Lab prerequisites:
What is GRE, and what does it do? Let's first go over a few key points.
GRE: Generic Routing Encapsulation
Generic Routing Encapsulation (GRE) defines a protocol for encapsulating an arbitrary network-layer protocol inside an arbitrary other network-layer protocol.
In the most general case, a system has a payload packet that needs to be encapsulated and delivered to some destination. The payload is first encapsulated in a GRE packet, and the resulting GRE packet is then encapsulated in some other protocol and forwarded; this outer protocol is called the delivery protocol. When IPv4 is carried as the GRE payload, the Protocol Type field must be set to 0x800. When a tunnel endpoint decapsulates a GRE packet whose payload is an IPv4 packet, the destination address in the IPv4 payload header must be used to forward the packet, and the TTL of the payload packet must be decremented. Note that when forwarding such a packet, a loop occurs if the payload's destination address is the packet's encapsulator (that is, the other end of the tunnel); in that case the packet must be discarded. When a GRE packet is encapsulated in IPv4, IPv4 protocol number 47 is used.
Security in a GRE-tunneled network is much like security in an ordinary IPv4 network: routing over GRE uses the routes IPv4 already uses, and route filtering is unchanged. Packet filtering requires either that the firewall inspect the GRE packets or that filtering be performed at the GRE tunnel endpoints. In environments where this is regarded as a security problem, the tunnel can be terminated at the firewall.
Generic Routing Encapsulation (GRE) was originally proposed by Cisco and has since become a standard, defined in RFC 1701, RFC 1702 and RFC 2784. Put simply, GRE is a tunneling protocol used to carry packets from one network to another.
If it sounds similar to a virtual private network (VPN), that is because, technically, a GRE tunnel is a type of VPN, but it is not a secure tunnel on its own. You can, however, encrypt a GRE tunnel with an encryption protocol such as IPSec, which is commonly used in VPNs.
In fact, the Point-to-Point Tunneling Protocol (PPTP) uses GRE to create VPN tunnels. For example, a Microsoft VPN tunnel uses PPTP by default, and therefore uses GRE.
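The encapsulation and decapsulation rules described in the two paragraphs above, as an added example that is not part of the original post: it builds the 100-byte ICMP echo from the lab (constructed sample), wraps it in a basic RFC 2784 GRE header plus an IPv4 delivery header with protocol 47, and on the receiving endpoint inspects the inner packet, decrements its TTL and discards a payload addressed back to the encapsulator. Function names and the zeroed IPv4 checksum are this example's own simplifications.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47           # IPv4 protocol number for GRE (the "proto=47" seen in the debug output)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value meaning "the payload is IPv4"

def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Minimal 20-byte IPv4 header; the header checksum is left at 0 in this sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap an IPv4 packet in a basic RFC 2784 GRE header plus a delivery IPv4 header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # C=0, reserved0=0, version=0, protocol type
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet):
    """Tunnel-endpoint side. Returns (payload, next_destination); (None, None) means the
    endpoint must discard the packet (payload addressed back to the encapsulator, or TTL expired)."""
    vihl, _, _, _, _, _, proto, _, outer_src, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    outer_hlen = (vihl & 0x0F) * 4
    if proto != GRE_PROTO:
        raise ValueError("not GRE: IPv4 protocol %d" % proto)
    flags_ver, ptype = struct.unpack("!HH", packet[outer_hlen:outer_hlen + 4])
    if flags_ver & 0x0007:  # RFC 2784 GRE has version 0; anything else is not handled here
        raise ValueError("unsupported GRE version %d" % (flags_ver & 7))
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("payload protocol type 0x%04x is not IPv4" % ptype)
    inner = bytearray(packet[outer_hlen + 4:])  # an RFC 2784 header with C=0 is 4 bytes
    inner_dst = IPv4Address(bytes(inner[16:20]))
    if inner_dst == IPv4Address(outer_src):
        return None, None  # payload destined to the other tunnel end: a loop, so drop it
    if inner[8] <= 1:
        return None, None  # TTL would reach 0 on forwarding: drop (a router would send ICMP time exceeded)
    inner[8] -= 1  # the endpoint forwards the payload, so the payload TTL is decremented
    return bytes(inner), str(inner_dst)

def lab_ping_packet():
    """Constructed sample matching step 7: a 100-byte ICMP echo from 10.0.0.1 to 10.0.0.3."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\xab" * 72  # 8-byte ICMP header + 72 data
    return ipv4_header("10.0.0.1", "10.0.0.3", 1, len(icmp)) + icmp  # 20 + 80 = 100 bytes

if __name__ == "__main__":
    outer = gre_encapsulate(lab_ping_packet(), "192.168.0.1", "172.16.0.3")
    print("delivery packet: len %d, proto %d" % (len(outer), outer[9]))  # len 124, proto 47
    print("decapsulated at R3, forwards to:", gre_decapsulate(outer)[1])  # 10.0.0.3
```

The delivery packet is 124 bytes for a 100-byte payload, which is exactly the "len 100" / "len 124" pair that shows up in the debug output of step 7.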
Why use GRE? Why tunnel traffic with GRE? The reasons are as follows:
Sometimes you need to encrypt multicast traffic. A GRE tunnel can carry multicast packets just like a real network interface, whereas IPSec on its own cannot encrypt multicast traffic. Examples of multicast traffic include OSPF, EIGRP and RIPv2; many video, VoIP and music streaming applications also use multicast.
The protocol you are using is not routable (NetBIOS, for example), or you need to carry non-IP traffic over an IP network. For example, you can use GRE to carry IPX or AppleTalk across an IP network.
You need to connect two similar networks through a network that uses different IP addressing.
OK! Let's run a lab to see it in action and reinforce the theory. The lab topology and configuration are as follows.
Lab procedure:
Step 1: R1 pre-configuration
R1(config)# int lo0
R1(config-if)# ip add 1.1.1.1 255.255.255.0
R1(config-if)# int s2/1
R1(config-if)# ip add 192.168.0.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# exit
R1(config)# ^Z
Step 2: R2 pre-configuration
R2(config)# int s2/1
R2(config-if)# ip add 192.168.0.2 255.255.255.0
R2(config-if)# no sh
R2(config-if)# int s2/2
R2(config-if)# ip add 172.16.0.2 255.255.255.0
R2(config-if)# no sh
R2(config-if)# exit
R2(config)# ^Z
Step 3: R3 pre-configuration
R3(config)# int s2/1
R3(config-if)# ip add 172.16.0.3 255.255.255.0
R3(config-if)# no sh
R3(config-if)# int lo0
R3(config-if)# ip add 3.3.3.3 255.255.255.0
R3(config-if)# exit
R3(config)# ^Z
Step 4: Configure R1, R2 and R3 for EIGRP AS 100
R1(config)# router eigrp 100
R1(config-router)# no auto
R1(config-router)# net 192.168.0.0
R2(config)# router eigrp 100
R2(config-router)# no auto
R2(config-router)# net 192.168.0.0
R2(config-router)# net 172.16.0.0
R3(config)# router eigrp 100
R3(config-router)# no auto
R3(config-router)# net 172.16.0.0
Step 5: Check that R1 and R3 learn each other's routes
R1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.0.0 [90/2681856] via 192.168.0.2, 00:01:48, Serial2/1
C 192.168.0.0/24 is directly connected, Serial2/1
R3# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Serial2/1
D 192.168.0.0/24 [90/2681856] via 172.16.0.2, 00:01:33, Serial2/1
Step 6: Create the GRE tunnel on R1 and R3
R1(config)# int tunnel 0
R1(config-if)# tunnel source s2/1
R1(config-if)# tunnel destination 172.16.0.3
R1(config-if)# ip add 10.0.0.1 255.255.255.0
R1(config-if)# exit
R3(config)# int tunnel 0
R3(config-if)# tunnel source s2/1
R3(config-if)# tunnel destination 192.168.0.1
R3(config-if)# ip add 10.0.0.3 255.255.255.0
R3(config-if)# exit
Step 7: Ping R3's tunnel address 10.0.0.3 from R1 to test the tunnel
R1# debug ip packet detail
IP packet debugging is on (detailed)
R1# ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!
*Mar 1 00:13:18.611: IP: s=192.168.0.2 (Serial2/1), d=224.0.0.10, len 60, rcvd 2, proto=88
*Mar 1 00:13:19.443: IP: tableid=0, s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), routed via FIB
*Mar 1 00:13:19.443: IP: s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), len 100, sending
*Mar 1 00:13:19.447: ICMP type=8, code=0
*Mar 1 00:13:19.447: IP: s=192.168.0.1 (Tunnel0), d=172.16.0.3 (Serial2/1), len 124, sending, proto=47!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/144/188 ms
R1#
*Mar 1 00:13:19.627: IP: tableid=0, s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), routed via RIB
*Mar 1 00:13:19.627: IP: s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), len 100, rcvd 3
*Mar 1 00:13:19.631: ICMP type=0, code=0
*Mar 1 00:13:19.635: IP: tableid=0, s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), routed via FIB
*Mar 1 00:13:19.635: IP: s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), len 100, sending
*Mar 1 00:13:19.635: ICMP type=8, code=0
*Mar 1 00:13:19.635: IP: s=192.168.0.1 (Tunnel0), d=172.16.0.3 (Serial2/1), len 124, sending, proto=47
*Mar 1 00:13:19.695: IP: s=192.168.0.1 (local), d=224.0.0.10 (Serial2/1), len 60, sending broad/multicast, proto=88
*Mar 1 00:13:19.767: IP: tableid=0, s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), routed via RIB
*Mar 1 00:13:19.767: IP: s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), len 100, rcvd 3
*Mar 1 00:13:19.771: ICMP type=0, code=0
*Mar 1 00:13:19.775: IP: tableid=0, s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), route
R1#d via FIB
*Mar 1 00:13:19.775: IP: s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), len 100, sending
*Mar 1 00:13:19.775: ICMP type=8, code=0
*Mar 1 00:13:19.779: IP: s=192.168.0.1 (Tunnel0), d=172.16.0.3 (Serial2/1), len 124, sending, proto=47
*Mar 1 00:13:19.939: IP: tableid=0, s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), routed via RIB
*Mar 1 00:13:19.939: IP: s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), len 100, rcvd 3
*Mar 1 00:13:19.943: ICMP type=0, code=0
*Mar 1 00:13:19.947: IP: tableid=0, s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), routed via FIB
*Mar 1 00:13:19.947: IP: s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), len 100, sending
*Mar 1 00:13:19.947: ICMP type=8, code=0
*Mar 1 00:13:19.947: IP: s=192.168.0.1 (Tunnel0), d=172.16.0.3 (Serial2/1), len 124, sending, proto=47
*Mar 1 00:13:20.079: IP: tableid=0, s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), routed via RIB
*Mar 1 00:13:20.079: IP: s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), len 100, rcvd 3
*M
R1#ar 1 00:13:20.083: ICMP type=0, code=0
*Mar 1 00:13:20.087: IP: tableid=0, s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), routed via FIB
*Mar 1 00:13:20.087: IP: s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), len 100, sending
*Mar 1 00:13:20.087: ICMP type=8, code=0
*Mar 1 00:13:20.087: IP: s=192.168.0.1 (Tunnel0), d=172.16.0.3 (Serial2/1), len 124, sending, proto=47
*Mar 1 00:13:20.171: IP: tableid=0, s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), routed via RIB
*Mar 1 00:13:20.171: IP: s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), len 100, rcvd 3
*Mar 1 00:13:20.175: ICMP type=0, code=0
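A small parser over an excerpt of the debug output above, added here as an example and not part of the original post: it pairs each inner packet sent into Tunnel0 with the GRE delivery packet (proto=47) that follows it, confirming the 24-byte overhead (20-byte delivery IPv4 header plus 4-byte GRE header) and that only the endpoint addresses 192.168.0.1 and 172.16.0.3 appear on the transport path. The excerpt is copied from the log above with its prompt noise ("!!!!") kept; the regular expression and function names are this example's own.

```python
import re

# Excerpt of R1's "debug ip packet detail" output from step 7 (kept verbatim, including the
# "!!!!" ping markers that the console interleaved with the last debug line).
DEBUG_LOG = """\
*Mar 1 00:13:18.611: IP: s=192.168.0.2 (Serial2/1), d=224.0.0.10, len 60, rcvd 2, proto=88
*Mar 1 00:13:19.443: IP: s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), len 100, sending
*Mar 1 00:13:19.447: ICMP type=8, code=0
*Mar 1 00:13:19.447: IP: s=192.168.0.1 (Tunnel0), d=172.16.0.3 (Serial2/1), len 124, sending, proto=47!!!!
*Mar 1 00:13:19.627: IP: s=10.0.0.3 (Tunnel0), d=10.0.0.1 (Tunnel0), len 100, rcvd 3
*Mar 1 00:13:19.635: IP: s=10.0.0.1 (local), d=10.0.0.3 (Tunnel0), len 100, sending
*Mar 1 00:13:19.635: IP: s=192.168.0.1 (Tunnel0), d=172.16.0.3 (Serial2/1), len 124, sending, proto=47
*Mar 1 00:13:19.695: IP: s=192.168.0.1 (local), d=224.0.0.10 (Serial2/1), len 60, sending broad/multicast, proto=88
"""

# One "IP:" debug line: source (interface), destination [(interface)], length, action, optional proto.
LINE_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<sif>[^)]*)\), d=(?P<dst>[\d.]+)(?: \((?P<dif>[^)]*)\))?, "
    r"len (?P<len>\d+), (?P<action>sending|rcvd)[^,]*(?:, proto=(?P<proto>\d+))?")

def parse_ip_lines(text):
    """Return one dict per 'IP:' line; ICMP-only lines and prompt noise are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["len"] = int(d["len"])
            d["proto"] = int(d["proto"]) if d["proto"] else None
            records.append(d)
    return records

def pair_encapsulations(records):
    """Pair each inner packet sent out Tunnel0 with the GRE delivery packet logged right after it."""
    pairs, pending = [], None
    for r in records:
        if r["action"] == "sending" and r["dif"] == "Tunnel0" and r["proto"] is None:
            pending = r  # inner (payload) packet routed into the tunnel interface
        elif r["action"] == "sending" and r["proto"] == 47 and pending is not None:
            pairs.append({"inner": (pending["src"], pending["dst"], pending["len"]),
                          "outer": (r["src"], r["dst"], r["len"]),
                          "overhead": r["len"] - pending["len"]})  # 20 IPv4 + 4 GRE = 24
            pending = None
    return pairs

if __name__ == "__main__":
    for p in pair_encapsulations(parse_ip_lines(DEBUG_LOG)):
        print("%s -> %s (%d bytes) carried as %s -> %s (%d bytes), overhead %d"
              % (p["inner"] + p["outer"] + (p["overhead"],)))
```

The EIGRP hellos to 224.0.0.10 (proto=88) in the excerpt are the AS 100 adjacency on the serial link and are not tunneled; the AS 200 hellos configured in the next step will travel inside the GRE packets.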
Step 8: Configure EIGRP AS 200 to form an adjacency over Tunnel0
R1(config)# router eigrp 200
R1(config-router)# net 10.0.0.0
R3(config)# router eigrp 200
R3(config-router)# net 10.0.0.0
Step 9: Check the EIGRP adjacency on R1
R1# show ip eigrp nei
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.0.2 Se2/1 14 00:10:45 152 912 0 3
IP-EIGRP neighbors for process 200
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.0.3 Tu0 12 00:00:59 163 5000 0 2
R1#
// R1 has formed an adjacency with R3 (10.0.0.3) over Tunnel 0