H3C网络学院路由交换第四卷实验指导书.doc

资源描述

1、实验1 配置GRE VPN实验任务一： GRE VPN基本配置步骤一：搭建实验环境在SWA上配置VLAN2，将接口E1/0/2加入VLAN2：SWAvlan 2SWA-vlan2port Ethernet 1/0/2步骤二：检测公网连通性查看SWA的路由表和端口状态，确认其工作正常。SWAdisplay ip interface brief*down: administratively down(s): spoofingInterface Physical Protocol IP Address DescriptionVlan-interface1 up up 1.1.1.2 Vlan-i

2、nte.Vlan-interface2 up up 2.2.2.2 Vlan-inte.SWAdisplay ip routing-tableRouting Tables: Public Destinations : 6 Routes : 6Destination/Mask Proto Pre Cost NextHop Interface1.1.1.0/24 Direct 0 0 1.1.1.2 Vlan11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop02.2.2.0/24 Direct 0 0 2.2.2.2 Vlan22.2.2.2/32 Direct 0 0

3、 127.0.0.1 InLoop0127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0也可以使用display interface命令。在RTA和RTB上配置公网接口互通所需的静态路由。RTAinterface GigabitEthernet0/0RTA-GigabitEthernet0/0ip address 192.168.1.1 255.255.255.0RTA-GigabitEthernet0/0interface GigabitEthernet0/1RTA-GigabitE

4、thernet0/1ip address 1.1.1.1 255.255.255.0RTA-GigabitEthernet0/1ip route-static 2.2.2.0 255.255.255.0 1.1.1.2RTBinterface GigabitEthernet0/0RTB-GigabitEthernet0/0ip address 192.168.2.1 255.255.255.0RTB-GigabitEthernet0/0interface GigabitEthernet0/1RTB-GigabitEthernet0/1ip address 2.2.2.1 255.255.255

5、.0RTB-GigabitEthernet0/1ip route-static 1.1.1.0 255.255.255.0 2.2.2.2步骤三：配置GRE隧道接口RTA interface Tunnel0RTA-Tunnel0 ip address 192.168.3.1 255.255.255.252RTA-Tunnel0 source 1.1.1.1RTA-Tunnel0 destination 2.2.2.1RTB interface Tunnel0RTB-Tunnel0 ip address 192.168.3.2 255.255.255.252RTB-Tunnel0 source

6、 2.2.2.1RTB-Tunnel0 destination 1.1.1.1步骤四：为私网配置静态路由RTA ip route-static 192.168.2.0 255.255.255.0 Tunnel0RTB ip route-static 192.168.1.0 255.255.255.0 Tunnel0配置时也可以用下一跳地址。步骤五：检验隧道工作状况查看RTA与RTB的路由表，可见公网、私网路由均存在于路由表中： RTBdisplay ip routing-tableRouting Tables: Public Destinations : 10 Routes : 10Des

7、tination/Mask Proto Pre Cost NextHop Interface1.1.1.0/24 Static 60 0 2.2.2.2 GE0/12.2.2.0/24 Direct 0 0 2.2.2.1 GE0/12.2.2.1/32 Direct 0 0 127.0.0.1 InLoop0127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.1.0/24 Static 60 0 192.168.3.2 Tun0192.168.2.0/24 Direc

8、t 0 0 192.168.2.1 GE0/0192.168.2.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.3.0/30 Direct 0 0 192.168.3.2 Tun0192.168.3.2/32 Direct 0 0 127.0.0.1 InLoop0查看RTA和RTB的隧道接口状态，可见其使用GRE封装，状态为UP：RTBdisplay interface Tunnel 0Tunnel0 current state: UPLine protocol current state: UPDescription: Tunnel0 Interface

9、The Maximum Transmit Unit is 1476Internet Address is 192.168.3.2/30 PrimaryEncapsulation is TUNNEL, service-loopback-group ID not set.Tunnel source 2.2.2.1, destination 1.1.1.1Tunnel keepalive disableTunnel protocol/transport GRE/IP GRE key disabled Checksumming of GRE packets disabledOutput queue :

10、 (Urgent queuing : Size/Length/Discards) 0/100/0Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0 Last 300 seconds input: 15 bytes/sec, 0 packets/sec Last 300 seconds output: 21 bytes/sec, 0 packets/sec 133 packets input, 5701

11、 bytes 0 input error 124 packets output, 7469 bytes 0 output error在RTA上打开GRE协议调试开关用debugging命令检验路由器实际收发的报文，说明其地址已经改变。terminal monitorterminal debuggingdebugging gre packet在PCA上对RTB运行ping命令，但只发送一个ICMP包：C:Documents and SettingsUserping -n 1 192.168.2.1Pinging 192.168.2.1 with 32 bytes of data:Reply fr

12、om 192.168.2.1: bytes=32 time1ms TTL=254Ping statistics for 192.168.2.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms观察RTA上的输出信息：*Jun 26 16:15:30:443 2009 RTA GRE/7/debug: Tunnel0 packet:After encapsula

13、tion, Outgoing packet header 1.1.1.1-2.2.2.1(length = 84)*Jun 26 16:15:30:443 2009 RTA GRE/7/debug:Output: Gre packet has been fast-switched successfully, interface index is 0x2f0000.可见RTA从Tunnel0接口发出了一个包，源地址为1.1.1.1，目的地址为2.2.2.1。因为发送的包已经被GRE封装后在公网发送了。步骤六：清除静态路由用undo ip route-static命令。步骤七：为公网配置动态路

14、由RTAospf 1RTA-ospf-1area 0.0.0.0RTA-ospf-1-area-0.0.0.0network 1.0.0.0 0.255.255.255RTBospf 1RTB-ospf-1area 0.0.0.0RTB-ospf-1-area-0.0.0.0network 2.0.0.0 0.255.255.255SWAospf 1SWA-ospf-1area 0.0.0.0SWA-ospf-1-area-0.0.0.0network 1.0.0.0 0.255.255.255SWA-ospf-1-area-0.0.0.0network 2.0.0.0 0.255.255.2

15、55步骤八：为私网配置动态路由RTArip 1RTA-rip-1version 2RTA-rip-1network 192.168.1.0RTA-rip-1network 192.168.3.0RTBripRTB-rip-1version 2RTB-rip-1network 192.168.2.0RTB-rip-1network 192.168.3.0步骤九：再次检验隧道工作状况查看RTA与RTB的路由表： display ip routing-tableRouting Tables: Public Destinations : 10 Routes : 10Destination/Mask

16、 Proto Pre Cost NextHop Interface1.1.1.0/24 OSPF 10 2 2.2.2.2 GE0/12.2.2.0/24 Direct 0 0 2.2.2.1 GE0/12.2.2.1/32 Direct 0 0 127.0.0.1 InLoop0127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.1.0/24 RIP 100 1 192.168.3.1 Tun0192.168.2.0/24 Direct 0 0 192.168.2.1

17、 GE0/0192.168.2.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.3.0/30 Direct 0 0 192.168.3.2 Tun0192.168.3.2/32 Direct 0 0 127.0.0.1 InLoop0转入下一实验任务。实验任务二： GRE VPN隧道验证步骤一：单方配置隧道验证首先在RTA上单方启动隧道验证：RTA-Tunnel0gre key 1234步骤二：检验隧道连通性用ping命令验证PCA与PCB之间的连通性。由于仅单方配置了隧道验证，此时应该无法连通。C:Documents and SettingsUserpi

18、ng 192.168.2.1Pinging 192.168.2.1 with 32 bytes of data:Request timed out.Request timed out.Request timed out.Request timed out.Ping statistics for 192.168.2.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),步骤三：配置错误的隧道验证在RTB上也启动隧道验证，但验证值配置与RTA不同：RTB-Tunnel0gre key 12345步骤四：检验隧道连通性用ping命令验证

19、PCA与PCB之间的连通性。由于配置的隧道验证值错误，此时应该无法连通。C:Documents and SettingsUserping 192.168.2.1Pinging 192.168.2.1 with 32 bytes of data:Request timed out.Request timed out.Request timed out.Request timed out.Ping statistics for 192.168.2.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),步骤五：正确配置隧道验证在RTB上配

20、置与RTA相同的验证值：RTB-Tunnel0gre key 1234步骤六：检验隧道连通性用ping命令验证PCA与PCB之间的连通性。由于配置的隧道验证正确，此时应该可以连通。C:Documents and SettingsUserping 192.168.2.1Pinging 192.168.2.1 with 32 bytes of data:Reply from 192.168.2.1: bytes=32 time=1ms TTL=254Reply from 192.168.2.1: bytes=32 time1ms TTL=254Reply from 192.168.2.1: by

21、tes=32 time1ms TTL=254Reply from 192.168.2.1: bytes=32 time1ms TTL=254Ping statistics for 192.168.2.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms注意：由于RTA和RTB上配置了RIP路由，如果隧道验证值长时间不匹配，RIP会删除来自对方的私网路由。在这种

22、情况下，配置了正确的隧道验证值后需要等待RIP重新学习路由。实验任务三： GRE VPN隧道Keepalive步骤一：恢复静态路由配置 RTAundo ripWarning : Undo RIP process? Y/N:yRTAundo ospfWarning : Undo OSPF process? Y/N:yRTAip route-static 192.168.2.0 255.255.255.0 Tunnel0 RTAip route-static 2.2.2.0 255.255.255.0 1.1.1.2RTBundo ripWarning : Undo RIP process? Y

23、/N:yRTBundo ospfWarning : Undo OSPF process? Y/N:yRTBip route-static 192.168.1.0 255.255.255.0 Tunnel0RTBip route-static 1.1.1.0 255.255.255.0 2.2.2.2步骤二：模拟网络故障 SWA-Vlan-interface2shutdown步骤三：检查RTA上的隧道接口状态在RTA上检查隧道接口状态，发现隧道接口状态仍然正常：RTAdisplay interface Tunnel 0Tunnel0 current state: UPLine protoco

24、l current state: UPDescription: Tunnel0 InterfaceThe Maximum Transmit Unit is 1472Internet Address is 192.168.3.1/30 PrimaryEncapsulation is TUNNEL, service-loopback-group ID not set.Tunnel source 1.1.1.1, destination 2.2.2.1Tunnel keepalive disableTunnel protocol/transport GRE/IP GRE key value is 1

25、234 Checksumming of GRE packets disabledOutput queue : (Urgent queuing : Size/Length/Discards) 0/100/0Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0 Last 300 seconds input: 0 bytes/sec, 0 packets/sec Last 300 seconds output

26、: 0 bytes/sec, 0 packets/sec 1016 packets input, 100223 bytes 10 input error 981 packets output, 41128 bytes 0 output error这说明其无法了解对端变化情况。这是因为在RTA上，隧道源地址所属接口正常，隧道目的地址所需的路由仍然存在。步骤四：恢复网络故障SWA-Vlan-interface2undo shutdown步骤五：配置隧道KeepaliveRTAinterface Tunnel 0RTA-Tunnel0keepaliveRTBinterface Tunnel 0R

27、TB-Tunnel0keepalive步骤六：模拟网络故障在RTA上启动debugging开关：terminal monitorterminal debuggingdebugging gre alldebugging tunnel all关闭SWA的VLAN2接口，模拟公网路由突然发生故障。SWA-Vlan-interface2shutdown步骤七：观察效果，检验隧道连通性在RTA上观察debugging信息。输出信息形如：*Jun 26 17:31:54:794 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP, no change.*J

28、un 26 17:31:55:508 2009 RTA TUNNEL/7/debug: Before encapsulation, the packets ulLoopTimes is 0.*Jun 26 17:32:55:968 2009 RTA TUNNEL/7/debug: Before encapsulation, the packets ulLoopTimes is 0.*Jun 26 17:33:00:293 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP, no change.*Jun 26 17:33:05:332 2009 R

29、TA TUNNEL/7/debug:Tunnel0 link state is UP, no change.*Jun 26 17:33:06:45 2009 RTA TUNNEL/7/debug: Before encapsulation, the packets ulLoopTimes is 0.*Jun 26 17:33:10:369 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP, no change.*Jun 26 17:33:15:408 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP

30、, no change.%Jun 26 17:33:16:168 2009 RTA TUNNEL/4/LINK UPDOWN: Tunnel0: link status is DOWN%Jun 26 17:33:16:168 2009 RTA IFNET/4/UPDOWN: Line protocol on the interface Tunnel0 is DOWN*Jun 26 17:33:16:168 2009 RTA TUNNEL/7/debug:Tunnel0 down, because keepalive is not reached.*Jun 26 17:33:16:169 200

31、9 RTA TUNNEL/7/debug:Can not get tunnel ID when tunnel(index = 0x2f0000) state is down.*Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:Tunnel_DelTunnInUpTunnTbl: The tunnel(0x2f0000) state is down.*Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug: Before encapsulation, the packets ulLoopTimes is 0.*Jun 26 1

32、7:33:20:451 2009 RTA TUNNEL/7/debug:Tunnel0 down, because keepalive is not reached.*Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug:Tunnel0 link state is DOWN, no change.*Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug:Tunnel0 down, because keepalive is not reached.*Jun 26 17:33:25:490 2009 RTA TUNNEL/7/deb

33、ug:Tunnel0 link state is DOWN, no change.*Jun 26 17:33:26:203 2009 RTA TUNNEL/7/debug:可见经过一段时间后，Tunnel0接口状态变为DOWN，根据debugging信息，原因是keepalive消息丢失。关闭debugging开关，查看Tunnel0接口信息：undo debugging allAll possible debugging has been turned offdisplay interface tunnel 0Tunnel0 current state: DOWNLine protocol

34、current state: DOWNDescription: Tunnel0 InterfaceThe Maximum Transmit Unit is 1472Internet Address is 192.168.3.1/30 PrimaryEncapsulation is TUNNEL, service-loopback-group ID not set.Tunnel source 1.1.1.1, destination 2.2.2.1Tunnel keepalive enable, Period(10 s), Retries(3)Tunnel protocol/transport

35、GRE/IP GRE key value is 1234 Checksumming of GRE packets disabledOutput queue : (Urgent queuing : Size/Length/Discards) 0/100/0Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0 Last 300 seconds input: 2 bytes/sec, 0 packets/se

36、c Last 300 seconds output: 2 bytes/sec, 0 packets/sec 1115 packets input, 101679 bytes 10 input error 1084 packets output, 44012 bytes 0 output error可见Tunnel0接口状态确实已经变为DOWN。在SWA上重新打开VLAN2接口，过一段时间之后， Tunnel0接口状态以及PCA与PCB之间的连通性可以恢复正常。实验2配置L2TP VPN实验1 配置GRE VPN- 1 -1.1 实验内容与目标- 1 -1.2 实验组网图- 1 -1.3 实验设

37、备与版本- 1 -1.4 实验过程- 2 -实验任务一： GRE VPN基本配置- 2 -步骤一：搭建实验环境- 2 -步骤二：检测公网连通性- 2 -步骤三：配置GRE隧道接口- 3 -步骤四：为私网配置静态路由- 3 -步骤五：检验隧道工作状况- 3 -步骤六：清除静态路由- 5 -步骤七：为公网配置动态路由- 5 -步骤八：为私网配置动态路由- 5 -步骤九：再次检验隧道工作状况- 5 -实验任务二： GRE VPN隧道验证- 6 -步骤一：单方配置隧道验证- 6 -步骤二：检验隧道连通性- 6 -步骤三：配置错误的隧道验证- 6 -步骤四：检验隧道连通性- 6

38、 -步骤五：正确配置隧道验证- 6 -步骤六：检验隧道连通性- 6 -实验任务三： GRE VPN隧道Keepalive- 7 -步骤一：恢复静态路由配置- 7 -步骤二：模拟网络故障- 7 -步骤三：检查RTA上的隧道接口状态- 7 -步骤四：恢复网络故障- 8 -步骤五：配置隧道Keepalive- 8 -步骤六：模拟网络故障- 8 -步骤七：观察效果，检验隧道连通性- 8 -1.5 实验中的命令列表- 10 -1.6 思考题- 10 -实验2 配置L2TP VPN实验任务一：配置独立LAC模式步骤一：搭建实验环境连接设备。在SWA上配置VLAN2，将接口E1/0/2

39、加入VLAN2。SWAvlan 2SWA-vlan2port Ethernet 1/0/2步骤二：检测公网连通性查看SWA的路由表和端口状态，确认其工作正常。SWAdisplay ip interface brief*down: administratively down(s): spoofingInterface Physical Protocol IP Address DescriptionVlan-interface1 up up 1.1.1.2 Vlan-inte.Vlan-interface2 up up 2.2.2.2 Vlan-inte.SWAdisplay ip routin

40、g-tableRouting Tables: Public Destinations : 6 Routes : 6Destination/Mask Proto Pre Cost NextHop Interface1.1.1.0/24 Direct 0 0 1.1.1.2 Vlan11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop02.2.2.0/24 Direct 0 0 2.2.2.2 Vlan22.2.2.2/32 Direct 0 0 127.0.0.1 InLoop0127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0127.0.

41、0.1/32 Direct 0 0 127.0.0.1 InLoop0在RTA和RTB上配置公网接口互通所需的静态路由。RTAinterface GigabitEthernet0/0RTA-GigabitEthernet0/0ip address 192.168.1.1 255.255.255.0RTA-GigabitEthernet0/0interface GigabitEthernet0/1RTA-GigabitEthernet0/1ip address 1.1.1.1 255.255.255.0RTA-GigabitEthernet0/1ip route-static 2.2.2.0 255.255.255.0 1.1.1.2RTBinterface GigabitEthernet0/0RTB-GigabitEthernet0/0ip address 192.168.2.1 255.255.255.0RTB-GigabitEthernet0/0interface GigabitEthernet0/1RTB-GigabitEthernet0/1ip address 2.2.2.1 255.255.255.0RTB-GigabitEthernet0/1ip ro

展开阅读全文