
H3C Network Academy Routing and Switching, Volume 4, Lab Guide.doc

Uploader: 快乐****生活  Document ID: 2120060  Upload date: 2024-05-16  Format: DOC  Pages: 87  Size: 1,015.54 KB
Lab 1 Configuring GRE VPN

Task 1: Basic GRE VPN configuration

Step 1: Set up the lab environment

On SWA, create VLAN 2 and add interface E1/0/2 to VLAN 2:

    [SWA]vlan 2
    [SWA-vlan2]port Ethernet 1/0/2

Step 2: Check public network connectivity

Check the routing table and port status on SWA to confirm that it is working properly.

    [SWA]display ip interface brief
    *down: administratively down
    (s): spoofing
    Interface            Physical  Protocol  IP Address  Description
    Vlan-interface1      up        up        1.1.1.2     Vlan-inte...
    Vlan-interface2      up        up        2.2.2.2     Vlan-inte...
    [SWA]display ip routing-table
    Routing Tables: Public
            Destinations : 6        Routes : 6
    Destination/Mask    Proto   Pre  Cost  NextHop      Interface
    1.1.1.0/24          Direct  0    0     1.1.1.2      Vlan1
    1.1.1.2/32          Direct  0    0     127.0.0.1    InLoop0
    2.2.2.0/24          Direct  0    0     2.2.2.2      Vlan2
    2.2.2.2/32          Direct  0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0

The display interface command can also be used.

On RTA and RTB, configure the static routes required for the public network interfaces to reach each other.

    [RTA]interface GigabitEthernet0/0
    [RTA-GigabitEthernet0/0]ip address 192.168.1.1 255.255.255.0
    [RTA-GigabitEthernet0/0]interface GigabitEthernet0/1
    [RTA-GigabitEthernet0/1]ip address 1.1.1.1 255.255.255.0
    [RTA-GigabitEthernet0/1]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
    [RTB]interface GigabitEthernet0/0
    [RTB-GigabitEthernet0/0]ip address 192.168.2.1 255.255.255.0
    [RTB-GigabitEthernet0/0]interface GigabitEthernet0/1
    [RTB-GigabitEthernet0/1]ip address 2.2.2.1 255.255.255.0
    [RTB-GigabitEthernet0/1]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

Step 3: Configure the GRE tunnel interface

    [RTA] interface Tunnel0
    [RTA-Tunnel0] ip address 192.168.3.1 255.255.255.252
    [RTA-Tunnel0] source 1.1.1.1
    [RTA-Tunnel0] destination 2.2.2.1
    [RTB] interface Tunnel0
    [RTB-Tunnel0] ip address 192.168.3.2 255.255.255.252
    [RTB-Tunnel0] source 2.2.2.1
    [RTB-Tunnel0] destination 1.1.1.1

Step 4: Configure static routes for the private networks

    [RTA] ip route-static 192.168.2.0 255.255.255.0 Tunnel0
    [RTB] ip route-static 192.168.1.0 255.255.255.0 Tunnel0

A next-hop address can also be used when configuring these routes.

Step 5: Verify that the tunnel works

Check the routing tables on RTA and RTB. Both the public and the private network routes are present:

    [RTB]display ip routing-table
    Routing Tables: Public
            Destinations : 10       Routes : 10
    Destination/Mask    Proto   Pre  Cost  NextHop      Interface
    1.1.1.0/24          Static  60   0     2.2.2.2      GE0/1
    2.2.2.0/24          Direct  0    0     2.2.2.1      GE0/1
    2.2.2.1/32          Direct  0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
    192.168.1.0/24      Static  60   0     192.168.3.2  Tun0
    192.168.2.0/24      Direct  0    0     192.168.2.1  GE0/0
    192.168.2.1/32      Direct  0    0     127.0.0.1    InLoop0
    192.168.3.0/30      Direct  0    0     192.168.3.2  Tun0
    192.168.3.2/32      Direct  0    0     127.0.0.1    InLoop0

Check the tunnel interface status on RTA and RTB. The interface uses GRE encapsulation and its state is UP:

    [RTB]display interface Tunnel 0
    Tunnel0 current state: UP
    Line protocol current state: UP
    Description: Tunnel0 Interface
    The Maximum Transmit Unit is 1476
    Internet Address is 192.168.3.2/30 Primary
    Encapsulation is TUNNEL, service-loopback-group ID not set.
    Tunnel source 2.2.2.1, destination 1.1.1.1
    Tunnel keepalive disable
    Tunnel protocol/transport GRE/IP
    GRE key disabled
    Checksumming of GRE packets disabled
    Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
    Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
    Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
    Last 300 seconds input: 15 bytes/sec, 0 packets/sec
    Last 300 seconds output: 21 bytes/sec, 0 packets/sec
    133 packets input, 5701 bytes
    0 input error
    124 packets output, 7469 bytes
    0 output error

On RTA, turn on GRE protocol debugging and use the debugging command to examine the packets the router actually sends and receives, which shows that their addresses have changed.

    <RTA>terminal monitor
    <RTA>terminal debugging
    <RTA>debugging gre packet

On PCA, ping RTB, sending only one ICMP packet:

    C:\Documents and Settings\User>ping -n 1 192.168.2.1
    Pinging 192.168.2.1 with 32 bytes of data:
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
    Ping statistics for 192.168.2.1:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

Observe the output on RTA:

    <RTA>
    *Jun 26 16:15:30:443 2009 RTA GRE/7/debug: Tunnel0 packet:After encapsulation, Outgoing packet header 1.1.1.1->2.2.2.1(length = 84)
    *Jun 26 16:15:30:443 2009 RTA GRE/7/debug:Output: Gre packet has been fast-switched successfully, interface index is 0x2f0000.
RTA sent one packet out of the Tunnel0 interface with source address 1.1.1.1 and destination address 2.2.2.1, because the packet was GRE-encapsulated before being sent over the public network.

Step 6: Remove the static routes

Use the undo ip route-static command.

Step 7: Configure dynamic routing for the public network

    [RTA]ospf 1
    [RTA-ospf-1]area 0.0.0.0
    [RTA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255
    [RTB]ospf 1
    [RTB-ospf-1]area 0.0.0.0
    [RTB-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255
    [SWA]ospf 1
    [SWA-ospf-1]area 0.0.0.0
    [SWA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255
    [SWA-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

Step 8: Configure dynamic routing for the private networks

    [RTA]rip 1
    [RTA-rip-1]version 2
    [RTA-rip-1]network 192.168.1.0
    [RTA-rip-1]network 192.168.3.0
    [RTB]rip
    [RTB-rip-1]version 2
    [RTB-rip-1]network 192.168.2.0
    [RTB-rip-1]network 192.168.3.0

Step 9: Verify the tunnel again

Check the routing tables on RTA and RTB:

    <RTB>display ip routing-table
    Routing Tables: Public
            Destinations : 10       Routes : 10
    Destination/Mask    Proto   Pre  Cost  NextHop      Interface
    1.1.1.0/24          OSPF    10   2     2.2.2.2      GE0/1
    2.2.2.0/24          Direct  0    0     2.2.2.1      GE0/1
    2.2.2.1/32          Direct  0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
    192.168.1.0/24      RIP     100  1     192.168.3.1  Tun0
    192.168.2.0/24      Direct  0    0     192.168.2.1  GE0/0
    192.168.2.1/32      Direct  0    0     127.0.0.1    InLoop0
    192.168.3.0/30      Direct  0    0     192.168.3.2  Tun0
    192.168.3.2/32      Direct  0    0     127.0.0.1    InLoop0

Proceed to the next lab task.

Task 2: GRE VPN tunnel verification

Step 1: Configure tunnel verification on one side only

First enable tunnel verification on RTA alone:

    [RTA-Tunnel0]gre key 1234

Step 2: Check tunnel connectivity

Use the ping command to verify connectivity between PCA and PCB. Because tunnel verification is configured on one side only, the hosts should not be able to reach each other at this point.

    C:\Documents and Settings\User>ping 192.168.2.1
    Pinging 192.168.2.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 192.168.2.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 3: Configure an incorrect tunnel verification value

Enable tunnel verification on RTB as well, but with a value different from the one on RTA:

    [RTB-Tunnel0]gre key 12345

Step 4: Check tunnel connectivity

Use the ping command to verify connectivity between PCA and PCB. Because the configured tunnel verification value is wrong, the hosts should not be able to reach each other at this point.

    C:\Documents and Settings\User>ping 192.168.2.1
    Pinging 192.168.2.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 192.168.2.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 5: Configure tunnel verification correctly

On RTB, configure the same verification value as on RTA:

    [RTB-Tunnel0]gre key 1234

Step 6: Check tunnel connectivity

Use the ping command to verify connectivity between PCA and PCB. Because tunnel verification is now configured correctly, the hosts should be able to reach each other.

    C:\Documents and Settings\User>ping 192.168.2.1
    Pinging 192.168.2.1 with 32 bytes of data:
    Reply from 192.168.2.1: bytes=32 time=1ms TTL=254
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
    Ping statistics for 192.168.2.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms

Note: Because RIP is configured on RTA and RTB, if the tunnel verification values stay mismatched for a long time, RIP deletes the private network routes learned from the peer. In that case, after the correct tunnel verification value is configured, you must wait for RIP to relearn the routes.

Task 3: GRE VPN tunnel keepalive

Step 1: Restore the static route configuration

    [RTA]undo rip
    Warning : Undo RIP process? [Y/N]:y
    [RTA]undo ospf
    Warning : Undo OSPF process? [Y/N]:y
    [RTA]ip route-static 192.168.2.0 255.255.255.0 Tunnel0
    [RTA]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
    [RTB]undo rip
    Warning : Undo RIP process? [Y/N]:y
    [RTB]undo ospf
    Warning : Undo OSPF process? [Y/N]:y
    [RTB]ip route-static 192.168.1.0 255.255.255.0 Tunnel0
    [RTB]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

Step 2: Simulate a network failure

    [SWA-Vlan-interface2]shutdown

Step 3: Check the tunnel interface status on RTA

Check the tunnel interface status on RTA. The tunnel interface still appears to be working normally:

    [RTA]display interface Tunnel 0
    Tunnel0 current state: UP
    Line protocol current state: UP
    Description: Tunnel0 Interface
    The Maximum Transmit Unit is 1472
    Internet Address is 192.168.3.1/30 Primary
    Encapsulation is TUNNEL, service-loopback-group ID not set.
    Tunnel source 1.1.1.1, destination 2.2.2.1
    Tunnel keepalive disable
    Tunnel protocol/transport GRE/IP
    GRE key value is 1234
    Checksumming of GRE packets disabled
    Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
    Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
    Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
    Last 300 seconds input: 0 bytes/sec, 0 packets/sec
    Last 300 seconds output: 0 bytes/sec, 0 packets/sec
    1016 packets input, 100223 bytes
    10 input error
    981 packets output, 41128 bytes
    0 output error

This shows that RTA cannot learn of changes at the remote end. The reason is that, on RTA, the interface that owns the tunnel source address is working normally and the route needed to reach the tunnel destination address still exists.

Step 4: Recover from the network failure

    [SWA-Vlan-interface2]undo shutdown

Step 5: Configure tunnel keepalive

    [RTA]interface Tunnel 0
    [RTA-Tunnel0]keepalive
    [RTB]interface Tunnel 0
    [RTB-Tunnel0]keepalive

Step 6: Simulate a network failure

Turn on debugging on RTA:

    <RTA>terminal monitor
    <RTA>terminal debugging
    <RTA>debugging gre all
    <RTA>debugging tunnel all

Shut down the VLAN 2 interface on SWA to simulate a sudden failure of the public network route.

    [SWA-Vlan-interface2]shutdown

Step 7: Observe the result and check tunnel connectivity

Observe the debugging output on RTA. It looks like this:

    <RTA>
    *Jun 26 17:31:54:794 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
    *Jun 26 17:31:55:508 2009 RTA TUNNEL/7/debug: Before encapsulation, the packet's ulLoopTimes is 0.
    ......
    ......
    *Jun 26 17:32:55:968 2009 RTA TUNNEL/7/debug: Before encapsulation, the packet's ulLoopTimes is 0.
    *Jun 26 17:33:00:293 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
    *Jun 26 17:33:05:332 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
    *Jun 26 17:33:06:45 2009 RTA TUNNEL/7/debug: Before encapsulation, the packet's ulLoopTimes is 0.
    *Jun 26 17:33:10:369 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
    *Jun 26 17:33:15:408 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
    %Jun 26 17:33:16:168 2009 RTA TUNNEL/4/LINK UPDOWN: Tunnel0: link status is DOWN
    %Jun 26 17:33:16:168 2009 RTA IFNET/4/UPDOWN: Line protocol on the interface Tunnel0 is DOWN
    *Jun 26 17:33:16:168 2009 RTA TUNNEL/7/debug: Tunnel0 down, because keepalive is not reached.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug: Can not get tunnel ID when tunnel(index = 0x2f0000) state is down.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug: Tunnel_DelTunnInUpTunnTbl: The tunnel(0x2f0000) state is down.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug: Before encapsulation, the packet's ulLoopTimes is 0.
    *Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug: Tunnel0 down, because keepalive is not reached.
    *Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug: Tunnel0 link state is DOWN, no change.
    *Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug: Tunnel0 down, because keepalive is not reached.
    *Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug: Tunnel0 link state is DOWN, no change.
    *Jun 26 17:33:26:203 2009 RTA TUNNEL/7/debug:

After a while the Tunnel0 interface state changes to DOWN. According to the debugging output, the cause is that keepalive messages were lost.

Turn off debugging and check the Tunnel0 interface information:

    <RTA>undo debugging all
    All possible debugging has been turned off
    <RTA>display interface tunnel 0
    Tunnel0 current state: DOWN
    Line protocol current state: DOWN
    Description: Tunnel0 Interface
    The Maximum Transmit Unit is 1472
    Internet Address is 192.168.3.1/30 Primary
    Encapsulation is TUNNEL, service-loopback-group ID not set.
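    Tunnel source 1.1.1.1, destination 2.2.2.1
    Tunnel keepalive enable, Period(10 s), Retries(3)
    Tunnel protocol/transport GRE/IP
    GRE key value is 1234
    Checksumming of GRE packets disabled
    Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
    Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
    Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
    Last 300 seconds input: 2 bytes/sec, 0 packets/sec
    Last 300 seconds output: 2 bytes/sec, 0 packets/sec
    1115 packets input, 101679 bytes
    10 input error
    1084 packets output, 44012 bytes
    0 output error

The Tunnel0 interface state has indeed changed to DOWN.

Bring the VLAN 2 interface on SWA back up. After a while, the Tunnel0 interface state and the connectivity between PCA and PCB return to normal.

Lab 1 Configuring GRE VPN
    1.1 Lab content and objectives
    1.2 Lab network diagram
    1.3 Lab equipment and versions
    1.4 Lab procedure
        Task 1: Basic GRE VPN configuration
            Step 1: Set up the lab environment
            Step 2: Check public network connectivity
            Step 3: Configure the GRE tunnel interface
            Step 4: Configure static routes for the private networks
            Step 5: Verify that the tunnel works
            Step 6: Remove the static routes
            Step 7: Configure dynamic routing for the public network
            Step 8: Configure dynamic routing for the private networks
            Step 9: Verify the tunnel again
        Task 2: GRE VPN tunnel verification
            Step 1: Configure tunnel verification on one side only
            Step 2: Check tunnel connectivity
            Step 3: Configure an incorrect tunnel verification value
            Step 4: Check tunnel connectivity
            Step 5: Configure tunnel verification correctly
            Step 6: Check tunnel connectivity
        Task 3: GRE VPN tunnel keepalive
            Step 1: Restore the static route configuration
            Step 2: Simulate a network failure
            Step 3: Check the tunnel interface status on RTA
            Step 4: Recover from the network failure
            Step 5: Configure tunnel keepalive
            Step 6: Simulate a network failure
            Step 7: Observe the result and check tunnel connectivity
    1.5 Commands used in the lab
    1.6 Review questions

Lab 2 Configuring L2TP VPN

Task 1: Configure standalone LAC mode

Step 1: Set up the lab environment

Connect the devices. On SWA, create VLAN 2 and add interface E1/0/2 to VLAN 2.

    [SWA]vlan 2
    [SWA-vlan2]port Ethernet 1/0/2

Step 2: Check public network connectivity

Check the routing table and port status on SWA to confirm that it is working properly.

    [SWA]display ip interface brief
    *down: administratively down
    (s): spoofing
    Interface            Physical  Protocol  IP Address  Description
    Vlan-interface1      up        up        1.1.1.2     Vlan-inte...
    Vlan-interface2      up        up        2.2.2.2     Vlan-inte...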
    [SWA]display ip routing-table
    Routing Tables: Public
            Destinations : 6        Routes : 6
    Destination/Mask    Proto   Pre  Cost  NextHop      Interface
    1.1.1.0/24          Direct  0    0     1.1.1.2      Vlan1
    1.1.1.2/32          Direct  0    0     127.0.0.1    InLoop0
    2.2.2.0/24          Direct  0    0     2.2.2.2      Vlan2
    2.2.2.2/32          Direct  0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0

On RTA and RTB, configure the static routes required for the public network interfaces to reach each other.

    [RTA]interface GigabitEthernet0/0
    [RTA-GigabitEthernet0/0]ip address 192.168.1.1 255.255.255.0
    [RTA-GigabitEthernet0/0]interface GigabitEthernet0/1
    [RTA-GigabitEthernet0/1]ip address 1.1.1.1 255.255.255.0
    [RTA-GigabitEthernet0/1]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
    [RTB]interface GigabitEthernet0/0
    [RTB-GigabitEthernet0/0]ip address 192.168.2.1 255.255.255.0
    [RTB-GigabitEthernet0/0]interface GigabitEthernet0/1
    [RTB-GigabitEthernet0/1]ip address 2.2.2.1 255.255.255.0
    [RTB-GigabitEthernet0/1]ip ro
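
Added example (not part of the original lab guide): a Python model of the GRE header used in Lab 1, showing how the gre key value from Task 2 is carried and compared, and why display interface Tunnel 0 reports an MTU of 1476 without a key and 1472 with one. The function names, the 1500-byte link MTU and the accept/drop rule in receiver_accepts (modelled on the ping results in Task 2) are assumptions of this sketch.

```python
import struct

GRE_KEY_PRESENT = 0x2000   # K bit in the first 16-bit word (RFC 2890)
PROTO_IPV4 = 0x0800        # GRE protocol type for an IPv4 payload
OUTER_IP_HEADER = 20       # outer IPv4 header, no options (GRE/IP transport)

def build_gre(payload, key=None):
    """Prefix payload with a GRE header; a key adds 4 cleartext bytes."""
    flags = GRE_KEY_PRESENT if key is not None else 0
    header = struct.pack("!HH", flags, PROTO_IPV4)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload

def parse_gre(packet):
    """Return (key or None, payload); only the K bit is supported here."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & ~GRE_KEY_PRESENT or proto != PROTO_IPV4:
        raise ValueError("unsupported GRE flags, version or protocol")
    if not flags & GRE_KEY_PRESENT:
        return None, packet[4:]
    if len(packet) < 8:
        raise ValueError("truncated GRE key field")
    return struct.unpack("!I", packet[4:8])[0], packet[8:]

def receiver_accepts(packet, local_key=None):
    """Assumed rule (from Task 2): packet key must equal the local key."""
    try:
        key, _ = parse_gre(packet)
    except ValueError:
        return False
    return key == local_key

def tunnel_mtu(link_mtu=1500, key=None):
    """Largest inner packet that fits once outer IP and GRE are added."""
    return link_mtu - OUTER_IP_HEADER - len(build_gre(b"", key))

def encapsulated_length(inner_len, key=None):
    return OUTER_IP_HEADER + len(build_gre(bytes(inner_len), key))

# Constructed inner packet: 20 (IP) + 8 (ICMP) + 32 (data) zero bytes.
INNER = bytes(60)

if __name__ == "__main__":
    for rtb_key in (None, 12345, 1234):   # Task 2, Steps 2, 4 and 6
        print(rtb_key, receiver_accepts(build_gre(INNER, 1234), rtb_key))
```

The key is a plain 32-bit header field readable by any device on the path, so it guards against mispaired tunnel endpoints rather than providing confidentiality or integrity for the tunnelled traffic.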