GRE 協議簡介
協議簡介
GRE (Generic Routing Encapsulation)即通用路由封裝協議是對某些網絡層協議(如IP 和 IPX)的數據報進行封裝,使這些被封裝的數據報能夠在另一個網絡層協議(如 IP)中傳輸。GRE 是***(Virtual Private Network )的第三層隧道協議,即在協議層之間採用了一種被稱之爲Tunnel (隧道)的技術。Tunnel 是一個虛擬的點對點的連接,在實際中可以看成僅支持點對點連接的虛擬接口,這個接口提供了一條通路使封裝的數據報能夠在這個通路上傳輸,並且在一個Tunnel 的兩端分別對數據報進行封裝及解封。
(1) 加封裝過程
如下圖,連接 Novell group1 的接口收到IPX 數據報後首先交由 IPX 協議處理,IPX協議檢查 IPX 報頭中的目的地址域來確定如何路由此包。
若報文的目的地址被發現要路由經過網號爲 1f 的網絡(Tunnel 的虛擬網號),則將此報文發給網號爲 1f 的tunnel 端口。Tunnel 口收到此包後進行GRE 封裝,封裝完成後交給 IP 模塊處理,在封裝 IP 報頭後,根據此包的目的地址及路由表交由相應的網絡接口處理。
(2) 解封裝的過程
解封裝過程和加封裝的過程相反。從 Tunnel 接口收到的 IP 報文,通過檢查目的地址,發現目的地就是此路由器時,剝掉 IP 報頭,再交給 GRE 協議處理後(進行檢驗密鑰、檢查校驗和或報文的序列號等),剝掉 GRE 報頭後,再交由 IPX 協議象對待一般數據報一樣對此數據報進行處理。系統收到一個需要封裝和路由的數據報,稱之爲淨荷(Payload),這個淨荷首先被加上 GRE 封裝,成爲 GRE 報文;再被封裝在 IP 報文中,這樣就可完全由 IP 層負責此報文的向前傳輸(Forwarded)。這個負責向前傳輸的IP協議被稱爲傳遞(Delivery)協議或傳輸(Transport)協議。
GRE 的典型配置案例
1. 組網需求
局域網1(總公司) 和 局域網2 (分公司)跨 Internet 網絡進行通訊,採用GRE 隧道方式進行通信,防火牆FW1和 FW2 爲GRE 隧道的兩個端點,ISP屬於interne網絡。
2.組網圖
3.實驗步驟
(1)FW1的配置
[FW1]firewall packet-filter default permit #防火牆默認配置
[FW1]int eth0/0
[FW1-Ethernet0/0]ip add 192.168.1.254 24
[FW1-Ethernet0/0]
%Apr 19 14:02:20:996 2013 FW1 IFNET/4/UPDOWN:Line protocol on the interface Ethe
rnet0/0 is UP
[FW1-Ethernet0/0]int eth0/4
[FW1-Ethernet0/4]ip add 61.61.61.1 30
[FW1-Ethernet0/4]
%Apr 19 14:02:34:625 2013 FW1 IFNET/4/UPDOWN:Line protocol on the interface Ethe
rnet0/4 is UP
[FW1-Ethernet0/4]quit
[FW1]ip route-static
[FW1]firewall zone untrust
[FW1-zone-untrust]add int eth0/4
[FW1-zone-untrust]quit
[FW1]firewall zone trust
[FW1-zone-trust]add int eth0/0
[FW1-zone-trust]quit
[FW1]int Tunnel 10 #配置隧道
[FW1-Tunnel10]tunnel-protocol gre #隧道協議爲GRE
[FW1-Tunnel10]ip add 192.168.3.1 24 #隧道IP地址
[FW1-Tunnel10]destination 61.61.62.2 #目的IP地址
[FW1-Tunnel10]source 61.61.61.1 #源端IP地址
[FW1-Tunnel10]
%Apr 19 14:03:57:181 2013 FW1 IFNET/4/UPDOWN:Line protocol on the interface Tunn
el10 is UP
[FW1-Tunnel10]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add int Tunnel 10
[FW1-zone-untrust]quit
[FW1]ip route-static 192.168.2.0 24 Tunnel 10 #配置默認路由
[FW1]dis ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
61.61.61.0/30 DIRECT 0 0 61.61.61.1 Ethernet0/4
61.61.61.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.1.0/24 DIRECT 0 0 192.168.1.254 Ethernet0/0
192.168.1.254/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.2.0/24 STATIC 60 0 192.168.3.1 Tunnel10
192.168.3.0/24 DIRECT 0 0 192.168.3.1 Tunnel10
192.168.3.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
[FW1]
(2)FW2的配置
<H3C>sys
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]sys FW2
[FW2]int eth0/0
[FW2-Ethernet0/0]ip add 192.168.2.254 24
[FW2-Ethernet0/0]
[FW2-Ethernet0/0]int eth0/4
[FW2-Ethernet0/4]ip add 61.61.62.2 30
[FW2-Ethernet0/4]
%Apr 19 09:08:11:621 2013 FW2 IFNET/4/UPDOWN:Line protocol on the interface Ethe
rnet0/4 is UP
[FW2-Ethernet0/4]quit
[FW2]ip rou
[FW2]ip route-static
[FW2]firewall zone untrust
[FW2-zone-untrust]add int eth0/4
[FW2-zone-untrust]quit
[FW2]fire zone trust
[FW2-zone-trust]add int eth0/0
The interface has been added to trust security zone.
[FW2-zone-trust]quit
[FW2]dis ip rout
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
61.61.62.0/30 DIRECT 0 0 61.61.62.2 Ethernet0/4
61.61.62.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.2.0/24 DIRECT 0 0 192.168.2.254 Ethernet0/0
192.168.2.254/32 DIRECT 0 0 127.0.0.1 InLoopBack0
[FW2]int tunn
[FW2]int Tunnel 20
[FW2-Tunnel20]tu
[FW2-Tunnel20]tunnel-protocol gre
[FW2-Tunnel20]ip add 192.168.3.2 24
[FW2-Tunnel20]dest
[FW2-Tunnel20]destination 61.61.61.1
[FW2-Tunnel20]sou
[FW2-Tunnel20]source 61.61.62.2
[FW2-Tunnel20]
%Apr 19 09:10:17:650 2013 FW2 IFNET/4/UPDOWN:Line protocol on the interface Tunn
el20 is UP
[FW2-Tunnel20]quit
[FW2]firewall zone untrust
[FW2-zone-untrust]add int Tunnel 20
[FW2-zone-untrust]quit
[FW2]ip route-static 192.168.1.0 24 Tunnel 20
[FW2]dis ip rout
[FW2]dis ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
61.61.62.0/30 DIRECT 0 0 61.61.62.2 Ethernet0/4
61.61.62.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.1.0/24 STATIC 60 0 192.168.3.2 Tunnel20
192.168.2.0/24 DIRECT 0 0 192.168.2.254 Ethernet0/0
192.168.2.254/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.3.0/24 DIRECT 0 0 192.168.3.2 Tunnel20
192.168.3.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
[FW2]
(3)ISP的配置
[Quidway]sys ISP
[ISP]vlan 10
[ISP-vlan10]port eth0/10
[ISP-vlan10]vlan 20
[ISP-vlan20]port eth0/20
[ISP-vlan20]quit
[ISP]int vlan 10
[ISP-Vlan-interface10]
%Apr 19 11:31:43 2013 ISP L2INF/5/VLANIF LINK STATUS CHANGE:Slot=1;
Vlan-interface10: turns into UP state
[ISP-Vlan-interface10]ip add 61.61.61.2 255.255.255.252
[ISP-Vlan-interface10]
%Apr 19 11:32:05 2013 ISP IFNET/5/UPDOWN:Slot=1;Line protocol on the interface V
lan-interface10 turns into UP state
[ISP-Vlan-interface10]int vlan 20
[ISP-Vlan-interface20]
%Apr 19 11:32:10 2013 ISP L2INF/5/VLANIF LINK STATUS CHANGE:Slot=1;
Vlan-interface20: turns into UP state
[ISP-Vlan-interface20]ip add 61.61.62.1 255.255.255.252
[ISP-Vlan-interface20]
%Apr 19 11:32:23 2013 ISP IFNET/5/UPDOWN:Slot=1;Line protocol on the interface V
lan-interface20 turns into UP state
[ISP-Vlan-interface20]quit
[ISP]dis ip rout
[ISP]dis ip routing-table
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
61.61.61.0/30 DIRECT 0 0 61.61.61.2 Vlan-interface10
61.61.61.2/32 DIRECT 0 0 127.0.0.1 InLoopBack0
61.61.62.0/30 DIRECT 0 0 61.61.62.1 Vlan-interface20
61.61.62.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
[ISP]
(4)PC10的配置和測試
