Deploying VPN backup technology in an enterprise network

With the rapid growth of the economy, modern enterprises are growing from standalone companies into corporate groups, and their management is moving from independent operation to a centralised, unified model. Under these conditions IT infrastructure has become an important part of enterprise growth, and VPN technology is widely used to carry business data securely across carrier networks or the Internet. To guarantee high availability and high reliability, a backup link is a key factor that must be considered when a VPN network is deployed.

When deploying VPN backup links, high reliability and high availability can be achieved in two ways:

- Use two carrier links that back each other up; load balancing across them is possible as well.

- Use one carrier link as the primary link and an Internet link as the backup.

The first approach performs better but is expensive; the second is cheap but its performance is limited. The two examples below show how each is implemented.

The figure below shows an example of the first approach: two carrier links are leased between head office and the branch office, and VPN technology encrypts the data so that business traffic is transported securely. The subnets to be protected are 10.1.1.0/24 and 10.1.2.0/24.

[Figure: topology of the first approach]

The VPN configuration itself does not change for this design; the only difference is that the VPN's source address is moved to a Loopback interface (crypto map map1 local-address Loopback0). That address never goes down, so if either of the two WAN interfaces fails the VPN connection is unaffected.
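As an added example (not part of the original post), the following Python script cross-checks the two peers of this design the way a reviewer would before deployment: the crypto map must be sourced from a Loopback, each `set peer` must be the far side's Loopback address, the crypto map must be applied on both WAN interfaces, the crypto ACLs must mirror each other, and the pre-shared key and transform set must match on both ends. It also flags the lab's weak choices (single DES, MD5, DH group 2, a three-character pre-shared key); the embedded template is a trimmed copy of the RouterA/RouterB configurations shown below, with only the crypto-relevant lines kept.

```python
import re

# Added example, not from the original post: cross-check the two peers of the
# dual-link design and flag weak crypto. TEMPLATE is a trimmed copy of the
# page's RouterA/RouterB configs (only the crypto-relevant lines are kept).
TEMPLATE = """\
crypto isakmp policy 110
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123 address {peer}
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac
crypto map map1 local-address Loopback0
crypto map map1 10 ipsec-isakmp
 set peer {peer}
 set transform-set ***
 match address 110
interface Loopback0
 ip address {lo} 255.255.255.255
interface Serial1/0
 ip address {s0} 255.255.255.252
 crypto map map1
interface Serial1/1
 ip address {s1} 255.255.255.252
 crypto map map1
access-list 110 permit ip {near} 0.0.0.255 {far} 0.0.0.255
"""
ROUTER_A = TEMPLATE.format(peer="2.2.2.2", lo="1.1.1.1", s0="88.1.1.1",
                           s1="99.1.1.1", near="10.1.1.0", far="10.1.2.0")
ROUTER_B = TEMPLATE.format(peer="1.1.1.1", lo="2.2.2.2", s0="88.1.1.2",
                           s1="99.1.1.2", near="10.1.2.0", far="10.1.1.0")


def parse(cfg):
    """Extract the crypto-relevant pieces of an IOS running-config."""
    def one(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else ""
    ifaces = {}                                   # name -> (ip, crypto map name)
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", cfg, re.M):
        ip = re.search(r"^ ip address (\S+)", body, re.M)
        cm = re.search(r"^ crypto map (\S+)", body, re.M)
        ifaces[name] = (ip.group(1) if ip else "", cm.group(1) if cm else "")
    acl_num = one(r"^ match address (\S+)")
    return {
        "keys": {p: k for k, p in re.findall(
            r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)},
        "policy": dict(re.findall(r"^ (encryption|hash|group) (\S+)", cfg, re.M)),
        "tset": tuple(sorted(one(r"^crypto ipsec transform-set \S+ (.*)$").split())),
        "local_addr": one(r"^crypto map \S+ local-address (\S+)"),
        "peer": one(r"^ set peer (\S+)"),
        "acl": set(re.findall(
            rf"^access-list {acl_num} permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)),
        "ifaces": ifaces}


def audit(cfg_a, cfg_b):
    """Return (structural findings, weak-crypto findings) for a peer pair."""
    a, b = parse(cfg_a), parse(cfg_b)
    structural, weak = [], []
    for name, me, other in (("A", a, b), ("B", b, a)):
        far_lo = other["ifaces"].get(other["local_addr"], ("", ""))[0]
        wan = [n for n, (_, cm) in me["ifaces"].items() if cm and n != me["local_addr"]]
        if not me["local_addr"].startswith("Loopback"):
            structural.append(f"{name}: crypto map is not sourced from a Loopback")
        if me["peer"] != far_lo:
            structural.append(f"{name}: set peer {me['peer']} is not the far Loopback")
        if len(wan) < 2:
            structural.append(f"{name}: crypto map on only {len(wan)} WAN interface(s)")
        p = me["policy"]                          # IOS 12.4 defaults: des, sha, group 1
        algs = set(me["tset"]) | {p.get("encryption", "des"), p.get("hash", "sha")}
        if algs & {"des", "esp-des"}:
            weak.append(f"{name}: single DES")
        if any("md5" in x for x in algs):
            weak.append(f"{name}: MD5")
        if p.get("group", "1") in ("1", "2"):
            weak.append(f"{name}: DH group {p.get('group', '1')}")
        if any(len(k) < 16 for k in me["keys"].values()):
            weak.append(f"{name}: short pre-shared key")
    if a["keys"].get(a["peer"]) != b["keys"].get(b["peer"]):
        structural.append("pre-shared keys differ between the peers")
    if a["tset"] != b["tset"]:
        structural.append("transform sets differ between the peers")
    if a["acl"] != {(d, dw, s, sw) for s, sw, d, dw in b["acl"]}:
        structural.append("crypto ACLs are not mirror images of each other")
    return structural, weak
```

Run against the page's pair, `audit(ROUTER_A, ROUTER_B)` returns no structural findings but four weak-crypto findings per router; flipping one `set peer` to a WAN address instead of the far Loopback produces a structural finding.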

The full configuration follows:

RouterA#sh running-config
Building configuration...

Current configuration : 1337 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
crypto isakmp policy 110
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123 address 2.2.2.2
!
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac
!
crypto map map1 local-address Loopback0
crypto map map1 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ***
 match address 110
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex half
!
interface Serial1/0
 ip address 88.1.1.1 255.255.255.252
 serial restart-delay 0
 crypto map map1
!
interface Serial1/1
 ip address 99.1.1.1 255.255.255.252
 serial restart-delay 0
 crypto map map1
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 88.1.1.2
ip route 0.0.0.0 0.0.0.0 99.1.1.2
no ip http server
no ip http secure-server
!
!
logging alarm informational
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

RouterB#sh running-config
Building configuration...

Current configuration : 1338 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
crypto isakmp policy 110
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123 address 1.1.1.1
!
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac
!
crypto map map1 local-address Loopback0
crypto map map1 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ***
 match address 110
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.2.1 255.255.255.0
 duplex half
!
interface Serial1/0
 ip address 88.1.1.2 255.255.255.252
 serial restart-delay 0
 crypto map map1
!
interface Serial1/1
 ip address 99.1.1.2 255.255.255.252
 serial restart-delay 0
 crypto map map1
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 88.1.1.1
ip route 0.0.0.0 0.0.0.0 99.1.1.1
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 110 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

Now the test: pinging between the two subnets shows that they can communicate.

RouterB#ping 10.1.1.1 source 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/62/104 ms

RouterB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.2         QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA

RouterB#sh crypto ipsec sa
interface: Serial1/0
    Crypto map tag: map1, local addr 2.2.2.2
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240
    #pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x5CA4CEE6(1554304742)
     inbound esp sas:
      spi: 0x108F068F(277808783)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4568924/2294)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
      spi: 0xBC5AC99A(3160066458)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4568924/2290)
        replay detection support: Y
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5CA4CEE6(1554304742)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4568921/2290)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
      spi: 0x13AFEA83(330295939)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4568921/2288)
        replay detection support: Y
        Status: ACTIVE
     outbound pcp sas:
interface: Serial1/1
    Crypto map tag: map1, local addr 2.2.2.2
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240
    #pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x5CA4CEE6(1554304742)
     inbound esp sas:
      spi: 0x108F068F(277808783)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4568924/2288)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
      spi: 0xBC5AC99A(3160066458)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4568924/2288)
        replay detection support: Y
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5CA4CEE6(1554304742)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4568921/2287)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
      spi: 0x13AFEA83(330295939)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4568921/2287)
        replay detection support: Y
        Status: ACTIVE
     outbound pcp sas:

After logging in to the router and shutting down one of its WAN interfaces, the two subnets still communicate normally.

Router(config-if)#int s1/1
Router(config-if)#shutdown
Router(config-if)#
*Nov 30 20:56:34.519: %LINK-5-CHANGED: Interface Serial1/1, changed state to administratively down
*Nov 30 20:56:34.519: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/1 Physical Port Administrative State Down
*Nov 30 20:56:35.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down

RouterB#ping 10.1.1.1 source 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/62/104 ms
RouterB#

This example covers only the backup link. If there are several subnets at each end and load balancing is also required, policy-based routing (PBR) can be used; that is not covered in detail here. If you want to learn about PBR, see my earlier post.

The second approach to VPN backup follows. In this design the company, to save cost, leases only one carrier link; if the dedicated link fails, business data must be carried over the Internet link, and VPN technology is needed to keep it secure.

To shorten the outage, HSRP or VRRP is used for hot standby. The routing protocol in the layer-3 network is OSPF, but IPsec supports only IP unicast, so once IPsec VPN is enabled the OSPF routing updates cannot get through; a GRE tunnel is therefore used to carry the OSPF updates.

Internal users also need Internet access, so when NAT is applied the traffic between the two VPN subnets must be excluded from address translation.

Because the routing protocol is OSPF, when OSPF advertises a default route the subnets of both companies would learn it, so a distribute list is needed during implementation to filter the default route.
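To make the NAT-exemption and distribute-list rules concrete, here is an added Python model (not from the original post) of how R1 classifies an inside-to-outside packet with the ACLs copied from its configuration below: IOS translates inside-to-outside traffic before it consults the crypto map, so without the `deny` line in ACL 100 the VPN traffic would be NATed to the Serial1/0 address (211.1.1.1, from R1's config) and would no longer match crypto ACL 110. The sample flows (10.1.1.5 to 10.1.2.7 and to 211.1.1.2) are constructed for the demonstration.

```python
import ipaddress

# Added example, not from the original post: model the order in which R1 applies
# NAT and the crypto map to an inside-to-outside packet, using the ACLs copied
# from R1's configuration. 211.1.1.1 is R1's Serial1/0 address, the one that
# 'ip nat inside source list 100 interface Serial1/0 overload' translates to.
R1_ACLS = """\
access-list 10 deny 0.0.0.0
access-list 10 permit any
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""
NAT_OUTSIDE_IP = "211.1.1.1"


def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))


def wc_match(addr, base, wildcard):
    """IOS wildcard-mask test: a set bit in the wildcard means 'don't care'."""
    keep = 0xFFFFFFFF ^ ip2int(wildcard)
    return (ip2int(addr) & keep) == (ip2int(base) & keep)


def parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' | bare 'A'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]      # bare address: implicit host wildcard


def parse_acls(text):
    """Return {acl number: [(action, (src, wildcard), (dst, wildcard) or None), ...]}."""
    acls = {}
    for line in text.splitlines():
        _, num, action, *rest = line.split()
        dst = None
        if rest and rest[0] == "ip":                  # extended ACL: source then destination
            src, rest = parse_addr(rest[1:])
            dst, rest = parse_addr(rest)
        else:                                         # standard ACL: source only
            src, rest = parse_addr(rest)
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def acl_permits(entries, src, dst=None):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (base, wild), d in entries:
        if wc_match(src, base, wild) and (d is None or wc_match(dst, *d)):
            return action == "permit"
    return False


def classify(src, dst, acls):
    """IOS order of operations for inside->outside traffic: NAT first, then the
    crypto map. Returns 'encrypt', 'nat' or 'plain' for the packet."""
    if acl_permits(acls["100"], src, dst):
        src = NAT_OUTSIDE_IP                          # translated before the crypto check
    if acl_permits(acls["110"], src, dst):
        return "encrypt"
    return "nat" if src == NAT_OUTSIDE_IP else "plain"


def route_accepted(entries, network):
    """'distribute-list 10 in': a standard ACL applied to the advertised network."""
    return acl_permits(entries, network)


ACLS = parse_acls(R1_ACLS)
# The same ACLs without the NAT exemption line, to show why the page needs it.
ACLS_NO_EXEMPT = parse_acls("\n".join(l for l in R1_ACLS.splitlines() if "deny ip" not in l))

if __name__ == "__main__":
    for s, d in (("10.1.1.5", "10.1.2.7"), ("10.1.1.5", "211.1.1.2")):   # constructed flows
        print(s, "->", d, classify(s, d, ACLS), "/ without exemption:",
              classify(s, d, ACLS_NO_EXEMPT))
    print("default route accepted by distribute-list 10:", route_accepted(ACLS["10"], "0.0.0.0"))
```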

The lab topology is shown below.

[Figure: lab topology of the second approach]

The configuration is as follows.

R1#sh running-config
Building configuration...

Current configuration : 1847 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
crypto isakmp policy 110
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123 address 211.1.1.2
!
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac
 mode transport
!
crypto map map1 10 ipsec-isakmp
 set peer 211.1.1.2
 set transform-set ***
 match address 110
!
!
!
interface Tunnel1
 ip address 172.16.1.5 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 211.1.1.2
 tunnel key 123456
 crypto map map1
!
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 standby 10 ip 172.16.2.254
 standby 10 preempt
!
interface Serial1/0
 ip address 211.1.1.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 172.16.1.4 0.0.0.3 area 0
 network 172.16.2.0 0.0.0.255 area 10
 default-information originate
 distribute-list 10 in Tunnel1
!
ip route 0.0.0.0 0.0.0.0 211.1.1.2
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Serial1/0 overload
!
logging alarm informational
access-list 10 deny 0.0.0.0
access-list 10 permit any
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

R2#sh running-config
Building configuration...

Current configuration : 1094 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
interface FastEthernet0/0
 ip address 172.16.2.2 255.255.255.0
 duplex full
 standby 10 ip 172.16.2.254
 standby 10 priority 120
 standby 10 preempt
 standby 10 track Serial1/0 30
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.2.0 0.0.0.255 area 10
 distribute-list 10 in Serial1/0
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 10 deny 0.0.0.0
access-list 10 permit any
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

SW2#sh running-config
Building configuration...

Current configuration : 1194 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
interface FastEthernet0/0
 switchport access vlan 10
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 172.16.2.253 255.255.255.0
!
interface Vlan20
 ip address 10.1.1.1 255.255.255.0
!
router ospf 10
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 10
 network 172.16.2.0 0.0.0.255 area 10
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

R3#sh running-config
Building configuration...

Current configuration : 1857 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
crypto isakmp policy 110
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123 address 211.1.1.1
!
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-md5-hmac
 mode transport
!
crypto map map1 10 ipsec-isakmp
 set peer 211.1.1.1
 set transform-set ***
 match address 110
!
!
!
!
interface Tunnel1
 ip address 172.16.1.6 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 211.1.1.1
 tunnel key 123456
 crypto map map1
!
interface FastEthernet0/0
 ip address 172.16.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 standby 20 ip 172.16.3.254
 standby 20 preempt
!
interface Serial1/0
 ip address 211.1.1.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 172.16.1.4 0.0.0.3 area 0
 network 172.16.3.0 0.0.0.255 area 20
 default-information originate
 distribute-list 10 in Tunnel1
!
ip route 0.0.0.0 0.0.0.0 211.1.1.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Serial1/0 overload
!
logging alarm informational
access-list 10 deny 0.0.0.0
access-list 10 permit any
access-list 100 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
access-list 110 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

R4#sh running-config
Building configuration...

Current configuration : 1104 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
interface FastEthernet0/0
 ip address 172.16.3.2 255.255.255.0
 duplex full
 standby 20 ip 172.16.3.254
 standby 20 priority 120
 standby 20 preempt
 standby 20 track Serial1/0 30
!
interface Serial1/0
 ip address 172.16.1.2 255.255.255.252
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.3.0 0.0.0.255 area 20
 distribute-list 10 in Serial1/0
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 10 deny 0.0.0.0
access-list 10 permit any
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

SW1#sh running-config
Building configuration...

Current configuration : 1194 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
interface FastEthernet0/0
 switchport access vlan 30
!
interface FastEthernet0/1
 switchport access vlan 30
!
interface FastEthernet0/2
 switchport access vlan 40
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
 no ip address
!
interface Vlan30
 ip address 172.16.3.253 255.255.255.0
!
interface Vlan40
 ip address 10.1.2.1 255.255.255.0
!
router ospf 10
 log-adjacency-changes
 network 10.1.2.0 0.0.0.255 area 20
 network 172.16.3.0 0.0.0.255 area 20
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Now the test. First, look at SW2's routing table.

SW2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA    172.16.1.4/30 [110/11112] via 172.16.2.1, 00:00:55, Vlan10
O IA    172.16.1.0/30 [110/65] via 172.16.2.2, 00:00:55, Vlan10
C       172.16.2.0/24 is directly connected, Vlan10
O IA    172.16.3.0/24 [110/66] via 172.16.2.2, 00:00:46, Vlan10
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.2.0 [110/67] via 172.16.2.2, 00:00:46, Vlan10
C       10.1.1.0 is directly connected, Vlan20
O*E2 0.0.0.0/0 [110/1] via 172.16.2.1, 00:00:45, Vlan10

The cost to the 10.1.2.0 subnet is 67.

SW1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.3.1 to network 0.0.0.0
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA    172.16.1.4/30 [110/11112] via 172.16.3.1, 00:01:05, Vlan30
O IA    172.16.1.0/30 [110/65] via 172.16.3.2, 00:01:05, Vlan30
O IA    172.16.2.0/24 [110/66] via 172.16.3.2, 00:00:35, Vlan30
C       172.16.3.0/24 is directly connected, Vlan30
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.2.0 is directly connected, Vlan40
O IA    10.1.1.0 [110/67] via 172.16.3.2, 00:00:35, Vlan30
O*E2 0.0.0.0/0 [110/1] via 172.16.3.1, 00:00:30, Vlan30

R4#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Pri P State   Active          Standby         Virtual IP
Fa0/0       20  120 P Active  local           172.16.3.1      172.16.3.254

R2#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Pri P State   Active          Standby         Virtual IP
Fa0/0       10  120 P Active  local           172.16.2.1      172.16.2.254

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 211.1.1.2 to network 0.0.0.0
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.1.4/30 is directly connected, Tunnel1
C       172.16.2.0/24 is directly connected, FastEthernet0/0
O IA    172.16.3.0/24 [110/11112] via 172.16.1.6, 00:03:56, Tunnel1
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.2.0 [110/11113] via 172.16.1.6, 00:03:56, Tunnel1
O       10.1.1.0 [110/2] via 172.16.2.253, 00:03:56, FastEthernet0/0
     211.1.1.0/29 is subnetted, 1 subnets
C       211.1.1.0 is directly connected, Serial1/0
S*   0.0.0.0/0 [1/0] via 211.1.1.2

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.1.0/30 is directly connected, Serial1/0
C       172.16.2.0/24 is directly connected, FastEthernet0/0
O IA    172.16.3.0/24 [110/65] via 172.16.1.2, 00:04:04, Serial1/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.2.0 [110/66] via 172.16.1.2, 00:04:04, Serial1/0
O       10.1.1.0 [110/2] via 172.16.2.253, 00:04:14, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 172.16.2.1, 00:04:04, FastEthernet0/0

On R2 the cost to the 10.1.2.0 subnet is 66.

SW2#ping 10.1.2.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/144/204 ms
SW2#ping 10.1.2.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/119/160 ms

Log in to the router and shut down the primary link's interface.

R4(config)#int s1/0
R4(config-if)#shutdown
R4(config-if)#
*Nov 30 22:36:09.703: %OSPF-5-ADJCHG: Process 10, Nbr 172.16.2.2 on Serial1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Nov 30 22:36:11.591: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 20 state Active -> Speak
*Nov 30 22:36:11.675: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
*Nov 30 22:36:11.675: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
*Nov 30 22:36:12.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
*Nov 30 22:36:21.591: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 20 state Speak -> Standby

R2#
*Nov 30 22:36:41.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
*Nov 30 22:36:41.443: %OSPF-5-ADJCHG: Process 10, Nbr 172.16.3.2 on Serial1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Nov 30 22:36:44.035: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
R2#
*Nov 30 22:36:54.035: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby

The HSRP active router has changed.

R2#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Pri P State   Active          Standby         Virtual IP
Fa0/0       10  90  P Standby 172.16.2.1      local           172.16.2.254

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA    172.16.1.4/30 [110/11112] via 172.16.2.1, 00:00:32, FastEthernet0/0
C       172.16.2.0/24 is directly connected, FastEthernet0/0
O IA    172.16.3.0/24 [110/11113] via 172.16.2.1, 00:00:32, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.2.0 [110/11114] via 172.16.2.1, 00:00:32, FastEthernet0/0
O       10.1.1.0 [110/2] via 172.16.2.253, 00:00:32, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 172.16.2.1, 00:00:32, FastEthernet0/0

R2's cost to the 10.1.2.0 subnet is now 11114, which shows that traffic is going through the tunnel.
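The costs in these routing tables follow from the default OSPF interface costs, as this added Python example (not part of the original post) reproduces: with the 100 Mbit/s reference bandwidth a Serial link costs 64, a GRE tunnel (default bandwidth 9 kbit/s) costs 11111 and a FastEthernet or VLAN interface costs 1, so the leased-line path from SW2 to 10.1.2.0/24 costs 67 and the tunnel path 11114. The hop lists follow the page's topology; the bandwidth defaults are the classic IOS ones, and the last function computes how large a `bandwidth` one could set on Tunnel1 before the tunnel would stop being a pure backup.

```python
# Added example, not from the original post: reproduce the OSPF costs the page's
# routing tables report (67 over the leased line, 11114 through the GRE tunnel)
# from the default IOS interface bandwidths. Bandwidth defaults are the classic
# IOS ones for these interface types; the hop lists follow the page's topology.
REF_BW_KBPS = 100_000              # OSPF default reference bandwidth: 100 Mbit/s

# Default 'bandwidth' (kbit/s) for the interface types used in the lab.
DEFAULT_BW = {"FastEthernet": 100_000, "Vlan": 100_000, "Serial": 1_544, "Tunnel": 9}


def ospf_cost(bandwidth_kbps, ref_kbps=REF_BW_KBPS):
    """IOS: cost = reference bandwidth / interface bandwidth, truncated, minimum 1."""
    return max(1, ref_kbps // bandwidth_kbps)


def iface_cost(name):
    """Cost of an interface from its type prefix, e.g. 'Tunnel1' -> 11111."""
    return ospf_cost(DEFAULT_BW[name.rstrip("0123456789/.")])


def path_cost(hops):
    """OSPF sums the egress-interface cost at every router along the path."""
    return sum(iface_cost(iface) for _, iface in hops)


# Candidate paths from SW2 (10.1.1.0/24) to 10.1.2.0/24 on SW1: (router, egress interface).
PRIMARY = [("SW2", "Vlan10"), ("R2", "Serial1/0"), ("R4", "FastEthernet0/0"), ("SW1", "Vlan40")]
TUNNEL = [("SW2", "Vlan10"), ("R1", "Tunnel1"), ("R3", "FastEthernet0/0"), ("SW1", "Vlan40")]


def best_path(paths, down=frozenset()):
    """Lowest-cost path that avoids every (router, interface) hop listed as down."""
    alive = [p for p in paths if not any(hop in down for hop in p)]
    return min(alive, key=path_cost) if alive else None


def max_tunnel_bandwidth_kbps(primary=PRIMARY, tunnel=TUNNEL):
    """Largest 'bandwidth' one could configure on the tunnel before its path cost
    drops to the leased line's (equal cost would load-share, not back up)."""
    other_hops = sum(iface_cost(i) for _, i in tunnel if not i.startswith("Tunnel"))
    min_tunnel_cost = path_cost(primary) - other_hops + 1
    return REF_BW_KBPS // min_tunnel_cost


if __name__ == "__main__":
    print("leased line:", path_cost(PRIMARY), "tunnel:", path_cost(TUNNEL))
    failed = {("R4", "Serial1/0"), ("R2", "Serial1/0")}     # the shutdown in the test above
    print("after the Serial link is down:", best_path([PRIMARY, TUNNEL], failed))
    print("tunnel stays a pure backup up to", max_tunnel_bandwidth_kbps(), "kbit/s")
```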

SW2#ping 10.1.2.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/178/232 ms
SW2#ping 10.1.2.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/174/208 ms

The VPN link has come up.

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
211.1.1.2       211.1.1.1       QM_IDLE           1002    0 ACTIVE
IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa
interface: Tunnel1
    Crypto map tag: map1, local addr 211.1.1.1
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   current_peer 211.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
    #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

49 packets have been encrypted.

     local crypto endpt.: 211.1.1.1, remote crypto endpt.: 211.1.1.2
     path mtu 1472, ip mtu 1472, ip mtu idb Tunnel1
     current outbound spi: 0x9F5AB1DA(2673521114)
     inbound esp sas:
      spi: 0x2F5C5100(794579200)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4470831/2731)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
      spi: 0xCAD7ADBF(3403132351)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4470831/2730)
        replay detection support: Y
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x9F5AB1DA(2673521114)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4470831/2730)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
      spi: 0xCB251438(3408204856)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4470831/2729)
        replay detection support: Y
        Status: ACTIVE
     outbound pcp sas:

Now log back in to the router and bring the interface up again.

R4(config-if)#no shutdown
R4(config-if)#
*Nov 30 22:39:11.935: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Nov 30 22:39:11.935: %ENTITY_ALARM-6-INFO: CLEAR INFO Se1/0 Physical Port Administrative State Down
*Nov 30 22:39:12.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
*Nov 30 22:39:13.899: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 20 state Standby -> Active
R4(config-if)#
*Nov 30 22:39:22.103: %OSPF-5-ADJCHG: Process 10, Nbr 172.16.2.2 on Serial1/0 from LOADING to FULL, Loading Done
R4(config-if)#

Send traffic again.

SW2#ping 211.1.1.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/104/140 ms

No VPN encryption is used now; the data is forwarded over the primary link, and the encrypted-packet counters below have not moved.

R1#sh crypto ipsec sa
interface: Tunnel1
    Crypto map tag: map1, local addr 211.1.1.1
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   current_peer 211.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
    #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 211.1.1.1, remote crypto endpt.: 211.1.1.2
     path mtu 1472, ip mtu 1472, ip mtu idb Tunnel1
     current outbound spi: 0x9F5AB1DA(2673521114)
     inbound esp sas:
      spi: 0x2F5C5100(794579200)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4470831/2631)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
      spi: 0xCAD7ADBF(3403132351)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4470831/2629)
        replay detection support: Y
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x9F5AB1DA(2673521114)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4470831/2629)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
      spi: 0xCB251438(3408204856)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4470831/2629)
        replay detection support: Y
        Status: ACTIVE
     outbound pcp sas:

When an internal host accesses an Internet host, no encryption takes place; address translation is performed instead.

SW2#ping 211.1.1.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/90/152 ms

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 211.1.1.1:76      10.1.1.1:76        211.1.1.2:76       211.1.1.2:76
icmp 211.1.1.1:77      10.1.1.1:77        211.1.1.2:77       211.1.1.2:77
