CCNP Comprehensive Lab
Lab topology: (the diagram is not included in this page; the addressing can be reconstructed from the configurations below)
Lab requirements:
1. R3 and R4 perform NAT. R3's E0/1 and R4's E0/0 are the exit (NAT outside) interfaces.
2. R3, R4, R5 and R8 run OSPF; R3, R4, R5 and R7 are connected by Frame Relay, with R7 acting as the Frame Relay switch (R7 runs no routing protocol, as its configuration below shows).
3. Traffic from 8.8.8.8 to 1.1.1.1 leaves through R3 and is translated to the public address 3.3.3.3.
Traffic from 8.8.8.9 to 1.1.1.1 leaves through R4 and is translated to the public address 4.4.4.4.
Traffic from 192.168.8.1 to 1.1.1.1 may leave through either R3 or R4.
4. Traffic from R8 to 1.1.1.1 larger than 1000 bytes goes out via R4; traffic smaller than 1000 bytes goes out via R3. (Size wins over requirement 3: an 8.8.8.8 packet over 1000 bytes leaves through R4 and is PAT-translated there, as the tests below show.)
5. Area authentication is configured inside OSPF.
Complete configuration for this lab:
R1# show run
hostname R1
no ip domain lookup
!
!
ip cef
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.12.1 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 192.168.16.1 255.255.255.0
half-duplex
router bgp 100
no synchronization // Disable BGP synchronization (the rule that an iBGP-learned route must also be present in the IGP before it is used or advertised). The rule exists to avoid black-holing traffic through routers that run the IGP but not BGP; it is safe to disable here because every transit router runs BGP.
bgp router-id 1.1.1.1
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
neighbor 192.168.12.2 remote-as 200
neighbor 192.168.16.6 remote-as 400
maximum-paths 2 // Install up to two BGP paths for load sharing (range 1 to 6 on this IOS). Multipath only applies to paths that tie on weight, local preference, AS-path length, origin and MED, so the AS-path prepending done on R3 and R4 below deliberately prevents it for 3.3.3.0/24 and 4.4.4.0/24.
no auto-summary
R2:
R2#show run
hostname R2
no ip domain lookup
ip cef
interface Ethernet0/0
ip address 192.168.12.2 255.255.255.0
half-duplex
interface Ethernet0/1
ip address 192.168.23.2 255.255.255.0
half-duplex
router bgp 200
no synchronization
bgp router-id 2.2.2.2
bgp log-neighbor-changes
network 192.168.12.0
network 192.168.23.0
neighbor 192.168.12.1 remote-as 100
neighbor 192.168.23.3 remote-as 300
no auto-summary
R3:
R3#show run
hostname R3
!
no ip domain lookup
ip cef
interface Loopback0
ip address 3.3.3.3 255.255.255.0
ip virtual-reassembly
interface Ethernet0/1
ip address 192.168.23.3 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
interface Serial1/0
ip address 192.168.1.3 255.255.255.0
ip nat inside
ip virtual-reassembly
encapsulation frame-relay
ip ospf message-digest-key 1 md5 cisco // Interface key for area authentication: key ID 1, MD5 keyed digest. This gives authentication and integrity only; OSPF packets are not encrypted. The key ID and key must match on every router on the segment. The key is stored in clear text in the running configuration, and "cisco" is a dictionary word; in production use a long random key and, on IOS releases that support it, an HMAC-SHA key chain (RFC 5709).
ip ospf network broadcast // On this NBMA (Frame Relay) network the OSPF network type is set to broadcast, so a DR/BDR is elected and no neighbor statements are needed. The type must match on R3, R4 and R5, and the frame-relay maps must carry the broadcast keyword so the multicast Hellos are replicated over each PVC.
serial restart-delay 0
frame-relay map ip 192.168.1.4 304 broadcast // Static mapping of the next-hop IP address to DLCI 304; the broadcast keyword forwards broadcast and multicast traffic (OSPF Hellos) over this PVC
frame-relay map ip 192.168.1.5 305 broadcast
no frame-relay inverse-arp // Disable Inverse ARP so that only the static maps above are used
router ospf 1
log-adjacency-changes
area 0 authentication message-digest // Enable MD5 (message-digest) authentication on every interface in area 0; the per-interface message-digest-key supplies the secret. This is a keyed hash, not encryption.
network 3.3.3.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
default-information originate // Advertise a default route into OSPF as an ASBR. Without the always keyword the router only originates the default while it has one in its own routing table (for example a manually configured static default route). R3's configuration contains no default route, so in this lab the default seen by R5 and R8 comes only from R4, which uses always.
router bgp 300
no synchronization
bgp router-id 3.3.3.3
bgp log-neighbor-changes
network 3.3.3.0 mask 255.255.255.0 // BGP discovers neither neighbors nor routes automatically: each neighbor is configured explicitly, and a network statement only advertises a prefix that exists in the routing table with exactly this mask.
network 192.168.1.0
network 192.168.23.0
redistribute ospf 1
neighbor 192.168.1.4 remote-as 300
neighbor 192.168.1.4 next-hop-self // For iBGP peers the next hop of an eBGP-learned route is passed on unchanged by default; next-hop-self rewrites it to this router's own address so R4 does not need a route to R2's link address. BGP counts autonomous systems rather than routers as hops, which is why it is called a path-vector protocol, unlike a distance-vector protocol such as RIP.
neighbor 192.168.23.2 remote-as 200
neighbor 192.168.23.2 route-map 3 out // Apply route-map 3 to updates sent to R2, modifying or filtering the attributes of the advertised routes.
no auto-summary
ip nat inside source route-map map interface Ethernet0/1 overload // PAT (overload) to the address of the outside interface for inside sources permitted by route-map map. The route-map is used here as the NAT match condition; this is not policy routing.
ip nat inside source static 8.8.8.8 3.3.3.3 // Static one-to-one NAT: 8.8.8.8 always appears as 3.3.3.3 outside, and traffic arriving on the outside interface for 3.3.3.3 is translated back to 8.8.8.8.
access-list 1 permit 8.8.8.9
access-list 1 permit 192.168.8.1
access-list 3 permit 4.4.4.0 0.0.0.255
route-map 3 permit 10
match ip address 3
set as-path prepend 1000 1001 // Prepend two AS numbers to the AS_PATH of the routes matched by ACL 3 (4.4.4.0/24 and the redistributed 4.4.4.4/32) before they are advertised to R2, so that this path is longer and therefore less preferred on R1. This is route policy applied by a route-map, not PBR. In a real network prepend your own AS number (300) rather than someone else's: AS_PATH is also used for loop detection, so a router in AS 1000 or AS 1001 would discard this route, and the path would no longer reflect which ASes it actually traversed.
route-map 3 permit 20
route-map map permit 10
match ip address 1
R4:
hostname R4
no ip domain lookup
ip cef
interface Loopback0
ip address 4.4.4.4 255.255.255.0
ip virtual-reassembly
interface Ethernet0/0
ip address 192.168.46.4 255.255.255.0
ip nat outside
ip virtual-reassembly
interface Serial1/0
ip address 192.168.1.4 255.255.255.0
ip nat inside
ip virtual-reassembly
encapsulation frame-relay
ip ospf message-digest-key 1 md5 cisco
ip ospf network broadcast
serial restart-delay 0
frame-relay map ip 192.168.1.3 403 broadcast
frame-relay map ip 192.168.1.5 405 broadcast
no frame-relay inverse-arp
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
redistribute bgp 300 subnets
network 4.4.4.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
default-information originate always // Originate a default route into the OSPF domain unconditionally, without needing a default route in the local routing table. R5 and R8 then see, for example:
O*E2 0.0.0.0/0 [110/1] via 192.168.1.4, 06:16:55, Serial1/0
router bgp 300
no synchronization
bgp router-id 4.4.4.4
bgp log-neighbor-changes
network 4.4.4.0 mask 255.255.255.0
network 192.168.1.0
network 192.168.46.0
redistribute ospf 1
neighbor 192.168.1.3 remote-as 300
neighbor 192.168.1.3 next-hop-self
neighbor 192.168.46.6 remote-as 400
neighbor 192.168.46.6 route-map 3 out
no auto-summary
ip nat inside source route-map map interface Ethernet0/0 overload
ip nat inside source static 8.8.8.9 4.4.4.4
access-list 1 permit 8.8.8.8
access-list 1 permit 192.168.8.1
access-list 3 permit 3.3.3.0 0.0.0.255
route-map 3 permit 10
match ip address 3
set as-path prepend 1000 1001
route-map 3 permit 20
route-map map permit 10
match ip address 1
R5:
R5#show run
hostname R5
no ip domain lookup
ip cef
interface Ethernet0/0
ip address 192.168.5.1 255.255.255.0
ip ospf message-digest-key 1 md5 cisco
ip policy route-map car // Apply PBR to traffic arriving from R8. PBR is applied on the inbound interface; for traffic generated by the router itself the global command ip local policy route-map is used instead.
half-duplex
!
interface Serial1/0
ip address 192.168.1.5 255.255.255.0
encapsulation frame-relay
ip ospf message-digest-key 1 md5 cisco
ip ospf network broadcast
serial restart-delay 0
frame-relay map ip 192.168.1.3 503 broadcast
frame-relay map ip 192.168.1.4 504 broadcast
no frame-relay inverse-arp
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network 192.168.1.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
ip ospf name-lookup
access-list 101 permit ip host 8.8.8.8 host 1.1.1.1
access-list 101 permit ip host 8.8.8.9 host 1.1.1.1
access-list 101 permit ip 192.168.8.0 0.0.0.255 host 1.1.1.1
route-map car permit 10
match ip address 101
match length 0 1000 // Match on the IP datagram length in bytes (minimum maximum); this is the size that ping size sets on IOS. Sequence 10 sends packets of up to 1000 bytes to R3; a packet of exactly 1000 bytes matches here first.
set ip next-hop 192.168.1.3
route-map car permit 20
match ip address 101
match length 1000 1500 // Packets of 1000 to 1500 bytes go to R4. Larger datagrams match neither sequence and, like everything not permitted by ACL 101, fall through to sequence 30 and normal routing.
set ip next-hop 192.168.1.4
route-map car permit 30 // Empty permit: all remaining traffic is forwarded according to the routing table
R6:
R6#show run
hostname R6
no ip domain lookup
ip cef
interface Ethernet0/0
ip address 192.168.46.6 255.255.255.0
half-duplex
interface Ethernet0/1
ip address 192.168.16.6 255.255.255.0
half-duplex
router bgp 400
no synchronization
bgp router-id 6.6.6.6
bgp log-neighbor-changes
network 192.168.16.0
network 192.168.46.0
neighbor 192.168.16.1 remote-as 100
neighbor 192.168.46.4 remote-as 300
no auto-summary
R7(FR):
FR#show run
hostname FR
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
frame-relay switching
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
clockrate 64000
no frame-relay inverse-arp
frame-relay intf-type dce
frame-relay route 304 interface Serial0/1 403 // PVC switching entry: frames arriving on S0/0 with DLCI 304 are switched out S0/1 as DLCI 403
frame-relay route 305 interface Serial0/2 503
!
interface Serial0/1
no ip address
encapsulation frame-relay
serial restart-delay 0
clockrate 64000
frame-relay intf-type dce
frame-relay route 403 interface Serial0/0 304
frame-relay route 405 interface Serial0/2 504
!
interface Serial0/2
no ip address
encapsulation frame-relay
serial restart-delay 0
clockrate 64000
frame-relay intf-type dce
frame-relay lmi-type cisco // LMI (Local Management Interface) type. It must match between the switch interface and the attached router; the Cisco default is cisco. The three types are ansi, cisco and q933a.
frame-relay route 503 interface Serial0/0 305
frame-relay route 504 interface Serial0/1 405
R8:
R8#show run
hostname R8
no ip domain lookup
ip cef
interface Loopback0
ip address 8.8.8.9 255.255.255.0 secondary
ip address 192.168.8.1 255.255.255.0 secondary
ip address 8.8.8.8 255.255.255.0
interface Ethernet0/0
ip address 192.168.5.8 255.255.255.0
ip ospf message-digest-key 1 md5 cisco
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network 8.8.8.0 0.0.0.255 area 0
network 192.168.8.0 0.0.0.255 area 0
network 0.0.0.0 255.255.255.255 area 0 // Matches every interface, so the two network statements above are redundant
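The area authentication configured on R3, R4, R5 and R8 above is RFC 2328 Appendix D cryptographic authentication: the sender appends the 16-byte key to the OSPF packet, takes an MD5 digest, and sends the digest after the packet; the receiver repeats the calculation with its own copy of the key. The following Python is an added example, not code from the lab or from Cisco. It builds a constructed OSPF Hello, signs and verifies it the way `ip ospf message-digest-key 1 md5 cisco` does, and shows the two properties a practitioner should keep in mind: the only replay protection is the cryptographic sequence number, and because the digest is a plain MD5 over public packet bytes plus the key, one captured packet is enough to test candidate keys offline. Field values (router ID 3.3.3.3, area 0, hello/dead timers) are assumptions for the example.

```python
"""OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.

Added example, not part of the original lab. It builds a minimal OSPF Hello
with AuType 2, computes and verifies the keyed digest that
`ip ospf message-digest-key 1 md5 <key>` produces, and then shows why a
dictionary key such as "cisco" can be recovered offline from a single
captured packet. The packet bytes are constructed here, not captured from
the lab routers.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_CRYPTO = 2          # AuType 2 = cryptographic authentication
KEY_LEN = 16             # D.3: the key is always used as 16 bytes


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def pad_key(key: bytes) -> bytes:
    """Keys shorter than 16 bytes are zero-padded on the right (D.3)."""
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int) -> bytes:
    """24-byte OSPF header + 20-byte Hello body with no neighbours listed.

    Under cryptographic authentication the 16-bit checksum field is zero and
    the 64-bit authentication field carries 0x0000, the key ID, the digest
    length (16) and a 32-bit cryptographic sequence number (D.3).
    """
    body = struct.pack(
        "!4sHBBIII",
        ip4("255.255.255.0"),  # network mask of the interface (assumed)
        10,                    # HelloInterval
        0x02,                  # Options: E-bit (external routes allowed)
        1,                     # router priority
        40,                    # RouterDeadInterval
        0, 0,                  # DR and BDR not yet elected
    )
    header = struct.pack(
        "!BBH4s4sHH",
        OSPF_VERSION, OSPF_HELLO, 24 + len(body),
        ip4(router_id), ip4(area_id),
        0,                     # checksum is not used with AuType 2
        AUTH_CRYPTO,
    )
    auth_field = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    return header + auth_field + body


def sign(packet: bytes, key: bytes) -> bytes:
    """D.4.3: digest = MD5(packet || key). The digest is appended after the
    packet and is not counted in the OSPF length field."""
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def split_frame(frame: bytes):
    length = struct.unpack("!H", frame[2:4])[0]
    return frame[:length], frame[length:length + KEY_LEN]


def verify(frame: bytes, key: bytes, last_seq: int) -> bool:
    """D.4.4: recompute the digest with our copy of the key and compare. The
    sequence number must not go backwards; that is the only replay
    protection, so a captured packet can be replayed while its sequence
    number is still current."""
    packet, received = split_frame(frame)
    if len(packet) < 24 or len(received) != KEY_LEN:
        return False
    if struct.unpack("!H", packet[14:16])[0] != AUTH_CRYPTO:
        return False
    seq = struct.unpack("!I", packet[20:24])[0]
    if seq < last_seq:
        return False
    expected = hashlib.md5(packet + pad_key(key)).digest()
    return hmac.compare_digest(expected, received)


def recover_key(frame: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: one captured Hello lets anyone test
    candidate keys without sending a packet, which is why key strength
    matters even though the key itself never crosses the wire."""
    packet, received = split_frame(frame)
    for candidate in wordlist:
        if hashlib.md5(packet + pad_key(candidate)).digest() == received:
            return candidate
    return None


if __name__ == "__main__":
    hello = build_hello("3.3.3.3", "0.0.0.0", key_id=1, seq=100)
    frame = sign(hello, b"cisco")
    print("valid with right key :", verify(frame, b"cisco", last_seq=0))
    print("valid with wrong key :", verify(frame, b"secret", last_seq=0))
    print("replay of older seq  :", verify(frame, b"cisco", last_seq=101))
    print("key recovered        :", recover_key(frame, [b"admin", b"secret", b"cisco"]))
```

The digest covers the whole packet, so changing any Hello field (timers, priority, the router ID) without the key fails verification; what it does not provide is confidentiality, and a weak key turns a single captured packet into an offline cracking job.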
Once the configuration is in place we can test whether it meets the requirements. There are four things to test:
1. End-to-end reachability
2. NAT
3. Traffic steering (PBR)
4. The BGP attribute change (AS_PATH prepending through a route-map)
Problems that appear without the BGP optimisation:
R1 may learn 3.3.3.3 and 4.4.4.4 (the loopbacks of R3 and R4) from either 192.168.12.2 or 192.168.16.6. That is bad news for addresses used as static NAT targets: when you try to satisfy the requirements above, one side always fails to ping 1.1.1.1 even though the traffic steering policy is honored, because the outbound and return paths differ, and this design cannot tolerate that for NAT. Translation state exists only on the router that created it. Traffic from 8.8.8.8 leaves R3 translated to 3.3.3.3, so the reply to 3.3.3.3 must come back through R3's outside interface; if R1 sends it via R6 to R4 instead, R4 has no mapping between 3.3.3.3 and the inside address, the reply is never translated back to 8.8.8.8, and the ping fails. The fix is BGP path control that pins the outbound and return paths to the same NAT router: for 3.3.3.3, R1 must always prefer R2 as the next hop. Here this is done by manipulating the AS_PATH attribute of the relevant routes on R3 and R4 to steer R1's best-path selection.
End-to-end reachability:
R8#ping 1.1.1.1 source 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 224/327/516 ms
Clearly reachable.
NAT test:
R8#ping 192.168.12.1 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 404/520/680 ms
R3#
*Mar 1 06:42:59.650: NAT: s=8.8.8.8->3.3.3.3, d=192.168.12.1 [669]
*Mar 1 06:42:59.826: NAT: s=192.168.12.1, d=3.3.3.3->8.8.8.8 [669]
*Mar 1 06:42:59.882: NAT: s=8.8.8.8->3.3.3.3, d=192.168.12.1 [670]
*Mar 1 06:43:00.174: NAT: s=192.168.12.1, d=3.3.3.3->8.8.8.8 [670]
*Mar 1 06:43:00.290: NAT: s=8.8.8.8->3.3.3.3, d=192.168.12.1 [671]
*Mar 1 06:43:00.526: NAT: s=192.168.12.1, d=3.3.3.3->8.8.8.8 [671]
R3#
*Mar 1 06:44:00.690: NAT: expiring 3.3.3.3 (8.8.8.8) icmp 138 (138)
R8#ping 192.168.46.6 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.46.6, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/215/380 ms
R8#
R4#
*Mar 1 06:50:59.902: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [687]
*Mar 1 06:51:00.026: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [687]
*Mar 1 06:51:00.238: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [688]
*Mar 1 06:51:00.246: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [688]
*Mar 1 06:51:00.366: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [689]
*Mar 1 06:51:00.514: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [689]
*Mar 1 06:51:00.518: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [690]
*Mar 1 06:51:00.582: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [690]
*Mar 1 06:51:00.902: NAT*: s=8.8.8.8->192.168.46.4, d=192.168.46.6 [691]
R4#
*Mar 1 06:51:00.938: NAT*: s=192.168.46.6, d=192.168.46.4->8.8.8.8 [691]
R4#
Translation successful. Note the difference between the two debug outputs: on R3, 8.8.8.8 is translated to 3.3.3.3 by the static entry; on R4, which has no static entry for 8.8.8.8, it is PAT-translated to the outside interface address 192.168.46.4 by the overload rule.
Traffic steering test:
When traffic from R8 to the public address 1.1.1.1 is larger than 1000 bytes, the next hop is R4:
R8#ping 1.1.1.1 size 1001 source 8.8.8.8
Type escape sequence to abort.
Sending 5, 1001-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/297/336 ms
R4#
*Mar 1 06:48:11.386: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [677]
*Mar 1 06:48:11.550: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [677]
*Mar 1 06:48:11.686: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [678]
*Mar 1 06:48:11.854: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [678]
*Mar 1 06:48:11.886: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [679]
*Mar 1 06:48:12.018: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [679]
*Mar 1 06:48:12.198: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [680]
*Mar 1 06:48:12.206: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [680]
R4#
*Mar 1 06:48:12.574: NAT*: s=8.8.8.8->192.168.46.4, d=1.1.1.1 [681]
*Mar 1 06:48:12.678: NAT*: s=1.1.1.1, d=192.168.46.4->8.8.8.8 [681]
R8#ping 1.1.1.1 size 1001 source 8.8.8.9
Type escape sequence to abort.
Sending 5, 1001-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/222/312 ms
R4#
*Mar 1 06:49:43.506: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [682]
*Mar 1 06:49:43.750: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [682]
*Mar 1 06:49:43.874: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [683]
*Mar 1 06:49:43.930: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [683]
*Mar 1 06:49:44.002: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [684]
*Mar 1 06:49:44.106: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [684]
*Mar 1 06:49:44.202: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [685]
*Mar 1 06:49:44.330: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [685]
*Mar 1 06:49:44.414: NAT*: s=8.8.8.9->4.4.4.4, d=1.1.1.1 [686]
*Mar 1 06:49:44.454: NAT*: s=1.1.1.1, d=4.4.4.4->8.8.8.9 [686]
R4#
When the packets are smaller than 1000 bytes, R8's traffic is sent to R3 as the next hop instead:
R8#ping 1.1.1.1 size 800 source 8.8.8.8
Type escape sequence to abort.
Sending 5, 800-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/332/468 ms
R8#
R8#ping 1.1.1.1 size 800 source 8.8.8.9
Type escape sequence to abort.
Sending 5, 800-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/273/492 ms
R8#
R3#
*Mar 1 06:54:00.522: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [692]
*Mar 1 06:54:00.734: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [692]
*Mar 1 06:54:00.958: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [693]
*Mar 1 06:54:01.118: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [693]
*Mar 1 06:54:01.158: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [694]
*Mar 1 06:54:01.226: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [694]
*Mar 1 06:54:01.350: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [695]
R3#
*Mar 1 06:54:01.598: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [695]
*Mar 1 06:54:01.746: NAT*: s=8.8.8.8->3.3.3.3, d=1.1.1.1 [696]
*Mar 1 06:54:01.886: NAT*: s=1.1.1.1, d=3.3.3.3->8.8.8.8 [696]
R3#
*Mar 1 06:54:09.982: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [697]
*Mar 1 06:54:10.238: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [697]
*Mar 1 06:54:10.514: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [698]
*Mar 1 06:54:10.638: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [698]
*Mar 1 06:54:10.734: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [699]
*Mar 1 06:54:10.834: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [699]
*Mar 1 06:54:10.874: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [700]
R3#
*Mar 1 06:54:11.050: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [700]
*Mar 1 06:54:11.078: NAT*: s=8.8.8.9->192.168.23.3, d=1.1.1.1 [701]
*Mar 1 06:54:11.198: NAT*: s=1.1.1.1, d=192.168.23.3->8.8.8.9 [701]
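The steering and NAT results in the debug output above, and the asymmetric return-path problem described before the tests, can be predicted from R5's route-map `car` and the NAT rules on R3 and R4. The following Python is an added example, not lab code: it encodes those rules as written in the configurations (addresses, ACLs and router names are the lab's; the packets are constructed tuples, not captures) and returns, for a given source, destination and datagram size, which exit router handles the packet and what source address appears on the outside, plus whether a reply reaches the router that holds the translation.

```python
"""Which exit router and which translated address a packet from R8 gets.

Added example, not part of the original lab. It encodes R5's route-map
`car` (match length tests the IP datagram length, the number `ping size`
sets on IOS) and the inside-source NAT rules on R3 and R4, so the
`debug ip nat` lines in the tests can be predicted for any (source,
destination, size), including the 1000-byte boundary and the asymmetric
return-path failure described in the text. Inputs are constructed tuples,
not captures; routers are identified by their lab names.
"""
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# R5: access-list 101 and route-map car (sequence 30 is an empty permit)
ACL_101_SOURCES = (ip_network("8.8.8.8/32"), ip_network("8.8.8.9/32"),
                   ip_network("192.168.8.0/24"))
ACL_101_DEST = ip_address("1.1.1.1")
ROUTE_MAP_CAR = (                      # (min length, max length, next hop)
    (0, 1000, "192.168.1.3"),          # sequence 10 -> R3
    (1000, 1500, "192.168.1.4"),       # sequence 20 -> R4
)
NEXT_HOP_ROUTER = {"192.168.1.3": "R3", "192.168.1.4": "R4"}

# R3 and R4: static inside-source entries, the PAT (overload) sources from
# access-list 1, and the outside interface address used for overload.
NAT = {
    "R3": {"static": {"8.8.8.8": "3.3.3.3"}, "pat": {"8.8.8.9", "192.168.8.1"},
           "outside_if": "192.168.23.3"},
    "R4": {"static": {"8.8.8.9": "4.4.4.4"}, "pat": {"8.8.8.8", "192.168.8.1"},
           "outside_if": "192.168.46.4"},
}

# R1's eBGP next hops and the NAT router that sits behind each of them.
ROUTER_BEHIND_R1_NEXT_HOP = {"192.168.12.2": "R3", "192.168.16.6": "R4"}


def matches_acl_101(src: str, dst: str) -> bool:
    s = ip_address(src)
    return ip_address(dst) == ACL_101_DEST and any(s in n for n in ACL_101_SOURCES)


def r5_policy_next_hop(src: str, dst: str, length: int) -> Optional[str]:
    """First matching sequence wins, so a 1000-byte packet goes to R3 via
    sequence 10. Datagrams over 1500 bytes, or any destination other than
    1.1.1.1, match nothing and fall through to normal routing (None)."""
    if not matches_acl_101(src, dst):
        return None
    for lo, hi, next_hop in ROUTE_MAP_CAR:
        if lo <= length <= hi:
            return next_hop
    return None


def translate_source(router: str, src: str) -> str:
    """Static entries win over the dynamic overload rule; a source matched by
    neither leaves untranslated."""
    rules = NAT[router]
    if src in rules["static"]:
        return rules["static"][src]
    if src in rules["pat"]:
        return rules["outside_if"]
    return src


def egress(src: str, dst: str, length: int) -> Optional[Tuple[str, str]]:
    """(exit router, source address seen on the outside) for a policy-routed
    packet, or None when R5 leaves the packet to the routing table."""
    next_hop = r5_policy_next_hop(src, dst, length)
    if next_hop is None:
        return None
    router = NEXT_HOP_ROUTER[next_hop]
    return router, translate_source(router, src)


def reply_reaches_translation(translated_src: str, r1_next_hop: str) -> bool:
    """A reply to translated_src is only mapped back if R1 forwards it to the
    router that holds the translation, i.e. the one whose static entry or
    outside interface produced that address. This is the asymmetric-routing
    failure that the AS_PATH prepend fixes."""
    rules = NAT[ROUTER_BEHIND_R1_NEXT_HOP[r1_next_hop]]
    return translated_src in rules["static"].values() or translated_src == rules["outside_if"]


if __name__ == "__main__":
    for src, size in (("8.8.8.8", 1001), ("8.8.8.9", 1001), ("8.8.8.8", 800),
                      ("8.8.8.9", 800), ("192.168.8.1", 1000)):
        print(f"{src:<12} {size:>5} bytes -> {egress(src, '1.1.1.1', size)}")
    print("reply to 3.3.3.3 sent via R6 is untranslated:",
          reply_reaches_translation("3.3.3.3", "192.168.16.6"))
```

Running it reproduces the four debug traces above (8.8.8.8 at 1001 bytes exits R4 as 192.168.46.4, 8.8.8.9 at 1001 bytes exits R4 as 4.4.4.4, 8.8.8.8 at 800 bytes exits R3 as 3.3.3.3, 8.8.8.9 at 800 bytes exits R3 as 192.168.23.3) and shows that a reply for 3.3.3.3 arriving via R6 finds no translation on R4.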
All of this only works after the BGP attribute change. How do we change AS_PATH so that R1 picks the path we want? First, what AS_PATH does: it is a well-known mandatory attribute, so every route advertised to a neighbor carries it; it can be lengthened by prepending; and it is used both for path selection (a shorter AS_PATH is preferred) and for loop prevention (a router that receives a route already containing its own AS number discards it, which keeps BGP stable and robust).
Method: R1 learns the route to 3.3.3.3 from R2. In this lab the route to 4.4.4.4 should be learned from R6, but R1 was learning it from R2 and installing that as best, and forwarding only looks at the routing table. So we make the 4.4.4.4 route that R3 passes to R2 less attractive than the one R4 sends through R6, so that after weighing the attributes R1 chooses R6 for 4.4.4.4, which is what we want. Why does R1 accept this? It compares AS_PATH lengths: every AS the route passes through prepends its own AS number before sending it to an eBGP neighbor, so the more ASes in the path, the less preferred it is. By prepending extra AS numbers on R3 with a route-map, the 4.4.4.4 path advertised via R2 becomes longer than the path R4 -> R6 -> R1.
The same is done on R4 for the 3.3.3.3 route it sends toward R1 via R6.
router bgp 300
no synchronization
bgp router-id 3.3.3.3
bgp log-neighbor-changes
network 3.3.3.0 mask 255.255.255.0
network 192.168.1.0
network 192.168.23.0
redistribute ospf 1
neighbor 192.168.1.4 remote-as 300
neighbor 192.168.1.4 next-hop-self
neighbor 192.168.23.2 remote-as 200 // R2 is in AS 200, as in the full R3 configuration above
neighbor 192.168.23.2 route-map 3 out
access-list 3 permit 4.4.4.0 0.0.0.255 // The wildcard is needed so that both 4.4.4.0/24 and the redistributed 4.4.4.4/32 match
route-map 3 permit 10
match ip address 3
set as-path prepend 1000 1001
exit
route-map 3 permit 20 // Empty permit so that all other routes are still advertised unchanged
exit
That completes the change. Now check on R1 whether two AS numbers have been appended. The output below is R1's BGP table for 3.3.3.0/24 and the redistributed 3.3.3.3/32, which shows the matching prepend configured on R4 toward R6: the best path (>) is via R2 with AS_PATH 200 300, while the path via R6 carries 400 300 1000 1001. The prepended numbers sit behind the advertising AS because R4 adds its own AS 300 when the update leaves AS 300, and R6 then adds 400. Since the two AS_PATH lengths now differ, the paths are no longer equal and maximum-paths 2 on R1 no longer load shares across them.
   Network          Next Hop            Metric LocPrf Weight Path
*> 3.3.3.0/24       192.168.12.2                           0 200 300 i
*                   192.168.16.6                           0 400 300 1000 1001 i
*> 3.3.3.3/32       192.168.12.2                           0 200 300 ?
*                   192.168.16.6                           0 400 300 1000 1001 ?
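The selection R1 makes above, and why the routes were unpredictable before the prepend, can be reproduced with a small model of the BGP best-path order. The following Python is an added example, not lab code or Cisco code. It models the steps that matter on R1 (weight, local preference, AS_PATH length, origin, MED, eBGP over iBGP, lowest neighbor router ID), the tie test behind `maximum-paths 2`, and the AS_PATH loop check that makes prepending another organisation's AS number a bad idea. Prefixes, AS numbers and router IDs are the lab's; the path objects are constructed. One simplification, labelled in the code: IOS prefers the oldest eBGP path before comparing router IDs, which is exactly why R1's choice was unpredictable before the prepend; the model uses the router ID so its results are deterministic.

```python
"""BGP best-path selection and AS_PATH prepending, as seen from R1.

Added example, not part of the original lab. It models the part of the
Cisco best-path order that matters here (weight, local preference, AS_PATH
length, origin, MED, eBGP over iBGP, lowest neighbour router ID), the tie
test behind `maximum-paths 2`, and the loop check a router performs on
AS_PATH. Prefixes, AS numbers and router IDs are those of the lab; the Path
objects are constructed. Simplification: real IOS prefers the oldest eBGP
path before comparing router IDs; this model goes straight to the router ID
so results are deterministic.
"""
from dataclasses import dataclass
from typing import List, Sequence

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}      # IGP < EGP < incomplete


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: List[int]            # leftmost = most recently traversed AS
    peer_router_id: str
    origin: str = "i"
    weight: int = 0
    local_pref: int = 100
    med: int = 0
    ebgp: bool = True


def tie_attrs(p: Path):
    """Attributes compared before the oldest-path / router-ID tie-breakers;
    a smaller tuple wins."""
    return (-p.weight, -p.local_pref, len(p.as_path),
            ORIGIN_RANK[p.origin], p.med, 0 if p.ebgp else 1)


def sort_key(p: Path):
    return tie_attrs(p) + (tuple(int(o) for o in p.peer_router_id.split(".")),)


def best_path(paths: Sequence[Path]) -> Path:
    return min(paths, key=sort_key)


def multipath_set(paths: Sequence[Path], maximum_paths: int) -> List[Path]:
    """Paths that `maximum-paths N` may install together: they must tie on
    every attribute up to and including the eBGP/iBGP test, so only the
    router-ID tie-breaker may differ. Different AS_PATH lengths rule it out."""
    best = best_path(paths)
    same = [p for p in paths if tie_attrs(p) == tie_attrs(best)]
    return sorted(same, key=sort_key)[:maximum_paths]


def accept_from_peer(path: Path, local_as: int) -> bool:
    """RFC 4271 loop detection: a route whose AS_PATH already contains the
    receiving router's AS is discarded. Prepending someone else's AS (1000
    and 1001 in the lab) makes the route unusable inside those ASes, which
    is why you should prepend your own AS number instead."""
    return local_as not in path.as_path


def advertise_ebgp(as_path: List[int], local_as: int, prepend: Sequence[int] = ()) -> List[int]:
    """What an eBGP neighbour receives: the outbound route-map prepend is
    applied first, then the router adds its own AS at the front. R4's
    `set as-path prepend 1000 1001` on a locally originated AS 300 route
    therefore reaches R6 as 300 1000 1001 and R1 as 400 300 1000 1001."""
    return [local_as, *prepend, *as_path]


def r1_table(prepend_on_r3: bool = True, prepend_on_r4: bool = True):
    """R1's two candidate paths for each NAT loopback prefix.

    R3 (AS 300) peers with R2 (AS 200, router ID 2.2.2.2); R4 (AS 300) peers
    with R6 (AS 400, router ID 6.6.6.6). R3 prepends on 4.4.4.0/24 toward R2,
    R4 prepends on 3.3.3.0/24 toward R6; both prefixes originate in AS 300.
    """
    pp = (1000, 1001)
    table = {}
    for prefix, r3_pp, r4_pp in (
        ("3.3.3.0/24", (), pp if prepend_on_r4 else ()),
        ("4.4.4.0/24", pp if prepend_on_r3 else (), ()),
    ):
        via_r2 = advertise_ebgp(advertise_ebgp([], 300, r3_pp), 200)
        via_r6 = advertise_ebgp(advertise_ebgp([], 300, r4_pp), 400)
        table[prefix] = [
            Path(prefix, "192.168.12.2", via_r2, "2.2.2.2"),
            Path(prefix, "192.168.16.6", via_r6, "6.6.6.6"),
        ]
    return table


def show(p: Path) -> str:
    """One `show ip bgp` style line for the path."""
    return f"{p.prefix:<14} {p.next_hop:<14} {' '.join(map(str, p.as_path))} {p.origin}"


if __name__ == "__main__":
    for prefix, paths in r1_table().items():
        best = best_path(paths)
        for p in paths:
            print(("*> " if p is best else "*  ") + show(p))
```

Without either prepend, both paths for each prefix have AS_PATH length 2 and tie on everything up to the eBGP test, so R1 would install both under `maximum-paths 2` (or pick one by path age), which is the asymmetric NAT failure described earlier; with the prepends, each prefix has exactly one best path and no multipath candidate.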
That is all for today's lab; comments and corrections are welcome.