Introduction
A GRE over IPsec tunnel with OSPF running across it, so that traffic between company headquarters (HQ) and the branch travels through the VPN tunnel, and the multicast stream reaches the branch through the same tunnel.
Topology diagram
Address allocation
HQ

| Terminal/Server | IP address | Gateway | Multicast group IP | Multicast group MAC |
| --- | --- | --- | --- | --- |
| PC1 | 10.0.1.1 | 10.0.1.254 | | |
| PC2 | 10.0.2.1 | 10.0.2.254 | | |
| PC3 | 10.0.3.1 | 10.0.3.254 | | |
| PC4 | 10.0.4.1 | 10.0.4.254 | | |
| PC5 | 10.0.5.1 | 10.0.5.254 | | |
| PC6 | 10.0.6.1 | 10.0.6.254 | | |
| PC7 | 10.0.7.1 | 10.0.7.254 | | |
| MCS1 | 172.16.1.1 | 172.16.1.2 | 239.1.1.1 | 01-00-5E-01-01-01 |

Branch

| Terminal/Server | IP address | Gateway | Multicast group IP | Multicast group MAC |
| --- | --- | --- | --- | --- |
| PC8 | 192.168.1.1 | 192.168.1.254 | | |
| PC9 | 192.168.2.1 | 192.168.2.254 | | |
Basic configuration
LSW3:
#
vlan batch 10 20
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
#
interface Ethernet0/0/4
port link-type access
port default vlan 20
LSW4:
#
vlan batch 30 40
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30 40
#
interface Ethernet0/0/3
port link-type access
port default vlan 30
#
interface Ethernet0/0/4
port link-type access
port default vlan 40
LSW6:
#
vlan batch 50 60
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface Ethernet0/0/3
port link-type access
port default vlan 50
#
interface Ethernet0/0/4
port link-type access
port default vlan 60
LSW5:
#
vlan batch 70
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 70
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 70
#
interface Ethernet0/0/3
port link-type access
port default vlan 70
LSW1:
#
vlan batch 10 20 30 40 50 60 70 102
#
interface Vlanif10
ip address 10.0.1.10 255.255.255.0
#
interface Vlanif20
ip address 10.0.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.0.3.10 255.255.255.0
#
interface Vlanif40
ip address 10.0.4.10 255.255.255.0
#
interface Vlanif50
ip address 10.0.5.11 255.255.255.0
#
interface Vlanif60
ip address 10.0.6.11 255.255.255.0
#
interface Vlanif70
ip address 10.0.7.11 255.255.255.0
#
interface Vlanif102
ip address 10.0.102.2 255.255.255.0
#
interface Eth-Trunk1
mode lacp-static
trunkport g0/0/7
trunkport g0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 70
LSW2:
#
vlan batch 10 20 30 40 50 60 70 101
#
interface Vlanif10
ip address 10.0.1.11 255.255.255.0
#
interface Vlanif20
ip address 10.0.2.11 255.255.255.0
#
interface Vlanif30
ip address 10.0.3.11 255.255.255.0
#
interface Vlanif40
ip address 10.0.4.11 255.255.255.0
#
interface Vlanif50
ip address 10.0.5.10 255.255.255.0
#
interface Vlanif60
ip address 10.0.6.10 255.255.255.0
#
interface Vlanif70
ip address 10.0.7.10 255.255.255.0
#
interface Vlanif101
ip address 10.0.101.2 255.255.255.0
#
interface Eth-Trunk1
mode lacp-static
trunkport g0/0/7
trunkport g0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 70
LSW8:
#
vlan batch 100 to 103
#
interface Eth-Trunk1
mode lacp-static
trunkport g0/0/1
trunkport g0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Eth-Trunk2
mode lacp-static
trunkport g0/0/2
trunkport g0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 103
#
interface Vlanif100
ip address 10.0.10.2 255.255.255.0
#
interface Vlanif101
ip address 10.0.101.1 255.255.255.0
#
interface Vlanif102
ip address 10.0.102.1 255.255.255.0
#
interface Vlanif103
ip address 172.16.1.2 255.255.255.0
AR1:
#
interface GigabitEthernet0/0/0
ip address 10.0.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.100.100.1 255.255.255.0
AR3:
#
interface GigabitEthernet0/0/0
ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 200.100.101.1 255.255.255.0
AR2:
#
interface GigabitEthernet0/0/1
ip address 200.100.100.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 200.100.101.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 200.100.101.1
ip route-static 0.0.0.0 0.0.0.0 200.100.100.1
LSW9:
#
vlan batch 10 20 100
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.254 255.255.255.0
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
VRRP configuration
Inside HQ, VRRP on LSW1 and LSW2 provides gateway redundancy: LSW1 is master for PC1-PC4 (VLANs 10-40, priority 105) and LSW2 for PC5-PC7 (VLANs 50-70, priority 105); both track their Eth-Trunk1 uplink. The track lowers the priority by 10 by default (105 to 95), below the peer's default of 100, so the master role moves to the other switch when the uplink fails. No VRRP authentication is configured here.
LSW1:
#
interface Vlanif10
vrrp vrid 1 virtual-ip 10.0.1.254
vrrp vrid 1 priority 105
vrrp vrid 1 track interface Eth-Trunk1
#
interface Vlanif20
vrrp vrid 2 virtual-ip 10.0.2.254
vrrp vrid 2 priority 105
vrrp vrid 2 track interface Eth-Trunk1
#
interface Vlanif30
vrrp vrid 3 virtual-ip 10.0.3.254
vrrp vrid 3 priority 105
vrrp vrid 3 track interface Eth-Trunk1
#
interface Vlanif40
vrrp vrid 4 virtual-ip 10.0.4.254
vrrp vrid 4 priority 105
vrrp vrid 4 track interface Eth-Trunk1
#
interface Vlanif50
vrrp vrid 5 virtual-ip 10.0.5.254
vrrp vrid 5 track interface Eth-Trunk1
#
interface Vlanif60
vrrp vrid 6 virtual-ip 10.0.6.254
vrrp vrid 6 track interface Eth-Trunk1
#
interface Vlanif70
vrrp vrid 7 virtual-ip 10.0.7.254
vrrp vrid 7 track interface Eth-Trunk1
LSW2:
#
interface Vlanif10
vrrp vrid 1 virtual-ip 10.0.1.254
vrrp vrid 1 track interface Eth-Trunk1
#
interface Vlanif20
vrrp vrid 2 virtual-ip 10.0.2.254
vrrp vrid 2 track interface Eth-Trunk1
#
interface Vlanif30
vrrp vrid 3 virtual-ip 10.0.3.254
vrrp vrid 3 track interface Eth-Trunk1
#
interface Vlanif40
vrrp vrid 4 virtual-ip 10.0.4.254
vrrp vrid 4 track interface Eth-Trunk1
#
interface Vlanif50
vrrp vrid 5 virtual-ip 10.0.5.254
vrrp vrid 5 priority 105
vrrp vrid 5 track interface Eth-Trunk1
#
interface Vlanif60
vrrp vrid 6 virtual-ip 10.0.6.254
vrrp vrid 6 priority 105
vrrp vrid 6 track interface Eth-Trunk1
#
interface Vlanif70
vrrp vrid 7 virtual-ip 10.0.7.254
vrrp vrid 7 priority 105
vrrp vrid 7 track interface Eth-Trunk1
Dynamic NAT
Basic ACL 2000 with `rule 5 permit` matches every source address. That is enough for the lab, but in production restrict it to the internal prefixes (for example `rule 5 permit source 10.0.0.0 0.255.255.255`) so that only LAN traffic is translated.
AR1:
#
acl number 2000
rule 5 permit
#
nat address-group 1 200.100.100.3 200.100.100.4
#
interface GigabitEthernet0/0/1
nat outbound 2000 address-group 1
AR3:
#
acl number 2000
rule 5 permit
#
nat address-group 1 200.100.101.5 200.100.101.5
#
interface GigabitEthernet0/0/2
nat outbound 2000 address-group 1
GRE over IPsec tunnel
The two tunnel endpoints must be able to ping each other, so a default route is configured on both routers. The IKE and IPsec proposals below are created but left at their defaults; on the eNSP AR image those defaults are DES-CBC, SHA-1 and DH group 1 for IKE and DES with MD5 for ESP, the peer is IKEv1, and `pre-shared-key simple` stores the key in plaintext in the configuration. Acceptable for a lab, but for production set explicit algorithms (`encryption-algorithm aes-cbc-256`, `authentication-algorithm sha2-256` and `dh group14` in the IKE proposal; `esp encryption-algorithm aes-256` and `esp authentication-algorithm sha2-256` in the IPsec proposal) and use `pre-shared-key cipher`.
AR1: // the IKE proposal and IPsec proposal are left at their defaults
#
ip route-static 0.0.0.0 0.0.0.0 200.100.100.2
#
ipsec proposal 1
#
ike proposal 1
#
ike peer to_fenbu v1
pre-shared-key simple huawei@123
ike-proposal 1
#
ipsec profile 1
ike-peer to_fenbu
proposal 1
#
interface Tunnel0/0/0
ip address 10.0.20.1 255.255.255.0
tunnel-protocol gre
source 200.100.100.1
destination 200.100.101.1
ipsec profile 1
AR3: // the IKE proposal and IPsec proposal are left at their defaults
#
ip route-static 0.0.0.0 0.0.0.0 200.100.101.2
#
ipsec proposal 1
#
ike proposal 1
#
ike peer to_zongbu v1
pre-shared-key simple huawei@123
ike-proposal 1
#
ipsec profile 1
ike-peer to_zongbu
proposal 1
#
interface Tunnel0/0/0
ip address 10.0.20.2 255.255.255.0
tunnel-protocol gre
source 200.100.101.1
destination 200.100.100.1
ipsec profile 1
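The audit script below is an added example and is not part of the original article or the author's configuration. It re-types the AR1 NAT and GRE-over-IPsec configuration from the sections above as constructed sample input, parses it the way VRP displays it (`#`-separated blocks with indented child commands), and reports the points a security review would raise: IKEv1, a plaintext `simple` pre-shared key, a short key, proposals that fall back to platform defaults, and a NAT ACL that matches every source. The default algorithm values are what `display ike proposal` / `display ipsec proposal` show on the eNSP AR (V200R003) image and should be confirmed on your own image; the hardened variant (AES-256, SHA2-256, DH group 14, IKEv2, `pre-shared-key cipher` with a constructed key) is the reviewer's suggested baseline, not a configuration from the article.

```python
"""Audit a Huawei VRP configuration for weak VPN and NAT settings (added example).

Parses VRP config text into '#'-separated blocks and flags IKEv1, plaintext or
short pre-shared keys, weak/default IKE and ESP algorithm suites, and NAT ACLs
that match every source. Defaults below are those of the eNSP AR V200R003 image.
"""
import re

# Constructed copy of the article's AR1 configuration (only the audited blocks)
SAMPLE_AR1 = """\
acl number 2000
 rule 5 permit
#
interface GigabitEthernet0/0/1
 nat outbound 2000 address-group 1
#
ipsec proposal 1
#
ike proposal 1
#
ike peer to_fenbu v1
 pre-shared-key simple huawei@123
 ike-proposal 1
"""

# Reviewer's hardened variant; the pre-shared key is a constructed placeholder
HARDENED_AR1 = """\
acl number 2000
 rule 5 permit source 10.0.0.0 0.255.255.255
#
interface GigabitEthernet0/0/1
 nat outbound 2000 address-group 1
#
ipsec proposal 1
 esp encryption-algorithm aes-256
 esp authentication-algorithm sha2-256
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha2-256
 dh group14
#
ike peer to_fenbu v2
 pre-shared-key cipher Ks9v!Tq2#mWz7bLr4Dn8
 ike-proposal 1
"""

WEAK_ENC = {"des", "des-cbc", "3des", "3des-cbc"}
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {"group1", "group2", "group5"}
# Values VRP applies when a proposal sets nothing explicitly (V200R003 defaults)
IKE_DEFAULTS = {"encryption-algorithm": "des-cbc", "authentication-algorithm": "sha1", "dh": "group1"}
ESP_DEFAULTS = {"esp encryption-algorithm": "des", "esp authentication-algorithm": "md5"}


def parse_sections(text):
    """Split VRP config into (header, [indented child commands]); '#' separates blocks."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def setting(body, keyword, defaults):
    """Explicit value of `keyword` in a block, or the platform default when unset."""
    for cmd in body:
        if cmd.startswith(keyword + " "):
            return cmd[len(keyword) + 1:].split()[0]
    return defaults[keyword]


def audit(text):
    """Return a list of human-readable findings for one device configuration."""
    findings, acls, nat_acls = [], {}, set()
    for header, body in parse_sections(text):
        w = header.split()
        if w[:2] == ["ike", "peer"]:
            name = w[2]
            if w[-1] == "v1":
                findings.append(f"ike peer {name}: IKEv1 in use; prefer `ike peer {name} v2`")
            for cmd in body:
                m = re.match(r"pre-shared-key (simple|cipher) (\S+)", cmd)
                if m and m.group(1) == "simple":
                    findings.append(f"ike peer {name}: pre-shared key stored in plaintext; use `pre-shared-key cipher`")
                if m and len(m.group(2)) < 16:
                    findings.append(f"ike peer {name}: pre-shared key is only {len(m.group(2))} characters")
        elif w[:2] == ["ike", "proposal"]:
            enc, auth, dh = (setting(body, k, IKE_DEFAULTS) for k in IKE_DEFAULTS)
            if enc in WEAK_ENC or auth in WEAK_AUTH or dh in WEAK_DH:
                findings.append(f"ike proposal {w[2]}: weak suite {enc}/{auth}/{dh}; set aes-cbc-256, sha2-256, group14")
        elif w[:2] == ["ipsec", "proposal"]:
            enc, auth = (setting(body, k, ESP_DEFAULTS) for k in ESP_DEFAULTS)
            if enc in WEAK_ENC or auth in WEAK_AUTH:
                findings.append(f"ipsec proposal {w[2]}: weak ESP suite {enc}/{auth}; set aes-256 and sha2-256")
        elif w[:2] == ["acl", "number"]:
            acls[w[2]] = body
        elif w[0] == "interface":
            nat_acls.update(m.group(1) for m in (re.match(r"nat outbound (\d+)", c) for c in body) if m)
    for acl in sorted(nat_acls):
        for rule in acls.get(acl, []):
            if rule.startswith("rule") and "permit" in rule and "source" not in rule:
                findings.append(f"acl {acl}: `{rule}` matches every source, so NAT applies to all traffic; restrict it to the LAN prefix")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_AR1):
        print("-", line)
    print("hardened findings:", audit(HARDENED_AR1))
```

Run against the article's configuration it reports six findings; against the hardened variant it reports none. Extend `IKE_DEFAULTS`/`ESP_DEFAULTS` if your VRP release ships different defaults, since an unset proposal is only as strong as what the platform silently fills in.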
OSPF configuration
AR1 and AR3 each redistribute their static default into area 0 with `default-route-advertise`, so every router also learns a second default as an OSPF external route. On AR1 and AR3 the static default (preference 60) stays preferred over the OSPF external one (preference 150); this is what keeps the tunnel endpoints 200.100.100.1 and 200.100.101.1 reachable over the physical uplink rather than through the tunnel itself.
LSW1:
#
ospf 1 router-id 3.3.3.3
import-route direct
area 0.0.0.0
network 10.0.102.2 0.0.0.0
LSW2:
#
ospf 1 router-id 4.4.4.4
import-route direct
area 0.0.0.0
network 10.0.101.2 0.0.0.0
LSW8:
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.0.10.0 0.0.0.255
network 10.0.101.1 0.0.0.0
network 10.0.102.1 0.0.0.0
network 172.16.1.2 0.0.0.0
AR1:
#
ospf 1 router-id 1.1.1.1
default-route-advertise
area 0.0.0.0
network 10.0.10.0 0.0.0.255
network 10.0.20.0 0.0.0.255
AR3:
#
ospf 1 router-id 5.5.5.5
default-route-advertise
area 0.0.0.0
network 10.0.20.2 0.0.0.0
network 192.168.10.2 0.0.0.0
LSW9:
#
ospf 1 router-id 6.6.6.6
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.10.1 0.0.0.0
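An added example, not from the original article: because AR1 and AR3 both inject a default route into area 0, each router holds two defaults, the static one and the OSPF external one learned through the tunnel. The script below reproduces VRP route selection (longest prefix first, then lowest protocol preference: Direct 0, OSPF 10, Static 60, O_ASE 150) over a constructed approximation of AR1's routing table and checks that the tunnel destination 200.100.101.1 is never resolved through Tunnel0/0/0; it also shows what happens if the static default were removed. The route entries and interface names are assumptions built from the AR1, AR3 and LSW9 configs above, not output captured from the lab.

```python
"""Recursive-routing check for the GRE tunnel endpoints (added example).

AR1 and AR3 both run `default-route-advertise`, so AR1 holds two default
routes: its static one (VRP preference 60) and an O_ASE one learned via the
tunnel (preference 150). The tunnel's outer destination must resolve through
the physical uplink, never through the tunnel itself, or the tunnel flaps.
"""
import ipaddress

# Huawei VRP default protocol preferences; lower wins after longest-prefix match
PREFERENCE = {"Direct": 0, "OSPF": 10, "Static": 60, "O_ASE": 150}

TUNNEL_IF = "Tunnel0/0/0"
TUNNEL_DST = "200.100.101.1"   # AR1 `destination` under interface Tunnel0/0/0

# (prefix, protocol, outgoing interface): constructed from the AR1/AR3/LSW9 configs
AR1_ROUTES = [
    ("10.0.10.0/24", "Direct", "GigabitEthernet0/0/0"),
    ("200.100.100.0/24", "Direct", "GigabitEthernet0/0/1"),
    ("10.0.20.0/24", "Direct", TUNNEL_IF),
    ("192.168.1.0/24", "OSPF", TUNNEL_IF),            # LSW9 `network` statements, intra-area
    ("192.168.2.0/24", "OSPF", TUNNEL_IF),
    ("0.0.0.0/0", "Static", "GigabitEthernet0/0/1"),  # ip route-static 0.0.0.0 0.0.0.0 200.100.100.2
    ("0.0.0.0/0", "O_ASE", TUNNEL_IF),                # AR3's default-route-advertise, seen via the tunnel
]


def select_route(routes, destination):
    """Active route for `destination`: longest prefix, then lowest preference."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, proto, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -PREFERENCE[proto])   # longer prefix, then lower preference
        if best is None or key > best[0]:
            best = (key, {"prefix": prefix, "protocol": proto, "interface": iface})
    return None if best is None else best[1]


def tunnel_is_recursive(routes, tunnel_iface=TUNNEL_IF, tunnel_dst=TUNNEL_DST):
    """True when the tunnel endpoint would be reached through the tunnel itself."""
    chosen = select_route(routes, tunnel_dst)
    return chosen is not None and chosen["interface"] == tunnel_iface


def without_protocol(routes, proto):
    """Routing table with one protocol's entries removed, e.g. a deleted static default."""
    return [r for r in routes if r[1] != proto]


if __name__ == "__main__":
    print("route to tunnel destination:", select_route(AR1_ROUTES, TUNNEL_DST))
    print("recursive as configured?", tunnel_is_recursive(AR1_ROUTES))
    print("recursive without the static default?",
          tunnel_is_recursive(without_protocol(AR1_ROUTES, "Static")))
```

As configured, 200.100.101.1 resolves via the static default out GigabitEthernet0/0/1. Delete that static route (or raise its preference above 150) and the only remaining default points into Tunnel0/0/0, so the tunnel would try to carry its own encapsulated packets; on the real devices this shows up as the tunnel and the OSPF adjacency repeatedly going up and down.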
Multicast configuration
Only the senior-management VLAN (VLAN 70, PC7) and the branch are configured to receive the multicast server's stream: IGMP is enabled on those Vlanif interfaces, and PIM-DM runs on every hop between the source (LSW8 Vlanif103) and the receivers, including both ends of the GRE tunnel.
LSW8:
#
multicast routing-enable
#
interface Vlanif100
pim dm
#
interface Vlanif101
pim dm
#
interface Vlanif102
pim dm
#
interface Vlanif103
pim dm
LSW2:
#
multicast routing-enable
#
interface Vlanif70
pim dm
igmp enable
#
interface Vlanif101
pim dm
LSW1:
#
multicast routing-enable
#
interface Vlanif70
pim dm
igmp enable
#
interface Vlanif102
pim dm
AR1:
#
multicast routing-enable
#
interface GigabitEthernet0/0/0
pim dm
#
interface Tunnel0/0/0
pim dm
AR3:
#
multicast routing-enable
#
interface GigabitEthernet0/0/0
pim dm
#
interface Tunnel0/0/0
pim dm
LSW9:
#
multicast routing-enable
#
interface Vlanif10
pim dm
igmp enable
#
interface Vlanif20
pim dm
igmp enable
#
interface Vlanif100
pim dm
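An added example, not from the original article, tying the address table's `239.1.1.1 -> 01-00-5E-01-01-01` entry to the multicast configuration above: the code derives the group MAC from the low 23 bits of the group address (RFC 1112) and enumerates the 32 groups that share one MAC, which is why group membership control belongs with IGMP and PIM on the Vlanif interfaces rather than with a layer-2 MAC filter. It generalises beyond 239.1.1.1 to any IPv4 group; the function names are this example's own.

```python
"""IPv4 multicast group -> MAC mapping and its 32:1 aliasing (added example).

RFC 1112 maps the low 23 bits of the group address onto the 01-00-5E OUI and
discards 5 address bits, so 32 groups share each MAC. A layer-2 allow rule
keyed on the MAC for 239.1.1.1 therefore also passes 224.1.1.1 and 30 others.
"""
import ipaddress

MCAST_OUI = (0x01, 0x00, 0x5E)
LOW23 = 0x7FFFFF
MCAST_BASE = 0xE0000000   # 224.0.0.0, the 1110 prefix of every IPv4 group


def group_to_mac(group):
    """Derive the 01-00-5E-xx-xx-xx MAC from an IPv4 multicast group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low = int(addr) & LOW23                      # keep 23 bits, drop bits 23..27
    octets = MCAST_OUI + ((low >> 16) & 0xFF, (low >> 8) & 0xFF, low & 0xFF)
    return "-".join(f"{o:02X}" for o in octets)


def groups_sharing_mac(group):
    """The 32 groups in 224.0.0.0/4 whose low 23 bits equal those of `group`."""
    low = int(ipaddress.IPv4Address(group)) & LOW23
    return [str(ipaddress.IPv4Address(MCAST_BASE | (i << 23) | low)) for i in range(32)]


def mac_filter_is_ambiguous(allowed_group, observed_group):
    """True if a MAC-based allow rule for `allowed_group` also passes `observed_group`."""
    return group_to_mac(allowed_group) == group_to_mac(observed_group)


if __name__ == "__main__":
    print(group_to_mac("239.1.1.1"))             # 01-00-5E-01-01-01, as in the address table
    print(groups_sharing_mac("239.1.1.1")[:4])
    print(mac_filter_is_ambiguous("239.1.1.1", "224.1.1.1"))
```

The same mapping explains why OSPF's 224.0.0.5 appears on the wire as 01-00-5E-00-00-05, and why a switch doing IGMP snooping keys its forwarding state on the group IP inside the IGMP report rather than on the destination MAC alone.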
Testing
HQ internal connectivity: captures on LSW1 G0/0/1 and LSW2 G0/0/1 show that PC1's ICMP requests to PC7 travel through LSW1 while the replies return through LSW2, which is the expected result of LSW1 being VRRP master for VLAN 10 and LSW2 being master for VLAN 70.
Capture on LSW1 G0/0/1
Capture on LSW2 G0/0/1
NAT test: when the internal network reaches the outside, private addresses are translated to 200.100.100.3 from the NAT address pool.
HQ-to-branch test: traffic between HQ and the branch flows through the VPN tunnel, and the payload is encrypted.
Multicast test: start the multicast server and have PC7 (HQ management VLAN) and PC8 (branch) join the group; the video stream reaches the branch in real time through the tunnel.