*** GRE隧道基礎配置

一實驗拓撲

二實驗步驟

注意：中間鏈路故障時，Tunnel接口仍然UP

由於使用靜態路由，備份隧道始終空閒，數據包被丟棄

配置了keepalive後，RTA收不到RTB的Keepalive報文，Tunnel0接口down

[RA]int tunnel 0

[RA-Tunnel0]ip add 192.168.0.1 24

[RA-Tunnel0]undo shu

Interface Tunnel0 is not shut down

[RA-Tunnel0]source 10.1.1.1

[RA-Tunnel0]des 13.1.1.1

[RA-Tunnel0]keepalive //配置的是靜態路由，需要用到

[RA]ip rout 12.1.1.0 255.255.255.0 tunnel 0

[RB]int tunnel 0

[RB-Tunnel0]ip add 192.168.0.2 255.255.255.0

[RB-Tunnel0]source 13.1.1.1

[RB-Tunnel0]des 10.1.1.1

[RA-Tunnel0]keepalive

[RB]ip rout 11.1.1.0 255.255.255.0 tunnel 0

[RA]dis ip int bri

*down: administratively down

(s): spoofing

Interface Physical Protocol IP Address

Ethernet0/1/0 up down unassigned

LoopBack1 up up(s) 11.1.1.1

Serial0/2/0 up up 10.1.1.1

Serial0/2/1 down down unassigned

Serial0/2/2 down down unassigned

Serial0/2/3 down down unassigned

Tunnel0 down down 192.168.0.1

要保證網絡是連通的，否則隧道不會起來

配置RIP後

[RA]rip 1

[RA-rip-1]version 2

[RA-rip-1]undo summary

[RA-rip-1]net 11.0.0.0

[RA-rip-1]net 10.0.0.0

[Internet]rip 1

[Internet-rip-1]version 2

[Internet-rip-1]undo summary

[Internet-rip-1]net 10.0.0.0

[Internet-rip-1]net 13.0.0.0

[Internet-rip-1]qui

[RB]rip 1

[RB-rip-1]version 2

[RB-rip-1]undo summary

[RB-rip-1]net 13.0.0.0

[RB-rip-1]net 12.0.0.0

我們發現

[RA-rip-1]dis ip int br

*down: administratively down

(s): spoofing

Interface Physical Protocol IP Address

Ethernet0/1/0 up down unassigned

LoopBack1 up up(s) 11.1.1.1

Serial0/2/0 up up 10.1.1.1

Serial0/2/1 down down unassigned

Serial0/2/2 down down unassigned

Serial0/2/3 down down unassigned

Tunnel0 up up 192.168.0.1

[RB]dis ip int bri

*down: administratively down

(s): spoofing

Interface Physical Protocol IP Address

Ethernet0/1/0 up down unassigned

LoopBack1 up up(s) 12.1.1.1

Serial0/2/0 up up 13.1.1.1

Serial0/2/1 down down unassigned

Serial0/2/2 down down unassigned

Tunnel0 up up 192.168.0.2

再查看路由（之前只有直連的，雖然配置了下一跳是tunnel的靜態路由，但是tunnel接口沒起來，路由不會生效，即不會放入全局路由表裏）

[RA-rip-1]dis ip rout

Routing Tables: Public

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

10.1.1.0/30 Direct 0 0 10.1.1.1 S0/2/0

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.2/32 Direct 0 0 10.1.1.2 S0/2/0 對端ip

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

12.1.1.0/24 Static 60 0 192.168.0.1 Tun0

12.1.1.1/32 RIP 100 2 10.1.1.2 S0/2/0 優先選靜態？

13.1.1.0/30 RIP 100 1 10.1.1.2 S0/2/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 Direct 0 0 192.168.0.1 Tun0

192.168.0.1/32 Direct 0 0 127.0.0.1 InLoop0

[RB]dis ip rout

Routing Tables: Public

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

10.1.1.0/30 RIP 100 1 13.1.1.2 S0/2/0

11.1.1.0/24 Static 60 0 192.168.0.2 Tun0

11.1.1.1/32 RIP 100 2 13.1.1.2 S0/2/0

12.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

13.1.1.0/30 Direct 0 0 13.1.1.1 S0/2/0

13.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

13.1.1.2/32 Direct 0 0 13.1.1.2 S0/2/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 Direct 0 0 192.168.0.2 Tun0

192.168.0.2/32 Direct 0 0 127.0.0.1 InLoop0

測試隧道是否建立成功

[RB]ping -a 12.1.1.1 11.1.1.1

PING 11.1.1.1: 56 data bytes, press CTRL_C to break

Reply from 11.1.1.1: bytes=56 Sequence=1 ttl=254 time=27 ms

Reply from 11.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms

Reply from 11.1.1.1: bytes=56 Sequence=3 ttl=254 time=20 ms

Reply from 11.1.1.1: bytes=56 Sequence=4 ttl=254 time=10 ms

Reply from 11.1.1.1: bytes=56 Sequence=5 ttl=254 time=1 ms

--- 11.1.1.1 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 1/11/27 ms

查看路徑

[RB]trace -a 12.1.1.1 11.1.1.1

traceroute to 11.1.1.1(11.1.1.1) 30 hops max,40 bytes packet, press CTRL_C to break

1 13.1.1.2 4294967290 ms 4 ms <1 ms

2 11.1.1.1 14 ms 30 ms 20 ms

<RA>dis int tunnel0

Tunnel0 current state: UP

Line protocol current state: UP

Description: Tunnel0 Interface

The Maximum Transmit Unit is 1476

Internet Address is 192.168.0.1/24 Primary

Encapsulation is TUNNEL, aggregation ID not set

Tunnel source 10.1.1.1, destination 13.1.1.1

Tunnel keepalive disable

Tunnel protocol/transport GRE/IP

GRE key disabled

Checksumming of GRE packets disabled

Last 300 seconds input: 0 bytes/sec, 0 packets/sec

Last 300 seconds output: 0 bytes/sec, 0 packets/sec

15 packets input, 960 bytes

0 input error

204 packets output, 13056 bytes

0 output error

三配置關鍵點

兩端的隧道地址要處於同一網段

不要忘記配置通過tunnel訪問對方私網的路由

思考：

1.分析tunnel接口起來的條件

2.分析數據流（GRE隧道處理流程）

1）隧道起點路由查找

12.1.1.0/24 Static 60 0 192.168.0.1 Tun0

2）加封裝

3）承載協議路由轉發

13.1.1.0/30 RIP 100 1 10.1.1.2 S0/2/0

4）中途轉發

5）解封裝

解掉公網IP頭，GRE頭，剩下私網IP包

6）隧道終點路由查找

承接上一步，根據私網IP包頭，查找路由，轉發

12.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

知識原理：

GRE (Generic Routing Encapsulation)

在任意一種網絡協議上傳送任意一種其它網絡協議的封裝方法

RFC 2784定義了標準GRE封裝

GRE ***

直接使用GRE封裝建立GRE隧道，在一種協議的網絡上傳送其它協議

虛擬的隧道（Tunnel）接口

封裝結構：

全網使用OSPF 把tunnel接口發佈進去

[RA]router id 1.1.1.1

[RA]ospf 1

[RA-ospf-1]area 0

[RA-ospf-1-area-0.0.0.0]net 11.1.1.1 0.0.0.0

[RA-ospf-1-area-0.0.0.0]net 10.1.1.1 0.0.0.3

[RA-ospf-1-area-0.0.0.0]net 192.168.0.1 0.0.0.255

[Internet]router id 3.3.3.3

[Internet]ospf 1

[Internet-ospf-1]area 0

[Internet-ospf-1-area-0.0.0.0]net 10.1.1.2 0.0.0.3

[Internet-ospf-1-area-0.0.0.0]net 13.1.1.2 0.0

%Sep 22 12:46:46:266 2012 Internet RM/3/RMLOG:OSPF-NBRCHANGE: Process 1, Neighbor 10.1.1.1(Serial0/2/0) from Loading to Full.0.3

[RB]route id 2.2.2.2

[RB]ospf 1

[RB-ospf-1]are 0

[RB-ospf-1-area-0.0.0.0]net 12.1.1.1 0.0.0.0

[RB-ospf-1-area-0.0.0.0]net 13.1.1.1 0.0.0.3

[RB-ospf-1-area-0.0.0.0]net 192.0

%Sep 22 12:47:47:93 2012 RB RM/3/RMLOG:OSPF-NBRCHANGE: Process 1, Neighbor 13.1.1.2(Serial0/2/0) from Loading to Full.0.2

%Sep 22 12:47:48:984 2012 RB TUNNEL/4/LINK UPDOWN:

Tunnel0: link status is UP

%Sep 22 12:47:48:984 2012 RB IFNET/4/UPDOWN:

Line protocol on the interface Tunnel0 is UP 0.0.0.255

查看一下路由

[RA]dis ip rout

Routing Tables: Public

Destinations : 10 Routes : 10

Destination/Mask Proto Pre Cost NextHop Interface

10.1.1.0/30 Direct 0 0 10.1.1.1 S0/2/0

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.2/32 Direct 0 0 10.1.1.2 S0/2/0

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

12.1.1.1/32 OSPF 10 3124 10.1.1.2 S0/2/0

13.1.1.0/30 OSPF 10 3124 10.1.1.2 S0/2/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 Direct 0 0 192.168.0.1 Tun0

192.168.0.1/32 Direct 0 0 127.0.0.1 InLoop0

這樣配明顯出問題了吧

必須保證去往12.1.1.0的路由下一跳是tunnel 0 ，纔會封裝GRE頭部

[RA-ospf-1-area-0.0.0.0]undo net 192.168.0.0 0.0.0.255

[RA]ip rout 12.1.1.0 255.255.255.0 192.168.0.2

[RB-ospf-1-area-0.0.0.0]undo net 192.168.0.0 0.0.0.255

[RB]ip rout 11.1.1.0 255.255.255.0 192.168.0.1

[RA]dis ip rout

Routing Tables: Public

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

10.1.1.0/30 Direct 0 0 10.1.1.1 S0/2/0

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.2/32 Direct 0 0 10.1.1.2 S0/2/0

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

12.1.1.0/24 Static 60 0 192.168.0.2 Tun0

12.1.1.1/32 OSPF 10 3124 10.1.1.2 S0/2/0

13.1.1.0/30 OSPF 10 3124 10.1.1.2 S0/2/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 Direct 0 0 192.168.0.1 Tun0

192.168.0.1/32 Direct 0 0 127.0.0.1 InLoop0

疑問：ppt是怎樣做到用OSPF發佈，做到下一跳是tunnel的？

四總結

GRE ***是由GRE隧道構成的Site-to-Stie ***

GRE隧道通過GRE封裝實現

GRE ***簡單而容易部署，支持多協議，但其不能分隔地址空間，且安全性較差

*** GRE隧道基礎配置

IPsec ×××基本實驗

配置光盤爲本地yum源(rhel6.1)

我的友情鏈接

Cisco IOS 的登錄密碼以及權限分配以及log時間設置

IPsec ***基本實驗

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結