Lab Description
Network Topology

Lab Tasks and Configuration
Network Segmentation
| Department | Subnet | VLAN | Gateway |
|---|---|---|---|
| Marketing (30 people) | 192.168.10.0/26 | Vlan 10 | 192.168.10.62 |
| Sales (13 people) | 192.168.10.128/28 | Vlan 20 | 192.168.10.142 |
| Operations (3 people) | 192.168.10.144/29 | Vlan 11 | 192.168.10.150 |
| Development (40 people) | 192.168.10.64/26 | Vlan 21 | 192.168.10.126 |
| Shanghai office (20 people) | 192.168.20.0/24 | Vlan 12 | 192.168.20.254 |
| Data center | 210.28.91.0/24 | Vlan 61 | 210.28.91.254 |
| Marketing (IPv6) | 2001:250:a160:4::/64 | | 2001:250:a160:4::2 |
| Sales (IPv6) | 2001:250:a160:5::/64 | | 2001:250:a160:5::2 |
| Operations (IPv6) | 2001:250:a160:6::/64 | | 2001:250:a160:6::2 |
| Development (IPv6) | 2001:250:a160:7::/64 | | 2001:250:a160:7::2 |
| Shanghai office (IPv6) | 2001:250:a160:1::/64 | | 2001:250:a160:1::2 |
| Data center (IPv6) | 2001:250:a160:8::/64 | | 2001:250:a160:8::2 |
| R4 (IPv6) | 2001:250:a160::/64 | | 2001:250:a160::2 |

| Link | IPv4 subnet | IPv6 subnet |
|---|---|---|
| R1-SW1 | 192.168.255.8/30 | 2001:250:a160:9::/64 |
| R1-SW2 | 192.168.255.12/30 | 2001:250:a160:10::/64 |
| SW1-SW2 | 192.168.255.0/30 | |
| R3-SW3 | 192.168.255.16/30 | 2001:250:a160:2::/64 |
| R1-R3 | 192.168.255.20/30 | 2001:250:a160:3::/64 |
IP and VLAN Planning
#PC1 configuration
VPCS> set pcname PC1
#PC2 configuration
Router(config)#hostname PC2
PC2(config)#interface e0/0
PC2(config-if)#no shutdown
PC2(config-if)#ip address 192.168.10.129 255.255.255.240
PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.142
#PC3 configuration
Router(config)#hostname PC3
PC3(config)#interface e0/0
PC3(config-if)#no shutdown
PC3(config-if)#ip address 192.168.10.145 255.255.255.248
PC3(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.150
#PC4 configuration
VPCS> set pcname PC4
PC4> ip 192.168.10.65/26 192.168.10.126
#PC5 configuration
VPCS> set pcname PC5
PC5> ip 192.168.20.1/24 192.168.20.254
#SERVER configuration
Router(config)#hostname SERVER
SERVER(config)#interface e0/0
SERVER(config-if)#no shutdown
SERVER(config-if)#ip address 210.28.91.1 255.255.255.0
SERVER(config)#ip route 0.0.0.0 0.0.0.0 210.28.91.254
#R4 configuration
Router(config)#hostname R4
R4(config)#interface e0/0
R4(config-if)#no shutdown
R4(config-if)#ipv6 address 2001:250:a160::1/64
#R1 configuration
Router(config)#hostname R1
R1(config)#interface e0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.255.9 255.255.255.252
R1(config-if)#interface e0/1
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.255.13 255.255.255.252
R1(config-if)#interface e0/2
R1(config-if)#no shutdown
R1(config-if)#ip address 202.226.30.5 255.255.255.252
R1(config-if)#interface e1/0
R1(config-if)#no shutdown
R1(config-if)#ip address 221.226.30.1 255.255.255.252
R1(config-if)#interface e0/3
R1(config-if)#no shutdown
R1(config-if)#ipv6 address 2001:250:a160::2/64
#R2 configuration
Router(config)#hostname R2
R2(config)#interface loopback0
R2(config-if)#no shutdown
R2(config-if)#ip address 8.8.8.8 255.255.255.0
R2(config-if)#interface e0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 202.226.30.6 255.255.255.252
R2(config-if)#interface e0/1
R2(config-if)#no shutdown
R2(config-if)#ip address 221.226.30.9 255.255.255.252
R2(config-if)#interface e0/2
R2(config-if)#no shutdown
R2(config-if)#ip address 221.226.30.2 255.255.255.252
#R3 configuration
Router(config)#hostname R3
R3(config)#interface e0/0
R3(config-if)#no shutdown
R3(config-if)#ip address 221.226.30.10 255.255.255.252
R3(config-if)#interface e0/1
R3(config-if)#no shutdown
R3(config-if)#ip address 192.168.255.17 255.255.255.252
#SW3 configuration
Switch(config)#hostname SW3
SW3(config)#vlan 12
SW3(config-vlan)#interface vlan 12
SW3(config-if)#no shutdown
SW3(config-if)#ip address 192.168.20.254 255.255.255.0
SW3(config-if)#interface e0/1
SW3(config-if)#no shutdown
SW3(config-if)#switchport access vlan 12
SW3(config-if)#vlan 22
SW3(config-vlan)#interface vlan 22
SW3(config-if)#no shutdown
SW3(config-if)#ip address 192.168.255.18 255.255.255.252
SW3(config-if)#interface e0/0
SW3(config-if)#no shutdown
SW3(config-if)#switchport access vlan 22
#SW1 configuration
Switch(config)#hostname SW1
SW1(config)#vlan 10
SW1(config-vlan)#interface vlan 10
SW1(config-if)#no shutdown
SW1(config-if)#ip address 192.168.10.62 255.255.255.192
SW1(config-if)#interface e0/2
SW1(config-if)#no shutdown
SW1(config-if)#switchport access vlan 10
SW1(config-if)#vlan 20
SW1(config-vlan)#interface vlan 20
SW1(config-if)#no shutdown
SW1(config-if)#ip address 192.168.10.142 255.255.255.240
SW1(config-if)#interface e0/3
SW1(config-if)#no shutdown
SW1(config-if)#switchport access vlan 20
SW1(config-if)#vlan 50
SW1(config-vlan)#interface vlan 50
SW1(config-if)#no shutdown
SW1(config-if)#ip address 192.168.255.10 255.255.255.252
SW1(config-if)#interface e0/0
SW1(config-if)#no shutdown
SW1(config-if)#switchport access vlan 50
#SW2 configuration
Switch(config)#hostname SW2
SW2(config)#vlan 11
SW2(config-vlan)#interface vlan 11
SW2(config-if)#no shutdown
SW2(config-if)#ip address 192.168.10.150 255.255.255.248
SW2(config-if)#interface e0/2
SW2(config-if)#no shutdown
SW2(config-if)#switchport access vlan 11
SW2(config)#vlan 21
SW2(config-vlan)#interface vlan 21
SW2(config-if)#no shutdown
SW2(config-if)#ip address 192.168.10.126 255.255.255.192
SW2(config-if)#interface e0/3
SW2(config-if)#no shutdown
SW2(config-if)#switchport access vlan 21
SW2(config)#vlan 51
SW2(config-vlan)#interface vlan 51
SW2(config-if)#no shutdown
SW2(config-if)#ip address 192.168.255.14 255.255.255.252
SW2(config-if)#interface e0/0
SW2(config-if)#no shutdown
SW2(config-if)#switchport access vlan 51
SW2(config)#vlan 61
SW2(config-vlan)#interface vlan 61
SW2(config-if)#no shutdown
SW2(config-if)#ip address 210.28.91.254 255.255.255.0
SW2(config-if)#interface e1/0
SW2(config-if)#no shutdown
SW2(config-if)#switchport access vlan 61
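DHCP Configuration
The Marketing department uses DHCP to assign IPv4 addresses to users. Configure the DHCP service on the access device with DNS server 114.114.114.114 and a lease time of 24 hours, and exclude the gateway address from the address pool.
#SW1 configuration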
SW1(config)#service dhcp
SW1(config)#ip dhcp excluded-address 192.168.10.62
SW1(config)#ip dhcp pool dhcp-pool1
SW1(dhcp-config)#network 192.168.10.0 255.255.255.192
SW1(dhcp-config)#dns-server 114.114.114.114
SW1(dhcp-config)#default-router 192.168.10.62
SW1(dhcp-config)#lease 1
#PC1 configuration
PC1>ip dhcp
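Remote Management Configuration
For ease of management, configure the Telnet service on SW1, SW2 and R1 at headquarters. Only the Operations department is allowed to log in; the username is se, the password is lab@seu, and the login password must be stored encrypted.
#R1 configuration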
R1(config)#username se secret lab@seu
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input telnet
#SW1 configuration
SW1(config)#username se secret lab@seu
SW1(config)#line vty 0 4
SW1(config-line)#login local
SW1(config-line)#transport input telnet
#SW2 configuration
SW2(config)#username se secret lab@seu
SW2(config)#line vty 0 4
SW2(config-line)#login local
SW2(config-line)#transport input telnet
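The task limits logins to the Operations department, which the vty lines above do not enforce on their own. As an added example (not part of the original lab answer), a standard ACL bound to the vty lines restricts access to the Operations subnet 192.168.10.144/29; ACL number 10 and the domain name lab.example are assumptions, and the same lines apply on R1, SW1 and SW2.

```cisco
! Added example: only the Operations subnet may open a vty session.
! ACL number 10 is an assumption (unused elsewhere on this page).
access-list 10 permit 192.168.10.144 0.0.0.7
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 login local
 transport input telnet
 exec-timeout 5 0
!
! "username se secret ..." protects only the stored password; Telnet still
! sends the username and password in cleartext. Where the lab requirement
! allows it, SSH is the hardened transport (domain name is an assumption):
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
!
! Verification from privileged EXEC:
!   show access-lists 10                      (hit counters per entry)
!   show running-config | section line vty
```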
Loop Prevention
To prevent loops, bundle the two links between SW1 and SW2 at headquarters into an aggregated link.
#SW1 configuration
SW1(config)#interface range e0/1-1,e1/0-0
SW1(config-if-range)#channel-group 1 mode active
SW1(config)#vlan 30
SW1(config-vlan)#interface vlan 30
SW1(config-if)#no shutdown
SW1(config-if)#ip address 192.168.255.1 255.255.255.252
SW1(config-if)#interface range e0/1-1,e1/0-0
SW1(config-if-range)#switchport access vlan 30
#SW2 configuration
SW2(config)#interface range e1/1-1,e0/1-1
SW2(config-if-range)#channel-group 1 mode passive
SW2(config)#vlan 30
SW2(config-vlan)#interface vlan 30
SW2(config-if)#no shutdown
SW2(config-if)#ip address 192.168.255.2 255.255.255.252
SW2(config-if)#interface range e1/1-1,e0/1-1
SW2(config-if-range)#switchport access vlan 30
Routing Configuration
- SW1, SW2 and R1 at the Nanjing headquarters run OSPF.
#R1 configuration
R1(config)#router ospf 100
R1(config-router)#router-id 1.1.1.1
R1(config-router)#redistribute bgp 65511 subnets
R1(config-router)#network 192.168.255.8 0.0.0.3 area 0
R1(config-router)#network 192.168.255.12 0.0.0.3 area 0
R1(config-router)#default-information originate always
#SW1 configuration
SW1(config)#router ospf 100
SW1(config-router)#router-id 2.2.2.2
SW1(config-router)#network 192.168.255.0 0.0.0.3 area 0
SW1(config-router)#network 192.168.255.8 0.0.0.3 area 0
SW1(config-router)#network 192.168.10.0 0.0.0.63 area 0
SW1(config-router)#network 192.168.10.128 0.0.0.15 area 0
SW1(config-router)#interface vlan 30
SW1(config-if)#ip ospf priority 0
SW1(config-if)#interface vlan 50
SW1(config-if)#ip ospf priority 0
#SW2 configuration
SW2(config)#router ospf 100
SW2(config-router)#router-id 3.3.3.3
SW2(config-router)#network 192.168.255.0 0.0.0.3 area 0
SW2(config-router)#network 192.168.255.12 0.0.0.3 area 0
SW2(config-router)#network 192.168.10.144 0.0.0.7 area 0
SW2(config-router)#network 192.168.10.64 0.0.0.63 area 0
SW2(config-router)#network 210.28.91.0 0.0.0.255 area 0
SW2(config-router)#interface vlan 30
SW2(config-if)#ip ospf priority 0
SW2(config-if)#interface vlan 51
SW2(config-if)#ip ospf priority 0
- R1 at the Nanjing headquarters and the ISP's R2 run EBGP. The headquarters AS is 65511 and the ISP AS is 65512. Redistribute OSPF routes into BGP.
#R1 configuration
R1(config)#router bgp 65511
R1(config-router)#no bgp log-neighbor-changes
R1(config-router)#neighbor 221.226.30.2 remote-as 65512
R1(config-router)#neighbor 202.226.30.6 remote-as 65512
R1(config)#router bgp 65511
R1(config-router)#redistribute ospf 100
#R2 configuration
R2(config)#router bgp 65512
R2(config-router)#no bgp log-neighbor-changes
R2(config-router)#neighbor 221.226.30.1 remote-as 65511
R2(config-router)#neighbor 202.226.30.5 remote-as 65511
R2(config-router)#neighbor 221.226.30.10 remote-as 65512
R2(config-router)#neighbor 221.226.30.10 next-hop-self
R2(config)#router bgp 65512
R2(config-router)#redistribute connected
R2(config-router)#redistribute static
- The Shanghai branch uses static routing.
#SW3 configuration
SW3(config)#ip route 0.0.0.0 0.0.0.0 192.168.255.17
SW3(config)#ip route 192.168.10.0 255.255.255.0 192.168.255.17
#R3 configuration
R3(config)#ip route 192.168.20.0 255.255.255.0 192.168.255.18
R3(config)#ip route 0.0.0.0 0.0.0.0 221.226.30.9
R3(config)#ip route 192.168.10.0 255.255.255.0 221.226.30.9
#R2 configuration
R2(config)#ip route 192.168.20.0 255.255.255.0 221.226.30.10
- The IPv6 network uses static routes.
#PC1 configuration
PC1> ip 2001:250:a160:4::1/64
#PC2 configuration
PC2(config)#interface e0/0
PC2(config-if)#ipv6 address 2001:250:a160:5::1/64
#PC3 configuration
PC3(config)#interface e0/0
PC3(config-if)#ipv6 address 2001:250:a160:6::1/64
#PC4 configuration
PC4> ip 2001:250:a160:7::1/64
#SERVER configuration
SERVER(config)#interface e0/0
SERVER(config-if)#ipv6 address 2001:250:a160:8::1/64
#SW1 configuration
SW1(config)#interface vlan 10
SW1(config-if)#ipv6 address 2001:250:a160:4::2/64
SW1(config-if)#interface vlan 20
SW1(config-if)#ipv6 address 2001:250:a160:5::2/64
SW1(config-if)#interface vlan 50
SW1(config-if)#ipv6 address 2001:250:a160:9::2/64
SW1(config)#ipv6 route ::/0 2001:250:a160:9::1
SW1(config)#ipv6 unicast-routing
#SW2 configuration
SW2(config)#interface vlan 11
SW2(config-if)#ipv6 address 2001:250:a160:6::2/64
SW2(config-if)#interface vlan 21
SW2(config-if)#ipv6 address 2001:250:a160:7::2/64
SW2(config-if)#interface vlan 61
SW2(config-if)#ipv6 address 2001:250:a160:8::2/64
SW2(config)#interface vlan 51
SW2(config-if)#ipv6 address 2001:250:a160:10::2/64
SW2(config)#ipv6 route ::/0 2001:250:a160:10::1
SW2(config)#ipv6 unicast-routing
#R1 configuration
R1(config)#interface e0/0
R1(config-if)#ipv6 address 2001:250:a160:9::1/64
R1(config-if)#interface e0/1
R1(config-if)#ipv6 address 2001:250:a160:10::1/64
R1(config)#ipv6 route 2001:250:a160:4::/64 2001:250:a160:9::2
R1(config)#ipv6 route 2001:250:a160:5::/64 2001:250:a160:9::2
R1(config)#ipv6 route 2001:250:a160:6::/64 2001:250:a160:10::2
R1(config)#ipv6 route 2001:250:a160:7::/64 2001:250:a160:10::2
R1(config)#ipv6 route 2001:250:a160:8::/64 2001:250:a160:10::2
R1(config)#ipv6 route ::/0 2001:250:a160:3::2
#R3 configuration
R3(config)#ipv6 route ::/0 2001:250:a160:3::1
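Tunnel Configuration
The egress of the Nanjing headquarters is connected to an IPv6 network (the link between R1 and R4), and a block of IPv6 addresses has been allocated to the Shanghai office. Because an ISP network sits in between, the two IPv6 networks cannot reach each other directly. Build a 6to4 tunnel between R1 and R3 so that the headquarters and office IPv6 networks can communicate.
#PC5 configuration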
PC5> ip 2001:250:a160:1::1/64
#SW3 configuration
SW3(config)#interface vlan 12
SW3(config-if)#ipv6 address 2001:250:a160:1::2/64
SW3(config-if)#interface vlan 22
SW3(config-if)#ipv6 address 2001:250:a160:2::1/64
SW3(config)#ipv6 route ::/0 2001:250:a160:2::2
SW3(config)#ipv6 unicast-routing
#R3 configuration
R3(config)#interface e0/1
R3(config-if)#ipv6 address 2001:250:a160:2::2/64
R3(config)#ipv6 route 2001:250:a160:1::/64 2001:250:a160:2::1
R3(config)#ipv6 unicast-routing
#R1 configuration
R1(config)#interface tunnel0
R1(config-if)#no shutdown
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 address 2001:250:a160:3::1/64
R1(config-if)#tunnel source 221.226.30.1
R1(config-if)#tunnel destination 221.226.30.10
R1(config-if)#tunnel mode ipv6ip
R1(config)#ipv6 route 2001:250:a160:1::/64 2001:250:a160:3::2
R1(config)#ipv6 route 2001:250:a160:2::/64 2001:250:a160:3::2
R1(config)#ipv6 unicast-routing
#R3 configuration
R3(config)#interface tunnel0
R3(config-if)#no shutdown
R3(config-if)#ipv6 enable
R3(config-if)#ipv6 address 2001:250:a160:3::2/64
R3(config-if)#tunnel source 221.226.30.10
R3(config-if)#tunnel destination 221.226.30.1
R3(config-if)#tunnel mode ipv6ip
R3(config-if)#ipv6 route 2001:250:a160::/64 2001:250:a160:3::1
#R4 configuration
R4(config)#ipv6 route ::/0 2001:250:a160::2
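Policy Configuration
- Security monitoring:
OSPF is configured inside the Nanjing headquarters. Under normal conditions, traffic between SW1 and SW2 prefers the direct SW1-SW2 link. Suppose that, to strengthen monitoring of Internet usage, headquarters requires traffic between departments on different switches to prefer the links between the switches and R1, with the SW1-SW2 link serving only as a backup.
#SW1 configuration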
SW1(config)#access-list 100 permit ip 192.168.10.0 0.0.0.63 192.168.10.144 0.0.0.7
SW1(config)#access-list 100 permit ip 192.168.10.0 0.0.0.63 192.168.10.64 0.0.0.63
SW1(config)#access-list 100 permit ip 192.168.10.128 0.0.0.15 192.168.10.144 0.0.0.7
SW1(config)#access-list 100 permit ip 192.168.10.128 0.0.0.15 192.168.10.64 0.0.0.63
SW1(config)#route-map out permit 10
SW1(config-route-map)#match ip address 100
SW1(config-route-map)#set ip next-hop 192.168.255.9
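#Apply the route-map on the user-facing SVIs so that transit traffic from the departments is policy-routed
SW1(config)#interface vlan 10
SW1(config-if)#ip policy route-map out
SW1(config-if)#interface vlan 20
SW1(config-if)#ip policy route-map out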
#SW2 configuration
SW2(config)#access-list 100 permit ip 192.168.10.144 0.0.0.7 192.168.10.0 0.0.0.63
SW2(config)#access-list 100 permit ip 192.168.10.144 0.0.0.7 192.168.10.128 0.0.0.15
SW2(config)#access-list 100 permit ip 192.168.10.64 0.0.0.63 192.168.10.0 0.0.0.63
SW2(config)#access-list 100 permit ip 192.168.10.64 0.0.0.63 192.168.10.128 0.0.0.15
SW2(config)#route-map out permit 10
SW2(config-route-map)#match ip address 100
SW2(config-route-map)#set ip next-hop 192.168.255.13
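#Apply the route-map on the user-facing SVIs so that transit traffic from the departments is policy-routed
SW2(config)#interface vlan 11
SW2(config-if)#ip policy route-map out
SW2(config-if)#interface vlan 21
SW2(config-if)#ip policy route-map out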
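- Bandwidth optimization:
Because the DC zone sends a large volume of traffic to the external network, and to protect the bandwidth available to internal staff for Internet access, traffic between the DC zone and 8.8.8.8 must prefer the DC dedicated line, while traffic between the other zones and 8.8.8.8 prefers the Internet dedicated line; the two lines back each other up.
The MED attribute is the metric of a BGP route. MED is exchanged between ASes: an AS uses the local preference attribute to influence its own outbound path selection and uses MED to influence another AS's outbound path selection. As with the metrics of other routing protocols, the lower the MED value, the higher the preference.
#R2 configuration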
R2(config)#access-list 111 permit ip 192.168.10.0 0.0.0.255 8.8.8.0 0.0.0.255
R2(config)#access-list 112 permit ip 210.28.91.0 0.0.0.255 8.8.8.0 0.0.0.255
R2(config)#access-list 99 permit any
R2(config)#route-map bgp1 permit 10
R2(config-route-map)#match ip address 111
R2(config-route-map)#set metric 1000
R2(config)#route-map bgp1 permit 20
R2(config-route-map)#match ip address 112
R2(config-route-map)#set metric 2000
R2(config)#route-map bgp1 permit 30
R2(config-route-map)#match ip address 99
R2(config)#router bgp 65512
#Internet dedicated line
R2(config-router)#neighbor 221.226.30.1 route-map bgp1 out
R2(config)#route-map bgp2 permit 10
R2(config-route-map)#match ip address 111
R2(config-route-map)#set metric 2000
R2(config)#route-map bgp2 permit 20
R2(config-route-map)#match ip address 112
R2(config-route-map)#set metric 1000
R2(config)#route-map bgp2 permit 30
R2(config-route-map)#match ip address 99
R2(config)#router bgp 65512
#DC dedicated line
R2(config-router)#neighbor 202.226.30.5 route-map bgp2 out
#R1 configuration
R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 2 permit 210.28.91.0 0.0.0.255
R1(config)#access-list 99 permit any
R1(config)#route-map bgp1 permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#set metric 1000
R1(config)#route-map bgp1 permit 20
R1(config-route-map)#match ip address 2
R1(config-route-map)#set metric 2000
R1(config)#route-map bgp1 permit 30
R1(config-route-map)#match ip address 99
R1(config)#router bgp 65511
#Internet dedicated line
R1(config-router)#neighbor 221.226.30.2 route-map bgp1 out
R1(config)#route-map bgp2 permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#set metric 2000
R1(config)#route-map bgp2 permit 20
R1(config-route-map)#match ip address 2
R1(config-route-map)#set metric 1000
R1(config)#route-map bgp2 permit 30
R1(config-route-map)#match ip address 99
R1(config)#router bgp 65511
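#DC dedicated line
R1(config-router)#neighbor 202.226.30.6 route-map bgp2 out
Security Mechanisms
- On the Development department access switch, configure MAC address binding on the interface where a terminal is already connected, to prevent staff from connecting other terminal devices without authorization.
#SW2 configuration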
SW2(config)#interface e0/3
SW2(config-if)#switchport port-security mac-address 0050.7966.680c
SW2(config-if)#switchport port-security maximum 1
SW2(config-if)#switchport port-security violation shutdown
SW2(config-if)#switchport mode access
SW2(config-if)#switchport port-security
- Block ICMP traffic from the headquarters Sales and Marketing departments to the DC zone.
#R1 configuration
R1(config)#access-list 101 deny icmp 192.168.10.0 0.0.0.63 210.28.91.0 0.0.0.255
R1(config)#access-list 101 deny icmp 192.168.10.128 0.0.0.15 210.28.91.0 0.0.0.255
R1(config)#access-list 101 permit ip any any
R1(config)#interface e0/0
R1(config-if)#ip access-group 101 in
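- The Shanghai office frequently needs to access servers in the headquarters DC zone to upload and download data. To protect this traffic, add IPv4 connectivity to the existing 6to4 tunnel between R1 and R3 so that traffic between the office and the headquarters DC zone passes directly through the tunnel, and use IPsec to encrypt the tunnel traffic.
#R1 configuration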
R1(config)#crypto isakmp policy 2
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config)#crypto isakmp key lab6 address 221.226.30.10
R1(config)#crypto ipsec transform-set tor3 esp-des esp-md5-hmac
R1(cfg-crypto-trans)#mode transport
R1(config)#crypto ipsec profile ipsec
R1(ipsec-profile)#set transform-set tor3
R1(ipsec-profile)#interface tunnel0
R1(config-if)#tunnel mode ipip
R1(config-if)#ip address 192.168.255.21 255.255.255.252
R1(config-if)#tunnel protection ipsec profile ipsec
R1(config)#ip route 192.168.20.0 255.255.255.0 192.168.255.22
#R3 configuration
R3(config)#crypto isakmp policy 2
R3(config-isakmp)#hash md5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config)#crypto isakmp key lab6 address 221.226.30.1
R3(config)#crypto ipsec transform-set tor1 esp-des esp-md5-hmac
R3(cfg-crypto-trans)#mode transport
R3(config)#crypto ipsec profile ipsec
R3(ipsec-profile)#set transform-set tor1
R3(config-if)#interface tunnel0
R3(config-if)#tunnel mode ipip
R3(config-if)#ip address 192.168.255.22 255.255.255.252
R3(config-if)#tunnel protection ipsec profile ipsec
R3(config)#ip route 210.28.91.0 255.255.255.0 192.168.255.21
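The ISAKMP policy and transform set above use MD5, DES and DH group 2, all of which are considered weak today. As an added example (not part of the original lab answer), the R1 side of the same tunnel protection with AES-256, SHA-256 and DH group 14 is shown here; policy number 1 and the name tor3-aes are assumptions, availability of these algorithms depends on the IOS image, and R3 needs the mirror-image configuration.

```cisco
! Added example: stronger proposals for the R1 side of the tunnel.
! Policy 1 is evaluated before the page's policy 2 (lower number = higher priority).
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The pre-shared key line from the page stays as it is:
!   crypto isakmp key lab6 address 221.226.30.10
!
! tor3-aes is an assumed name; it replaces tor3 (esp-des esp-md5-hmac).
crypto ipsec transform-set tor3-aes esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile ipsec
 set transform-set tor3-aes
 set pfs group14
!
! Once both peers negotiate with the new proposals, remove the weak ones
! so that the peers cannot fall back to them:
no crypto isakmp policy 2
no crypto ipsec transform-set tor3
!
! Verification from privileged EXEC:
!   show crypto isakmp policy   (policy 1 lists AES 256, SHA256, group 14)
!   show crypto isakmp sa       (state QM_IDLE toward 221.226.30.10)
!   show crypto ipsec sa        (encaps/decaps counters rise with tunnel traffic)
```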
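NAT Configuration
The company rents a batch of cloud hosts from a cloud provider to host its website and other applications. Headquarters and the cloud provider exchange traffic between the internal network and the cloud hosts over a fiber link, and headquarters R1 establishes an EBGP neighbor relationship with the cloud provider over this link. The cloud provider's AS is 65513. Configure BGP to establish the neighbor relationship so that R1 learns the specific routes of the cloud hosts, and configure NAT so that when internal users access the cloud hosts, their addresses are translated to the address of the R1 interface facing the cloud provider.
#R1 configuration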
R1(config)#interface e1/1
R1(config-if)#no shutdown
R1(config-if)#ip address 172.20.2.16 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 172.20.2.254
R1(config)#router bgp 65511
R1(config-router)#no bgp log-neighbor-changes
R1(config-router)#neighbor 172.20.2.254 remote-as 65513
R1(config)#access-list 5 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 5 permit 192.168.20.0 0.0.0.255
R1(config)#ip nat inside source list 5 interface e1/1 overload
R1(config)#interface e0/0
R1(config-if)#ip nat inside
R1(config-if)#interface e0/1
R1(config-if)#ip nat inside
R1(config-if)#interface e0/2
R1(config-if)#ip nat inside
R1(config-if)#interface e1/0
R1(config-if)#ip nat inside
R1(config-if)#interface e1/1
R1(config-if)#ip nat outside
