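Lab requirements:
R1 and R2 are Company A's devices and run RIPv2 internally; R3 and R4 are Company B's devices and run EIGRP internally; R5, R6, R7 and R8 are Company C's devices and run OSPF internally. Company C has taken over Companies A and B. Company C originally reached the Internet over a 4M China Telecom link; after the merger, the gateway R8 also ordered a 2M China Netcom link for the former Companies A and B to use.
1. Bring up the appropriate protocol inside each company. RIP must use unicast updates and must not advertise routing updates out of unnecessary interfaces; disable auto-summary for RIPv2 and EIGRP.
2. Ensure the whole internal network is fully reachable after the merger.
3. Minimize the number of route entries in OSPF area 1, and minimize the route entries on gateway R8.
4. Minimize the number of EIGRP entries learned by R3.
5. R1 is underpowered; ensure it learns only a single default route from the former Company C.
6. Ensure that Company C's internal network reaches the ISP's web server through the Telecom 200.1.1.0/24 segment, while Companies A and B go through the Netcom 202.1.1.0/24 segment, with each link backing up the other.
Lab topology:
Lab steps:
1. Configure the routing protocols
R1 and R2 run RIP, R3 and R4 run EIGRP, and R2 and R4 through R8 run OSPF.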
R1:
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#net 192.168.2.0
R1(config-router)#net 192.168.1.0
R2:
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#net 192.168.2.0
R2(config-router)#router ospf 1
R2(config-router)#net 10.1.6.2 0.0.0.0 a 0
R3:
R3(config)#router eigrp 1
R3(config-router)#no auto-summary
R3(config-router)#net 172.16.0.0
R4:
R4(config)#router eigrp 1
R4(config-router)#no auto-summary
R4(config-router)#net 172.16.0.0
R4(config-router)#router ospf 1
R4(config-router)#net 10.1.5.2 0.0.0.0 a 0
R5:
R5(config)#router ospf 1
R5(config-router)#net 10.1.6.1 0.0.0.0 a 0
R5(config-router)#net 10.1.5.1 0.0.0.0 a 0
R5(config-router)#net 10.1.4.1 0.0.0.0 a 0
R5(config-router)#net 10.1.7.2 0.0.0.0 a 0
R6:
R6(config)#router ospf 1
R6(config-router)#net 10.1.4.2 0.0.0.0 a 0
R6(config-router)#net 10.1.3.1 0.0.0.0 a 1
R7:
R7(config)#router ospf 1
R7(config-router)#net 10.1.3.2 0.0.0.0 a 1
R7(config-router)#net 10.1.1.1 0.0.0.0 a 1
R7(config-router)#net 10.1.2.1 0.0.0.0 a 1
R8:
R8(config)#router ospf 1
R8(config-router)#net 10.1.7.1 0.0.0.0 a 0
R8(config-router)#default-information originate //Configure the OSPF default route on the gateway
2. Configure RIP passive interfaces and unicast updates
R1:
R1(config)#router rip
R1(config-router)#passive-interface default //Set all of the router's interfaces as passive interfaces
R1(config-router)#neighbor 192.168.2.1
R2:
R2(config)#router rip
R2(config-router)#passive-interface default
R2(config-router)#neighbor 192.168.2.2
View the unicast updates:
R2#debug ip rip
RIP protocol debugging is on
R2#
*Mar 1 00:56:02.095: RIP: received v2 update from 192.168.2.2 on FastEthernet0/0
*Mar 1 00:56:02.095: 192.168.1.0/24 via 0.0.0.0 in 1 hops
*Mar 1 00:56:02.523: RIP: sending v2 update to 192.168.2.2 via FastEthernet0/0 (192.168.2.1)
*Mar 1 00:56:02.523: RIP: build update entries
*Mar 1 00:56:02.523: 0.0.0.0/0 via 0.0.0.0, metric 3, tag 0
R1#debug ip rip
RIP protocol debugging is on
R1#
*Mar 1 00:55:26.711: RIP: received v2 update from 192.168.2.1 on FastEthernet0/0
*Mar 1 00:55:26.711: 0.0.0.0/0 via 0.0.0.0 in 3 hops
*Mar 1 00:55:26.739: RIP: sending v2 update to 192.168.2.1 via FastEthernet0/0 (192.168.2.2)
*Mar 1 00:55:26.739: RIP: build update entries
*Mar 1 00:55:26.739: 192.168.1.0/24 via 0.0.0.0, metric 1, tag 0
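3. Perform IGP redistribution
Redistribution must ensure that Companies A and B learn only a single default route from Company C, so a routing policy is configured at redistribution to filter out the unnecessary route entries.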
R2:
R2(config)#ip prefix-list 1 permit 0.0.0.0/0 //Create prefix list 1, permitting only the default route 0.0.0.0/0
R2(config)#route-map sovand permit 10 //Create a route-map named sovand, action permit, sequence 10
R2(config-route-map)#match ip add prefix-list 1 //Match prefix list 1 in the route-map
R2(config)#router rip
R2(config-router)#redistribute ospf 1 metric 3 route-map sovand //Redistribute into RIP with a metric of 3 hops, referencing the route-map
R2(config)#router ospf 1
R2(config-router)#redistribute rip subnets //Redistribute RIP into OSPF; the subnets keyword is required
R4:
R4(config)#ip prefix-list 1 permit 0.0.0.0/0
R4(config)#route-map sovand permit 10
R4(config-route-map)#match ip add prefix-list 1
R4(config)#router eigrp 1
R4(config-router)#redistribute ospf 1 metric 1000 33 255 1 1500 route-map sovand
//Redistribute OSPF into EIGRP with the metric set to 1000 33 255 1 1500, referencing the route-map
R4(config)#router ospf 1
R4(config-router)#redistribute eigrp 1 subnets //Redistribute EIGRP into OSPF
View the routing tables of R1 and R3:
R1#show ip rou rip
R* 0.0.0.0/0 [120/3] via 192.168.2.1, 00:00:26, FastEthernet0/0
R3#show ip rou eigrp
D*EX 0.0.0.0/0 [170/2571008] via 172.16.2.1, 00:25:04, FastEthernet0/0
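The filter above works because a prefix-list entry without ge/le matches only a route with exactly that prefix length. The following Python model of that matching rule is an added example, not part of the original lab; the route list is a constructed sample based on prefixes seen in the lab's show output, and the function names are hypothetical.

```python
import ipaddress

def prefix_list_match(route, entry):
    """Match one route against one permit entry (prefix, ge, le), Cisco-style."""
    prefix, ge, le = entry
    net = ipaddress.ip_network(prefix)
    r = ipaddress.ip_network(route)
    # The route must sit inside the entry's prefix (leading bits equal).
    if not r.subnet_of(net):
        return False
    # No ge/le: the prefix length must be exactly the entry's length.
    if ge is None and le is None:
        return r.prefixlen == net.prefixlen
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else 32
    return lo <= r.prefixlen <= hi

def redistribute(routes, prefix_list):
    """Model of: route-map sovand permit 10 / match ip address prefix-list 1.
    Anything not permitted hits the implicit deny and is not redistributed."""
    return [r for r in routes
            if any(prefix_list_match(r, e) for e in prefix_list)]

# Constructed sample of OSPF routes that R2 could hold (assumption, built
# from prefixes that appear in the lab's show output).
OSPF_ROUTES_R2 = ["0.0.0.0/0", "10.1.0.0/22", "10.1.4.0/24",
                  "10.1.5.0/24", "10.1.7.0/24", "172.16.0.0/22"]

PAGE_LIST = [("0.0.0.0/0", None, None)]   # ip prefix-list 1 permit 0.0.0.0/0
LOOSE_LIST = [("0.0.0.0/0", None, 32)]    # same entry with "le 32": any prefix

if __name__ == "__main__":
    print("page filter :", redistribute(OSPF_ROUTES_R2, PAGE_LIST))
    print("with le 32  :", redistribute(OSPF_ROUTES_R2, LOOSE_LIST))
```

With the entry as written in the lab only the default route reaches RIP and EIGRP; adding le 32 to the same entry would let every OSPF route through.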
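3. Configure OSPF summarization:
R2 and R4 are autonomous system boundary routers (ASBRs) and originate type 5 LSAs, so ASBR summarization is configured on R2 and R4. R6 is an area border router (ABR) and originates type 3 LSAs, so ABR summarization is configured on R6.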
R2(config-router)#summary-address 192.168.0.0 255.255.252.0
R4(config-router)#summary-address 172.16.0.0 255.255.252.0
R6(config-router)#area 0 range 10.1.0.0 255.255.248.0
R6(config-router)#area 1 range 10.1.0.0 255.255.252.0
View the routing tables after summarization:
R7#show ip rou os
172.16.0.0/22 is subnetted, 1 subnets
O E2 172.16.0.0 [110/20] via 10.1.3.1, 00:29:45, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA 10.1.0.0/21 [110/2] via 10.1.3.1, 00:30:00, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.1.3.1, 00:29:45, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.1.3.1, 00:29:45, FastEthernet0/0
R8#show ip rou os
172.16.0.0/22 is subnetted, 1 subnets
O E2 172.16.0.0 [110/20] via 10.1.7.2, 00:35:25, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O IA 10.1.0.0/22 [110/3] via 10.1.7.2, 00:35:25, FastEthernet0/0
O 10.1.6.0/24 [110/2] via 10.1.7.2, 00:35:25, FastEthernet0/0
O 10.1.5.0/24 [110/2] via 10.1.7.2, 00:35:25, FastEthernet0/0
O 10.1.4.0/24 [110/2] via 10.1.7.2, 00:35:25, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.1.7.2, 00:35:25, FastEthernet0/0
View the OSPF database:
R6#show ip os database
OSPF Router with ID (10.1.4.2) (Process ID 1)
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.0.0 10.1.4.2 442 0x80000002 0x0069B8
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
10.1.0.0 10.1.4.2 443 0x80000002 0x0055D0
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
0.0.0.0 202.1.1.1 402 0x80000002 0x0003E0 1
172.16.0.0 172.16.2.1 676 0x80000002 0x00AA7B 0
192.168.0.0 192.168.2.1 504 0x80000002 0x0005C7 0
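A summary is only safe when it covers every component prefix and the extra address space it claims is understood. This added Python check (not part of the original lab) audits three of the configured summaries against the /24 networks visible on the page; the component lists are assumptions drawn from the network statements and show output, and the function names are hypothetical.

```python
import ipaddress

def tightest_summary(prefixes):
    """Smallest single network that contains every prefix in the list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand

def audit(addr, mask, prefixes):
    """Compare a configured summary (address + mask, as typed in IOS)
    with the component /24 networks it is meant to hide."""
    summary = ipaddress.ip_network(f"{addr}/{mask}")
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return {
        "configured": str(summary),
        "tightest": str(tightest_summary(prefixes)),
        # Components the summary fails to cover (would stay unsummarized).
        "uncovered": [str(n) for n in nets if not n.subnet_of(summary)],
        # /24 blocks the summary advertises although no component uses them.
        "extra_24s": [str(s) for s in summary.subnets(new_prefix=24)
                      if s not in nets],
    }

# Component networks assumed from the page (all taken as /24).
RIP_NETS = ["192.168.1.0/24", "192.168.2.0/24"]
AREA1_NETS = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
AREA0_NETS = ["10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24"]

def run_audit():
    return {
        "R2 summary-address": audit("192.168.0.0", "255.255.252.0", RIP_NETS),
        "R6 area 1 range": audit("10.1.0.0", "255.255.252.0", AREA1_NETS),
        "R6 area 0 range": audit("10.1.0.0", "255.255.248.0", AREA0_NETS),
    }

if __name__ == "__main__":
    for name, result in run_audit().items():
        print(name, result)
```

The area 0 range 10.1.0.0/21 is wider than the tightest fit 10.1.4.0/22 and also spans area 1's own 10.1.1.0 to 10.1.3.0 networks; inside area 1 the more specific intra-area routes still win by longest match.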
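4. Enable PAT on gateway R8 and configure backup
First create two standard access control lists: list 1 permits Company C's segments and list 2 permits the segments of Companies A and B.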
R8(config)#access-list 1 permit 10.1.0.0 0.0.255.255
R8(config)#access-list 2 permit 172.16.0.0 0.0.255.255
R8(config)#access-list 2 permit 192.168.0.0 0.0.255.255
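Configure the backup routing policy for the S1/0 exit:
R8(config)#route-map sovand permit 1 //Create a route-map named sovand
R8(config-route-map)#match int s1/0 //Match the egress interface s1/0
R8(config)#route-map sovand2 permit 1 //Create a route-map named sovand2
R8(config-route-map)#match int s1/1 //Match the egress interface s1/1
Configure the backup routing policy for the S1/1 exit: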
R8(config)#route-map cisco permit 1
R8(config-route-map)#match int s1/0
R8(config)#route-map cisco2 permit 1
R8(config-route-map)#match int s1/1
Configure address overloading on the egress interfaces, referencing the route-maps:
R8(config)#ip nat inside source route-map sovand int s1/0 overload
R8(config)#ip nat inside source route-map sovand2 int s1/1 overload
R8(config)#ip nat inside source route-map cisco int s1/0 overload
R8(config)#ip nat inside source route-map cisco2 int s1/1 overload
Configure the default routes:
R8(config)#ip route 0.0.0.0 0.0.0.0 s1/0
R8(config)#ip route 0.0.0.0 0.0.0.0 s1/1
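Configure the path-selection route-map:
R8(config)#route-map pbr permit 10 //Create a route-map named pbr with sequence 10
R8(config-route-map)#match ip address 1 //Match access control list 1
R8(config-route-map)#set int s1/0 //Set the outgoing interface to s1/0
R8(config)#route-map pbr permit 30 //Add a sequence 30 entry to the route-map named pbr
R8(config-route-map)#match ip address 2 //Match access control list 2
R8(config-route-map)#set int s1/1 //Set the outgoing interface to s1/1
Configure NAT and PBR on the ingress interface to select the egress: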
R8(config)#int f0/0
R8(config-if)#ip nat inside
R8(config-if)#ip policy route-map pbr //Apply the route-map named pbr for policy-based routing
Configure NAT on the egress interfaces:
R8(config)#int s1/0
R8(config-if)#ip nat outside
R8(config)#int s1/1
R8(config-if)#ip nat outside
View the ACLs:
R8#show ip access-lists
Standard IP access list 1
10 permit 10.1.0.0, wildcard bits 0.0.255.255 (456 matches)
Standard IP access list 2
10 permit 172.16.0.0, wildcard bits 0.0.255.255 (11 matches)
20 permit 192.168.0.0, wildcard bits 0.0.255.255 (11 matches)
View the route-maps:
R8#show route-map
route-map sovand, permit, sequence 1
Match clauses:
interface Serial1/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map sovand2, permit, sequence 1
Match clauses:
interface Serial1/1
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map cisco, permit, sequence 2
Match clauses:
interface Serial1/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map cisco2, permit, sequence 2
Match clauses:
interface Serial1/1
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map pbr, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
interface Serial1/0
Policy routing matches: 8 packets, 696 bytes
route-map pbr, permit, sequence 30
Match clauses:
ip address (access-lists): 2
Set clauses:
interface Serial1/1
Policy routing matches: 16 packets, 1392 bytes
View NAT:
R8#show ip nat st
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Serial1/0, Serial1/1
Inside interfaces:
FastEthernet0/0
Hits: 34 Misses: 12
CEF Translated packets: 39, CEF Punted packets: 14
Expired translations: 12
Dynamic mappings:
-- Inside Source
[Id: 1] route-map cisco interface Serial1/0 refcount 0
[Id: 2] route-map cisco2 interface Serial1/1 refcount 0
[Id: 3] route-map sovand interface Serial1/0 refcount 0
[Id: 4] route-map sovand2 interface Serial1/1 refcount 0
Queued Packets: 0
View PBR:
R8#show ip policy
Interface Route map
Fa0/0 pbr
Verify the result:
R8#show ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 200.1.1.1:0 10.1.3.2:0 210.1.1.1:0 210.1.1.1:0
icmp 202.1.1.1:1 172.16.2.2:0 210.1.1.1:0 210.1.1.1:1
icmp 202.1.1.1:0 192.168.2.2:0 210.1.1.1:0 210.1.1.1:0
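The 172.16.0.0 segment (Company B) and the 192.168.0.0 segment (Company A) are translated to 202.1.1.1 and leave through s1/1, that is, they use the Netcom line. The 10.1.0.0 segment (Company C) is translated to 200.1.1.1 and leaves through s1/0, that is, it uses the Telecom line.
Now shut down interface s1/0 (simulating a failure of the Telecom line) and observe the result: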
R8#show ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 202.1.1.1:0 10.1.3.2:0 210.1.1.1:0 210.1.1.1:0
icmp 202.1.1.1:1 172.16.2.2:0 210.1.1.1:0 210.1.1.1:1
icmp 202.1.1.1:0 192.168.2.2:0 210.1.1.1:0 210.1.1.1:0
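All segments now leave through s1/1, the Netcom line, which meets the backup requirement.
Bring s1/0 back up, then shut down s1/1 (simulating a failure of the Netcom line) and observe the result: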
R8#show ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 200.1.1.1:0 10.1.3.2:0 210.1.1.1:0 210.1.1.1:0
icmp 200.1.1.1:1 172.16.2.2:0 210.1.1.1:0 210.1.1.1:1
icmp 200.1.1.1:0 192.168.2.2:0 210.1.1.1:0 210.1.1.1:0
Now all segments leave through s1/0, the Telecom line.
The lab is successful!
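The three translation tables above follow from how PBR and the per-interface NAT route-maps interact: when the interface named by set interface is down, the packet falls back to the remaining default route and is translated to that interface's address. A simplified Python model of that decision, added here as an example (not the lab's own code); the function names and the model of IOS behaviour are assumptions.

```python
import ipaddress

# ACLs 1 and 2 from the lab as (address, wildcard mask) pairs.
ACLS = {1: [("10.1.0.0", "0.0.255.255")],
        2: [("172.16.0.0", "0.0.255.255"), ("192.168.0.0", "0.0.255.255")]}
# route-map pbr: (sequence, matched ACL, set interface).
PBR = [(10, 1, "s1/0"), (30, 2, "s1/1")]
# The two static default routes, in configuration order.
DEFAULT_ROUTES = ["s1/0", "s1/1"]
# Inside global address per egress, as shown in the NAT tables.
NAT_ADDR = {"s1/0": "200.1.1.1", "s1/1": "202.1.1.1"}

def acl_permits(acl, src):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    s = int(ipaddress.ip_address(src))
    for addr, wildcard in ACLS[acl]:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.ip_address(addr)) & care):
            return True
    return False  # implicit deny

def egress(src, up):
    """Return (interface, inside global) for a packet from src.
    'up' is the set of egress interfaces currently up."""
    for _seq, acl, ifname in PBR:
        if acl_permits(acl, src):
            if ifname in up:
                return ifname, NAT_ADDR[ifname]
            break  # set interface is down: use the routing table instead
    # Simplification: take the first default route whose interface is up.
    for ifname in DEFAULT_ROUTES:
        if ifname in up:
            return ifname, NAT_ADDR[ifname]
    return None, None

def table(up):
    """Egress decision for the three inside hosts seen in the lab."""
    hosts = ["10.1.3.2", "172.16.2.2", "192.168.2.2"]
    return {h: egress(h, up) for h in hosts}

if __name__ == "__main__":
    for state in ({"s1/0", "s1/1"}, {"s1/1"}, {"s1/0"}):
        print(sorted(state), table(state))
```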