With the rapid growth of the economy, modern enterprises are expanding from standalone companies into corporate groups, and enterprise management is moving from independent operation to a centralized, unified management model. Under these requirements, IT infrastructure construction has become an important part of enterprise development, and VPN technology is widely used to keep business data secure while it crosses carrier or Internet networks. To guarantee high availability and reliability, backup links are a key factor that must be considered when a VPN network is deployed.
When deploying VPN backup links, high reliability and high availability can be achieved in two ways:
- One approach is to use two carrier links that back each other up and can also load-balance traffic.
- The other approach is to use one carrier link as the primary link and an Internet link as the backup.
The first approach naturally performs better but costs much more; the second is cheap but its performance is limited. The two examples below show how each is implemented.
The figure below shows an example of the first approach: two carrier links are provisioned between headquarters and the branch office, and VPN technology is used to encrypt the business data in transit. The subnets to be protected are 10.1.1.0/24 and 10.1.2.0/24.
The VPN configuration itself does not change to meet this requirement; the only difference is that the VPN source address is set to a Loopback address. That address never goes down, so if either of the two WAN interfaces fails, the VPN connection is unaffected.
The detailed configuration follows:
RouterA#sh running-config
Building configuration...
Current configuration : 1337 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
ip cef
!
crypto isakmp policy 110 #create the ISAKMP policy
hash md5 #hash algorithm
authentication pre-share #authentication by pre-shared key
group 2 #DH group
crypto isakmp key 123 address 2.2.2.2 #pre-shared key and peer address; the address is the peer's loopback interface address
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac #define the IPsec transform set (data protection algorithms)
!
crypto map map1 local-address Loopback0 #the crypto map's source address is the local loopback interface
crypto map map1 10 ipsec-isakmp #create the crypto map
set peer 2.2.2.2 #peer address
set transform-set *** #transform set to use
match address 110 #interesting traffic to encrypt: flows matching access list 110
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex half
!
interface Serial1/0
ip address 88.1.1.1 255.255.255.252
serial restart-delay 0
crypto map map1 #apply the crypto map on the interface
!
interface Serial1/1
ip address 99.1.1.1 255.255.255.252
serial restart-delay 0
crypto map map1
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 88.1.1.2
ip route 0.0.0.0 0.0.0.0 99.1.1.2
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 #define the interesting traffic
!
control-plane
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
end
RouterB#sh running-config
Building configuration...
Current configuration : 1338 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto isakmp policy 110 #create the ISAKMP policy
hash md5 #hash algorithm
authentication pre-share #pre-shared key authentication
group 2 #DH group
crypto isakmp key 123 address 1.1.1.1 #pre-shared key and peer address; the address is the peer's loopback interface address
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac #define the IPsec transform set (data protection algorithms)
!
crypto map map1 local-address Loopback0 #the crypto map's source address is the local loopback interface
crypto map map1 10 ipsec-isakmp #create the crypto map
set peer 1.1.1.1 #peer address
set transform-set *** #transform set to use
match address 110 #interesting traffic to encrypt: flows matching access list 110
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.2.1 255.255.255.0
duplex half
!
interface Serial1/0
ip address 88.1.1.2 255.255.255.252
serial restart-delay 0
crypto map map1
!
interface Serial1/1
ip address 99.1.1.2 255.255.255.252
serial restart-delay 0
crypto map map1
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 88.1.1.1
ip route 0.0.0.0 0.0.0.0 99.1.1.1
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 110 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 #define the interesting traffic
!
control-plane
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
end
The test phase follows: pinging between the two subnets shows that they can communicate.
RouterB#ping 10.1.1.1 source 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/62/104 ms
RouterB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 2.2.2.2 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
RouterB#sh crypto ipsec sa
interface: Serial1/0
Crypto map tag: map1, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240
#pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x5CA4CEE6(1554304742)
inbound esp sas:
spi: 0x108F068F(277808783)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4568924/2294)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0xBC5AC99A(3160066458)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4568924/2290)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
spi: 0x5CA4CEE6(1554304742)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4568921/2290)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0x13AFEA83(330295939)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4568921/2288)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
interface: Serial1/1
Crypto map tag: map1, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240
#pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x5CA4CEE6(1554304742)
inbound esp sas:
spi: 0x108F068F(277808783)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4568924/2288)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0xBC5AC99A(3160066458)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4568924/2288)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
spi: 0x5CA4CEE6(1554304742)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4568921/2287)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0x13AFEA83(330295939)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4568921/2287)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
After logging in to the router and shutting down one of the WAN interfaces, the two subnets can still communicate normally.
Router(config-if)#int s1/1
Router(config-if)#shutdown
Router(config-if)#
*Nov 30 20:56:34.519: %LINK-5-CHANGED: Interface Serial1/1, changed state to administratively down
*Nov 30 20:56:34.519: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/1 Physical Port Administrative State Down
*Nov 30 20:56:35.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
RouterB#ping 10.1.1.1 source 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/62/104 ms
RouterB#
This example covers only the backup link. If there are several subnets at each site and load balancing is also required, policy-based routing (PBR) can be used; that is not covered in detail here. If you want to learn about PBR, see my earlier blog posts.
The second approach to VPN backup follows. In this mode, to save cost, the company provisions only one carrier link; when that dedicated link fails, business data must be carried over the Internet link, and VPN technology is needed to keep it secure.
To reduce link downtime, HSRP or VRRP is used for hot standby. The IP routing protocol in the layer-3 network is OSPF, but IPsec supports only IP unicast, so once IPsec VPN is enabled the (multicast) OSPF routing updates cannot be carried; a GRE tunnel is therefore used to carry the OSPF updates.
In addition, internal users need to access the Internet, so when NAT is configured, the two VPN subnets must be excluded from address translation.
Because the routing protocol is OSPF, advertising the default route through OSPF would let the routers at both sites learn each other's default route, so a distribute list must be used to filter the default route during implementation.
The figure below shows the lab topology.
The detailed configuration follows.
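As an added example (not code from the original post), the following Python script checks the properties the dual-link design above depends on, against a reduced copy of the RouterA configuration: the crypto map's local-address is a /32 loopback, every interface that reaches a default-route next hop carries the crypto map (otherwise traffic matching access list 110 would leave that interface unencrypted once the other link failed), and the ISAKMP key is bound to the same address as the crypto-map peer. The parser handles only the statements shown; the function and variable names are the example's own.

```python
"""Consistency checks for the dual-carrier-link IPsec design (added example)."""
import ipaddress
import re

# Reduced copy of the RouterA configuration from the post (annotations removed);
# one leading space marks a sub-command, as in IOS output.
ROUTER_A = """
crypto isakmp key 123 address 2.2.2.2
crypto map map1 local-address Loopback0
crypto map map1 10 ipsec-isakmp
 set peer 2.2.2.2
 match address 110
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface Serial1/0
 ip address 88.1.1.1 255.255.255.252
 crypto map map1
interface Serial1/1
 ip address 99.1.1.1 255.255.255.252
 crypto map map1
ip route 0.0.0.0 0.0.0.0 88.1.1.2
ip route 0.0.0.0 0.0.0.0 99.1.1.2
"""


def parse(config):
    """Minimal IOS parser: collects interfaces, crypto-map peers, ISAKMP key
    addresses, the crypto-map local-address and default-route next hops."""
    cfg = {"interfaces": {}, "peers": set(), "key_addrs": set(),
           "local_address": None, "default_next_hops": []}
    section = None                      # interface dict, "crypto", or None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):     # top-level command
            section = None
            if line.startswith("interface "):
                section = cfg["interfaces"].setdefault(
                    line.split()[1], {"network": None, "crypto_map": None})
            elif m := re.match(r"crypto map (\S+) local-address (\S+)$", line):
                cfg["local_address"] = (m[1], m[2])
            elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
                section = "crypto"
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)$", line):
                cfg["key_addrs"].add(m[1])
            elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
                cfg["default_next_hops"].append(ipaddress.ip_address(m[1]))
        elif section == "crypto":
            if m := re.match(r"set peer (\S+)$", line):
                cfg["peers"].add(m[1])
        elif isinstance(section, dict):
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                section["network"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.match(r"crypto map (\S+)$", line):
                section["crypto_map"] = m[1]
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means the three invariants hold."""
    findings = []
    map_name, lo_name = cfg["local_address"] or (None, None)
    lo = cfg["interfaces"].get(lo_name)
    if (lo is None or lo["network"] is None or not lo_name.startswith("Loopback")
            or lo["network"].network.prefixlen != 32):
        findings.append(f"crypto map local-address {lo_name} is not a /32 loopback")
    # A default route whose exit interface has no crypto map would forward
    # interesting traffic in the clear once the other carrier link fails.
    for hop in cfg["default_next_hops"]:
        exits = [name for name, itf in cfg["interfaces"].items()
                 if itf["network"] and hop in itf["network"].network]
        if not exits:
            findings.append(f"no connected interface for default next hop {hop}")
        for name in exits:
            if cfg["interfaces"][name]["crypto_map"] != map_name:
                findings.append(f"{name} (next hop {hop}) does not carry crypto map {map_name}")
    # The ISAKMP key must be bound to exactly the addresses the crypto map peers with.
    if cfg["peers"] != cfg["key_addrs"]:
        findings.append(f"ISAKMP key addresses {sorted(cfg['key_addrs'])} "
                        f"differ from crypto map peers {sorted(cfg['peers'])}")
    return findings


def check_config(text):
    """Parse an IOS configuration and return the design findings."""
    return check(parse(text))


if __name__ == "__main__":
    print(check_config(ROUTER_A) or "RouterA: all checks passed")
```

Running it against the copied RouterA configuration produces no findings; removing `crypto map map1` from Serial1/1, pointing local-address at a serial interface, or changing the ISAKMP key address each produce a named finding, which is the kind of drift worth catching before the first link failure reveals it.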
R1#sh running-config
Building configuration...
Current configuration : 1847 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto isakmp policy 110 #create the ISAKMP policy
hash md5 #hash algorithm
authentication pre-share #authentication by pre-shared key
group 2 #DH group
crypto isakmp key 123 address 211.1.1.2 #pre-shared key and peer address
!
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac #IPsec transform set (data protection algorithms)
mode transport #transport mode
!
crypto map map1 10 ipsec-isakmp #create the crypto map
set peer 211.1.1.2 #peer address
set transform-set *** #transform set to use
match address 110 #interesting traffic to encrypt: flows matching access list 110
!
interface Tunnel1 #create the tunnel interface
ip address 172.16.1.5 255.255.255.252 #tunnel interface IP address
tunnel source Serial1/0 #tunnel source interface
tunnel destination 211.1.1.2 #tunnel destination address
tunnel key 123456 #tunnel key
crypto map map1 #apply the crypto map on the tunnel
!
interface FastEthernet0/0
ip address 172.16.2.1 255.255.255.0
ip nat inside #NAT inside interface
ip virtual-reassembly
duplex full
standby 10 ip 172.16.2.254 #HSRP group 10, virtual address 172.16.2.254
standby 10 preempt #HSRP group 10, enable preemption
!
interface Serial1/0
ip address 211.1.1.1 255.255.255.248
ip nat outside #NAT outside interface
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
no ip address
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 10 #enable OSPF
log-adjacency-changes
network 172.16.1.4 0.0.0.3 area 0 #advertise the network
network 172.16.2.0 0.0.0.255 area 10 #advertise the network
default-information originate #advertise the default route into OSPF
distribute-list 10 in Tunnel1 #apply the distribute list to block learning the default route on this interface
!
ip route 0.0.0.0 0.0.0.0 211.1.1.2
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Serial1/0 overload #NAT so that the internal network can reach the Internet, using the outside interface address as the global address
!
logging alarm informational
access-list 10 deny 0.0.0.0 #deny the default route; used by the distribute list
access-list 10 permit any #permit all other routes; used by the distribute list
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 #do not translate traffic between the two VPN networks
access-list 100 permit ip 10.1.1.0 0.0.0.255 any #allow the 10.1.1.0 network to be translated
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 #define the interesting traffic to encrypt
!
control-plane
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
end
R2#sh running-config
Building configuration...
Current configuration : 1094 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
interface FastEthernet0/0
ip address 172.16.2.2 255.255.255.0
duplex full
standby 10 ip 172.16.2.254 #HSRP group 10, virtual address 172.16.2.254
standby 10 priority 120 #HSRP group 10, priority 120; this router is the active router
standby 10 preempt #HSRP group 10, enable preemption
standby 10 track Serial1/0 30 #HSRP group 10, track interface Serial1/0 and decrement the priority by 30
!
interface Serial1/0
ip address 172.16.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 10 #enable OSPF
log-adjacency-changes
network 172.16.1.0 0.0.0.3 area 0 #advertise the network
network 172.16.2.0 0.0.0.255 area 10 #advertise the network
distribute-list 10 in Serial1/0 #distribute list: block learning the default route on this interface
!
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 10 deny 0.0.0.0 #block learning the default route; used by the distribute list
access-list 10 permit any #permit learning all other routes; used by the distribute list
!
control-plane
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
end
SW2#sh running-config
Building configuration...
Current configuration : 1194 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface FastEthernet0/0
switchport access vlan 10
!
interface FastEthernet0/1
switchport access vlan 10
!
interface FastEthernet0/2
switchport access vlan 20
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 172.16.2.253 255.255.255.0
!
interface Vlan20
ip address 10.1.1.1 255.255.255.0
!
router ospf 10
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 10
network 172.16.2.0 0.0.0.255 area 10
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
R3#sh running-config
Building configuration...
Current configuration : 1857 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto isakmp policy 110 #create the ISAKMP policy
hash md5 #hash algorithm
authentication pre-share #authentication by pre-shared key
group 2 #DH group
crypto isakmp key 123 address 211.1.1.1 #pre-shared key and peer address
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac #IPsec transform set (data protection algorithms)
mode transport #transport mode
!
crypto map map1 10 ipsec-isakmp #create the crypto map
set peer 211.1.1.1 #peer address
set transform-set *** #transform set to use
match address 110 #interesting traffic: flows matching access list 110
!
interface Tunnel1 #create the tunnel interface
ip address 172.16.1.6 255.255.255.252 #tunnel interface IP address
tunnel source Serial1/0 #tunnel source interface
tunnel destination 211.1.1.1 #tunnel destination address
tunnel key 123456 #tunnel key
crypto map map1 #apply the crypto map on the tunnel
!
interface FastEthernet0/0
ip address 172.16.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
standby 20 ip 172.16.3.254 #HSRP group 20, virtual address 172.16.3.254
standby 20 preempt #HSRP group 20, enable preemption
!
interface Serial1/0
ip address 211.1.1.2 255.255.255.248
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 10 #enable OSPF
log-adjacency-changes
network 172.16.1.4 0.0.0.3 area 0 #advertise the network
network 172.16.3.0 0.0.0.255 area 20 #advertise the network
default-information originate #advertise the default route into OSPF
distribute-list 10 in Tunnel1 #distribute list: block learning the default route on this interface
!
ip route 0.0.0.0 0.0.0.0 211.1.1.1
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Serial1/0 overload #NAT so that the internal network can reach the Internet, using the outside interface address as the global address
!
logging alarm informational
access-list 10 deny 0.0.0.0 #block learning the default route; used by the distribute list
access-list 10 permit any #permit learning all other routes; used by the distribute list
access-list 100 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 #do not translate traffic between the two encrypted networks
access-list 100 permit ip 10.1.2.0 0.0.0.255 any #allow the 10.1.2.0 network to be translated
access-list 110 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 #define the interesting traffic to encrypt
!
control-plane
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
end
R4#sh running-config
Building configuration...
Current configuration : 1104 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
interface FastEthernet0/0
ip address 172.16.3.2 255.255.255.0
duplex full
standby 20 ip 172.16.3.254 #HSRP group 20, virtual address 172.16.3.254
standby 20 priority 120 #HSRP group 20, priority 120; this router is the active router
standby 20 preempt #HSRP group 20, enable preemption
standby 20 track Serial1/0 30 #HSRP group 20, track interface Serial1/0 and decrement the priority by 30
!
interface Serial1/0
ip address 172.16.1.2 255.255.255.252
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 10 #enable OSPF
log-adjacency-changes
network 172.16.1.0 0.0.0.3 area 0 #advertise the network
network 172.16.3.0 0.0.0.255 area 20 #advertise the network
distribute-list 10 in Serial1/0 #distribute list: block learning the default route on this interface
!
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 10 deny 0.0.0.0
access-list 10 permit any
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end
SW1#sh running-config
Building configuration...
Current configuration : 1194 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
interface FastEthernet0/0
switchport access vlan 30
!
interface FastEthernet0/1
switchport access vlan 30
!
interface FastEthernet0/2
switchport access vlan 40
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
no ip address
!
interface Vlan30
ip address 172.16.3.253 255.255.255.0
!
interface Vlan40
ip address 10.1.2.1 255.255.255.0
!
router ospf 10
log-adjacency-changes
network 10.1.2.0 0.0.0.255 area 20
network 172.16.3.0 0.0.0.255 area 20
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
The test phase follows. First, look at the SW2 routing table.
SW2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA 172.16.1.4/30 [110/11112] via 172.16.2.1, 00:00:55, Vlan10
O IA 172.16.1.0/30 [110/65] via 172.16.2.2, 00:00:55, Vlan10
C 172.16.2.0/24 is directly connected, Vlan10
O IA 172.16.3.0/24 [110/66] via 172.16.2.2, 00:00:46, Vlan10
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.2.0 [110/67] via 172.16.2.2, 00:00:46, Vlan10
C 10.1.1.0 is directly connected, Vlan20
O*E2 0.0.0.0/0 [110/1] via 172.16.2.1, 00:00:45, Vlan10
The cost to reach the 10.1.2.0 network is 67.
SW1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.3.1 to network 0.0.0.0
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA 172.16.1.4/30 [110/11112] via 172.16.3.1, 00:01:05, Vlan30
O IA 172.16.1.0/30 [110/65] via 172.16.3.2, 00:01:05, Vlan30
O IA 172.16.2.0/24 [110/66] via 172.16.3.2, 00:00:35, Vlan30
C 172.16.3.0/24 is directly connected, Vlan30
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.2.0 is directly connected, Vlan40
O IA 10.1.1.0 [110/67] via 172.16.3.2, 00:00:35, Vlan30
O*E2 0.0.0.0/0 [110/1] via 172.16.3.1, 00:00:30, Vlan30
R4#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 20 120 P Active local 172.16.3.1 172.16.3.254
R2#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 120 P Active local 172.16.2.1 172.16.2.254
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 211.1.1.2 to network 0.0.0.0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.1.4/30 is directly connected, Tunnel1
C 172.16.2.0/24 is directly connected, FastEthernet0/0
O IA 172.16.3.0/24 [110/11112] via 172.16.1.6, 00:03:56, Tunnel1
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.2.0 [110/11113] via 172.16.1.6, 00:03:56, Tunnel1
O 10.1.1.0 [110/2] via 172.16.2.253, 00:03:56, FastEthernet0/0
211.1.1.0/29 is subnetted, 1 subnets
C 211.1.1.0 is directly connected, Serial1/0
S* 0.0.0.0/0 [1/0] via 211.1.1.2
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.1.0/30 is directly connected, Serial1/0
C 172.16.2.0/24 is directly connected, FastEthernet0/0
O IA 172.16.3.0/24 [110/65] via 172.16.1.2, 00:04:04, Serial1/0
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.2.0 [110/66] via 172.16.1.2, 00:04:04, Serial1/0
O 10.1.1.0 [110/2] via 172.16.2.253, 00:04:14, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 172.16.2.1, 00:04:04, FastEthernet0/0
The cost to reach the 10.1.2.0 network is 66.
SW2#ping 10.1.2.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/144/204 ms
SW2#ping 10.1.2.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/119/160 ms
Log in to the router and shut down the primary-link interface.
R4(config)#int s1/0
R4(config-if)#shutdown
R4(config-if)#
*Nov 30 22:36:09.703: %OSPF-5-ADJCHG: Process 10, Nbr 172.16.2.2 on Serial1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Nov 30 22:36:11.591: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 20 state Active -> Speak
*Nov 30 22:36:11.675: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
*Nov 30 22:36:11.675: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
*Nov 30 22:36:12.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
*Nov 30 22:36:21.591: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 20 state Speak -> Standby
R2#
*Nov 30 22:36:41.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
*Nov 30 22:36:41.443: %OSPF-5-ADJCHG: Process 10, Nbr 172.16.3.2 on Serial1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Nov 30 22:36:44.035: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
R2#
*Nov 30 22:36:54.035: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
We can see that the HSRP active router has changed.
R2#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 90 P Standby 172.16.2.1 local 172.16.2.254
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA 172.16.1.4/30 [110/11112] via 172.16.2.1, 00:00:32, FastEthernet0/0
C 172.16.2.0/24 is directly connected, FastEthernet0/0
O IA 172.16.3.0/24 [110/11113] via 172.16.2.1, 00:00:32, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.2.0 [110/11114] via 172.16.2.1, 00:00:32, FastEthernet0/0
O 10.1.1.0 [110/2] via 172.16.2.253, 00:00:32, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 172.16.2.1, 00:00:32, FastEthernet0/0
The cost of the route to the 10.1.2.0 network is now 11114, which shows that traffic is going through the tunnel.
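The costs in these routing tables follow from IOS defaults, and the added example below (not part of the original post) recomputes them so the preference for the serial link is explicit: with the default reference bandwidth of 100 Mbps, a serial interface at 1544 kbps costs 64, a FastEthernet or VLAN interface costs 1, and a GRE tunnel at its default 9 kbps costs 11111, which is why the backup path only wins once the serial adjacency is gone. The bandwidth defaults are assumptions, but the 64 and 11111 increments visible in the outputs above confirm them; the path lists and names are the example's own.

```python
"""Reproduce the OSPF path costs seen in the post from IOS defaults (added example)."""

REFERENCE_BW_KBPS = 100_000   # assumed default auto-cost reference-bandwidth (100 Mbps)

# Assumed IOS 12.4 default interface bandwidths in kbps.
DEFAULT_BW_KBPS = {
    "FastEthernet": 100_000,
    "Vlan": 100_000,          # switch SVI
    "Serial": 1_544,          # T1 default on a serial interface
    "Tunnel": 9,              # GRE tunnel default
}


def ospf_cost(bandwidth_kbps):
    """Interface cost = reference bandwidth / interface bandwidth, truncated, never below 1."""
    return max(1, REFERENCE_BW_KBPS // bandwidth_kbps)


def path_cost(hops):
    """Total cost to a destination network: the outbound interface cost of each
    router along the path plus the cost of the interface the destination sits on."""
    return sum(ospf_cost(DEFAULT_BW_KBPS[kind]) for kind in hops)


# Hop-by-hop paths to 10.1.2.0/24 (SW1 Vlan40), constructed from the topology in the post.
PATHS = {
    # R2 -> Se1/0 -> R4 -> Fa0/0 -> SW1 -> Vlan40
    "R2 via primary serial": ["Serial", "FastEthernet", "Vlan"],
    # SW2 -> Vlan10 -> R2 -> Se1/0 -> R4 -> Fa0/0 -> SW1 -> Vlan40
    "SW2 via primary serial": ["Vlan", "Serial", "FastEthernet", "Vlan"],
    # R1 -> Tunnel1 -> R3 -> Fa0/0 -> SW1 -> Vlan40
    "R1 via tunnel": ["Tunnel", "FastEthernet", "Vlan"],
    # R2 -> Fa0/0 -> R1 -> Tunnel1 -> R3 -> Fa0/0 -> SW1 -> Vlan40 (after the serial link fails)
    "R2 via tunnel": ["FastEthernet", "Tunnel", "FastEthernet", "Vlan"],
}

# Costs printed by 'sh ip route' in the post, for comparison.
OBSERVED = {
    "R2 via primary serial": 66,
    "SW2 via primary serial": 67,
    "R1 via tunnel": 11113,
    "R2 via tunnel": 11114,
}


def computed_costs():
    """Cost of every path in PATHS from the defaults above."""
    return {name: path_cost(hops) for name, hops in PATHS.items()}


def preferred_path(candidates):
    """Name of the lowest-cost path among the given path names (OSPF's choice)."""
    costs = computed_costs()
    return min(candidates, key=lambda name: costs[name])


if __name__ == "__main__":
    for name, cost in computed_costs().items():
        print(f"{name:24s} computed {cost:6d}  observed {OBSERVED[name]}")
    print("R2 prefers:", preferred_path(["R2 via primary serial", "R2 via tunnel"]))
```

The 11111 tunnel cost is what keeps the encrypted Internet path idle while the dedicated link is healthy; if the tunnel ever needs to be the preferred path for some prefixes, the lever is the `bandwidth` (or `ip ospf cost`) setting on the tunnel interface, not the crypto configuration.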
SW2#ping 10.1.2.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/178/232 ms
SW2#ping 10.1.2.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/174/208 ms
We can see that the VPN link has come up.
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
211.1.1.2 211.1.1.1 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: map1, local addr 211.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer 211.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
We can see that 49 packets have been encrypted.
local crypto endpt.: 211.1.1.1, remote crypto endpt.: 211.1.1.2
path mtu 1472, ip mtu 1472, ip mtu idb Tunnel1
current outbound spi: 0x9F5AB1DA(2673521114)
inbound esp sas:
spi: 0x2F5C5100(794579200)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4470831/2731)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0xCAD7ADBF(3403132351)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4470831/2730)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
spi: 0x9F5AB1DA(2673521114)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: 4, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4470831/2730)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0xCB251438(3408204856)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: 4, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4470831/2729)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
Now log in to the router again and bring the interface back up.
R4(config-if)#no shutdown
R4(config-if)#
*Nov 30 22:39:11.935: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Nov 30 22:39:11.935: %ENTITY_ALARM-6-INFO: CLEAR INFO Se1/0 Physical Port Administrative State Down
*Nov 30 22:39:12.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
*Nov 30 22:39:13.899: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 20 state Standby -> Active
R4(config-if)#
*Nov 30 22:39:22.103: %OSPF-5-ADJCHG: Process 10, Nbr 172.16.2.2 on Serial1/0 from LOADING to FULL, Loading Done
R4(config-if)#
Then test data communication again.
SW2#ping 211.1.1.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/104/140 ms
We can see that VPN encryption was not used; the data was forwarded over the primary link.
R1#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: map1, local addr 211.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer 211.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 211.1.1.1, remote crypto endpt.: 211.1.1.2
path mtu 1472, ip mtu 1472, ip mtu idb Tunnel1
current outbound spi: 0x9F5AB1DA(2673521114)
inbound esp sas:
spi: 0x2F5C5100(794579200)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4470831/2631)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0xCAD7ADBF(3403132351)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4470831/2629)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
spi: 0x9F5AB1DA(2673521114)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: 4, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4470831/2629)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0xCB251438(3408204856)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: 4, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4470831/2629)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
When an internal host accesses an Internet host, we can see that the traffic is not encrypted but address-translated instead.
SW2#ping 211.1.1.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/90/152 ms
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 211.1.1.1:76 10.1.1.1:76 211.1.1.2:76 211.1.1.2:76
icmp 211.1.1.1:77 10.1.1.1:77 211.1.1.2:77 211.1.1.2:77
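The NAT translations above show the last piece of the design: the deny entry in access list 100 must appear before its permit entry because IOS translates inside-to-outside packets before it consults the crypto map, so a translated source would never match access list 110 and the site-to-site flow would leave in the clear. The added Python example below (not code from the original post) evaluates R1's two ACLs in that order for sample flows and checks the exemption structurally; it handles only the `ip` entries with wildcard masks or `any` that appear in the configuration, and the outside address 211.1.1.1 is R1's Serial1/0 address.

```python
"""Evaluate R1's NAT ACL and crypto ACL in IOS order for an inside host (added example)."""
import ipaddress

# Copied from the R1 configuration above (annotations removed).
R1_ACLS = """
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""
NAT_ACL, CRYPTO_ACL = "100", "110"
OUTSIDE_ADDR = "211.1.1.1"   # R1 Serial1/0: the inside-global address used by NAT overload


def _net(tokens):
    """Consume one ACL address spec ('any' or 'addr wildcard'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    if wildcard == "0.0.0.0":                       # single host
        return ipaddress.ip_network(f"{addr}/32"), tokens[2:]
    # ipaddress accepts a host (wildcard) mask after the slash
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configuration order."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue                                  # only extended 'ip' entries are modelled
        number, action = parts[1], parts[2]
        src, rest = _net(parts[4:])
        dst, _ = _net(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_action(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def classify(acls, src, dst):
    """What R1 does with an inside host's packet: inside-to-outside NAT is applied
    first, then the crypto map is checked against the (possibly translated) source."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_action(acls[NAT_ACL], s, d) == "permit":
        s = ipaddress.ip_address(OUTSIDE_ADDR)        # source rewritten by NAT overload
        encrypted = acl_action(acls[CRYPTO_ACL], s, d) == "permit"
        return "nat+encrypted" if encrypted else "nat-only"
    encrypted = acl_action(acls[CRYPTO_ACL], s, d) == "permit"
    return "encrypted" if encrypted else "clear"


def nat_exemption_ok(acls):
    """True when every flow the crypto ACL permits is denied by the NAT ACL before
    any overlapping permit entry could translate it (the ordering the post relies on)."""
    for action, c_src, c_dst in acls[CRYPTO_ACL]:
        if action != "permit":
            continue
        for n_action, n_src, n_dst in acls[NAT_ACL]:
            if n_action == "deny" and c_src.subnet_of(n_src) and c_dst.subnet_of(n_dst):
                break                                 # exempted before translation
            if n_action == "permit" and c_src.overlaps(n_src) and c_dst.overlaps(n_dst):
                return False                          # would be translated first
    return True


if __name__ == "__main__":
    acls = parse_acls(R1_ACLS)
    for flow in [("10.1.1.1", "10.1.2.1"), ("10.1.1.1", "211.1.1.2")]:
        print(flow, "->", classify(acls, *flow))
    print("NAT exemption correct:", nat_exemption_ok(acls))
```

With the configuration as posted, 10.1.1.1 to 10.1.2.1 is classified as encrypted and 10.1.1.1 to 211.1.1.2 as translated only, matching the ping and `sh ip nat translations` output above; deleting the deny entry turns the site-to-site flow into a translated, unencrypted one, which is the failure the entry exists to prevent.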