次实验当中（M0n0wall 用 Pfsense替代）遇到问题：本次遇到的问题与之前并没有不同 — 从SZBG ping/tracert HKB…