VPN Technology


2007-08-03 12:20:10
Tags: Network, VPN

VPN definition

A virtual private network (VPN, Virtual Private Network) is the technique of building a private network on top of a public network. It is called a virtual network because the connection between any two nodes of the VPN does not use the end-to-end physical link that a traditional private network requires; instead it is a logical network built over the network platform offered by a public network service provider (such as the Internet, ATM, Frame Relay, etc.), and user data travels over the logical links.

VPN functions

1. Network interconnection through tunnels or virtual circuits
2. Support for user security management
3. Network monitoring and fault diagnosis

Advantages of a VPN solution

1. Cost savings: it saves long-distance telephone charges and long-distance leased-line charges, and can cut a user's network application costs by 30-25%.
2. Flexible choice and high speed: through the VPN gateway a user can choose among many Internet connection technologies, and Internet capacity can be tailored on demand;
3. Good security: the VPN authentication mechanism better protects user privacy and the integrity of data sent and received;
4. Investment protection: VPN technology can be deployed on top of the user's existing firewall, and the application software the user already runs is not affected.

VPN technical principles

1. A VPN system lets private networks at different locations communicate securely over an untrusted public network.
2. According to the rules set by the network administrator, the VPN device decides whether data must be encrypted or may pass through directly.
3. For data that needs encryption, the VPN device encrypts the entire packet and attaches a digital signature.
4. The VPN device adds a new packet header that carries the security information the destination VPN device needs and some initialization parameters.
5. The VPN device re-encapsulates the encrypted data, the authentication data, the source IP address and the destination VPN device's IP address; the re-encapsulated packet is carried across the public network through a virtual channel.
6. When the packet reaches the destination VPN device it is decapsulated; once the digital signature has been verified, the packet is decrypted.

VPN configuration examples

Intranet configuration:

Figure 3-8: Intranet VPN Scenario Physical Elements

Headquarters Router configuration

hq-sanjose# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set proposal1
 match address 101
!
interface Tunnel0
 bandwidth 180
 ip address 172.17.3.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.17.2.4
 tunnel destination 172.24.2.5
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.3.3 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.1.6.4 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

Remote Office Router configuration:

ro-rtp# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address 172.17.2.4
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.17.2.4
 set transform-set proposal1
 match address 101
!
interface Tunnel1
 bandwidth 180
 ip address 172.24.3.6 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.24.2.5
 tunnel destination 172.17.2.4
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.4.2 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0
 ip address 172.24.2.5 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

Extranet configuration:

Figure 3-9: Extranet VPN Scenario Physical Elements

Headquarters Router configuration:

hq-sanjose# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
crypto isakmp key test67890 address 172.23.2.7
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set proposal1
 match address 101
!
crypto map s4second local-address Serial2/0
crypto map s4second 2 ipsec-isakmp
 set peer 172.23.2.7
 set transform-set proposal4
 match address 111
!
interface Tunnel0
 bandwidth 180
 ip address 172.17.3.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.17.2.4
 tunnel destination 172.24.2.5
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.3.3 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.1.6.4 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0

This article is from the 51CTO.COM technology blog.
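As an added illustration (not part of the original post or of Cisco's documentation), the following Python script cross-checks a GRE-over-IPsec configuration of the kind shown above: every crypto-map peer must have an ISAKMP key, the tunnel destination must be that peer, the crypto ACL must select exactly the GRE flow between the tunnel endpoints, and the single-DES transform set and cleartext password settings are flagged. The embedded excerpt is taken from the hq-sanjose intranet config above; the audit function and its regular expressions are my own.

```python
import re

# Constructed excerpt of the hq-sanjose intranet running-config shown above
# (only the lines the checks below read; the rest of the config is omitted).
HQ_CONFIG = """\
no service password-encryption
crypto isakmp key test12345 address 172.24.2.5
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
crypto map s1first 1 ipsec-isakmp
 set peer 172.24.2.5
 match address 101
interface Tunnel0
 tunnel source 172.17.2.4
 tunnel destination 172.24.2.5
 crypto map s1first
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
"""

def audit(config):
    """Cross-check one GRE-over-IPsec IOS config; return a list of findings."""
    findings = []
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    peers = set(re.findall(r"^ set peer (\S+)", config, re.M))
    srcs = re.findall(r"^ tunnel source (\S+)", config, re.M)
    dsts = re.findall(r"^ tunnel destination (\S+)", config, re.M)
    acls = {n: (s, d) for n, s, d in re.findall(
        r"^access-list (\d+) permit gre host (\S+) host (\S+)", config, re.M)}
    # 1. every IPsec peer needs a pre-shared key, and every key needs a peer
    for p in sorted(peers - keyed):
        findings.append(f"peer {p} has no ISAKMP key")
    for p in sorted(keyed - peers):
        findings.append(f"ISAKMP key for {p} is not used by any crypto map")
    # 2. the GRE tunnel must terminate on an IPsec peer ...
    for d in dsts:
        if d not in peers:
            findings.append(f"tunnel destination {d} is not an IPsec peer")
    # 3. ... and the crypto ACL must select exactly that GRE flow
    for n in re.findall(r"^ match address (\d+)", config, re.M):
        if n not in acls:
            findings.append(f"crypto map references undefined ACL {n}")
        elif acls[n] not in {(s, d) for s in srcs for d in dsts}:
            findings.append(f"ACL {n} hosts {acls[n]} do not match the tunnel endpoints")
    # 4. weak settings a reviewer would flag before deployment
    if re.search(r"\besp-des\b", config):
        findings.append("transform set uses single DES (esp-des)")
    if "no service password-encryption" in config:
        findings.append("no service password-encryption: line/enable passwords stored in cleartext")
    return findings
```

Running audit() over the remote-office config, with its mirrored addresses, should yield only the two weak-setting findings as well; any drift between the ACL, the tunnel endpoints and the peer shows up as a mismatch line.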