RIP + BFD + IPSec + router-on-a-stick

Topology diagram

[Image: Huawei-RIP+bfd+IPSec+单臂路由_rip]

IP address plan

| Device | Interface | IP address |
|---|---|---|
| DX | GE0/0/0 | 218.63.0.1/28 |
| DX | GE0/0/1 | 172.16.10.1/28 |
| LT | GE0/0/0 | 221.137.0.1/28 |
| JYW | GE0/0/0 | 210.25.0.1/28 |
| Branch campus (FX) | GE0/0/0 | 172.16.10.2/28 |
| Branch campus (FX) | GE0/0/1 | 192.168.20.1/24 |
| R1 | Vlanif8 | 10.8.0.1/24 |
| R1 | Vlanif10 | 10.10.0.1/24 |
| R1 | GE0/0/0 | 10.21.0.1/30 |
| R1 | GE0/0/1 | 10.13.0.1/30 |
| R2 | GE0/0/0 | 10.21.0.2/30 |
| R2 | GE0/0/1 | 10.24.0.1/30 |
| R2 | GE0/0/2 | 10.100.0.1/24 |
| R3 | Vlanif3 | 10.3.0.1/24 |
| R3 | Vlanif4 | 10.4.0.1/24 |
| R3 | GE0/0/0 | 10.13.0.2/30 |
| R3 | GE0/0/1 | 10.34.0.1/30 |
| R4 | GE0/0/0 | 10.34.0.2/30 |
| R4 | GE0/0/1 | 10.24.0.2/30 |
| R4 | GE4/0/0 | 218.63.0.2/28 |
| R4 | GE4/0/1 | 221.137.0.4/28 |
| R4 | GE4/0/2 | 210.25.0.4/28 |

| Host | VLAN | IP address | Gateway |
|---|---|---|---|
| PC1 | Vlanif10 | 10.10.0.2/24 | 10.10.0.1/24 |
| PC2 | Vlanif8 | 10.8.0.2/24 | 10.8.0.1/24 |
| PC3 | Vlanif3 | 10.3.0.2/24 | 10.3.0.1/24 |
| PC4 | Vlanif4 | 10.4.0.2/24 | 10.4.0.1/24 |
| PC5 | - | 10.100.0.2/24 | 10.100.0.1/24 |
| PC8 | - | 192.168.20.2/24 | 192.168.20.1/24 |

| Device | Loopback interface | IP address |
|---|---|---|
| R1 | loopback 0 | 1.1.1.1/32 |
| R2 | loopback 0 | 2.2.2.2/32 |
| R3 | loopback 0 | 3.3.3.3/32 |
| R4 | loopback 0 | 4.4.4.4/32 |
| DX | loopback 0 | 5.5.5.5/32 |
| LT | loopback 0 | 6.6.6.6/32 |
| JYW | loopback 0 | 7.7.7.7/32 |
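Before typing an address plan like the one above into several devices it is worth checking it mechanically: the two ends of a point-to-point link must share a subnet, every host gateway must be an address some router actually owns, and no address may be assigned twice. The script below is an added example (not part of the original write-up) that performs those three checks with Python's `ipaddress` module. The embedded data is the plan above transcribed by hand, with R2 GE0/0/2 as 10.100.0.1/24 and R3 GE0/0/0 as /30, matching the interface configuration commands that follow; `audit()` returns an empty list when the plan is self-consistent.

```python
"""Consistency audit of the lab's IP address plan.

Added example for this write-up, not part of the original post. The data below is
the address plan from the tables above, transcribed by hand.
"""
import ipaddress
from collections import Counter

# Each point-to-point link: ((device, interface, address/prefix), (device, interface, address/prefix))
LINKS = [
    (("R1", "GE0/0/0", "10.21.0.1/30"), ("R2", "GE0/0/0", "10.21.0.2/30")),
    (("R1", "GE0/0/1", "10.13.0.1/30"), ("R3", "GE0/0/0", "10.13.0.2/30")),
    (("R2", "GE0/0/1", "10.24.0.1/30"), ("R4", "GE0/0/1", "10.24.0.2/30")),
    (("R3", "GE0/0/1", "10.34.0.1/30"), ("R4", "GE0/0/0", "10.34.0.2/30")),
    (("R4", "GE4/0/0", "218.63.0.2/28"), ("DX", "GE0/0/0", "218.63.0.1/28")),
    (("R4", "GE4/0/1", "221.137.0.4/28"), ("LT", "GE0/0/0", "221.137.0.1/28")),
    (("R4", "GE4/0/2", "210.25.0.4/28"), ("JYW", "GE0/0/0", "210.25.0.1/28")),
    (("DX", "GE0/0/1", "172.16.10.1/28"), ("FX", "GE0/0/0", "172.16.10.2/28")),
]

# Router interfaces that act as host gateways: (device, interface, address/prefix)
GATEWAY_INTERFACES = [
    ("R1", "Vlanif10", "10.10.0.1/24"), ("R1", "Vlanif8", "10.8.0.1/24"),
    ("R3", "Vlanif3", "10.3.0.1/24"), ("R3", "Vlanif4", "10.4.0.1/24"),
    ("R2", "GE0/0/2", "10.100.0.1/24"), ("FX", "GE0/0/1", "192.168.20.1/24"),
]

# Hosts: (name, address/prefix, configured gateway)
HOSTS = [
    ("PC1", "10.10.0.2/24", "10.10.0.1"), ("PC2", "10.8.0.2/24", "10.8.0.1"),
    ("PC3", "10.3.0.2/24", "10.3.0.1"), ("PC4", "10.4.0.2/24", "10.4.0.1"),
    ("PC5", "10.100.0.2/24", "10.100.0.1"), ("PC8", "192.168.20.2/24", "192.168.20.1"),
]


def check_links(links):
    """Both ends of a point-to-point link must fall in the same subnet."""
    issues = []
    for (dev_a, if_a, addr_a), (dev_b, if_b, addr_b) in links:
        net_a = ipaddress.ip_interface(addr_a).network
        net_b = ipaddress.ip_interface(addr_b).network
        if net_a != net_b:
            issues.append(f"{dev_a} {if_a} {addr_a} and {dev_b} {if_b} {addr_b}: "
                          f"{net_a} != {net_b}")
    return issues


def check_hosts(hosts, gateway_interfaces):
    """A host's gateway must be owned by a router and must share the host's subnet."""
    owned = {str(ipaddress.ip_interface(addr).ip) for _, _, addr in gateway_interfaces}
    issues = []
    for host, addr, gateway in hosts:
        net = ipaddress.ip_interface(addr).network
        if gateway not in owned:
            issues.append(f"{host}: gateway {gateway} is not configured on any router")
        elif ipaddress.ip_address(gateway) not in net:
            issues.append(f"{host}: gateway {gateway} is outside {net}")
    return issues


def check_duplicates(links, gateway_interfaces, hosts):
    """No address may be assigned to two different interfaces or hosts."""
    addrs = [end[2] for link in links for end in link]
    addrs += [addr for _, _, addr in gateway_interfaces]
    addrs += [addr for _, addr, _ in hosts]
    counts = Counter(str(ipaddress.ip_interface(a).ip) for a in addrs)
    return [f"{ip} assigned {n} times" for ip, n in sorted(counts.items()) if n > 1]


def audit(links=LINKS, gateway_interfaces=GATEWAY_INTERFACES, hosts=HOSTS):
    """Return every inconsistency found; an empty list means the plan is self-consistent."""
    return (check_links(links)
            + check_hosts(hosts, gateway_interfaces)
            + check_duplicates(links, gateway_interfaces, hosts))


if __name__ == "__main__":
    for line in audit() or ["address plan is consistent"]:
        print(line)
```

The checks are deliberately simple: a link whose two ends are entered as /24 and /30 shows up as a subnet mismatch, and a router interface that was given the same address as the PC behind it shows up both as a duplicate and as a host whose gateway no router owns.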

IP address configuration:

R1

[R1]interface LoopBack 0

[R1-LoopBack0]ip address 1.1.1.1 255.255.255.255

[R1]interface GigabitEthernet 0/0/0

[R1-GigabitEthernet0/0/0]ip address 10.21.0.1 255.255.255.252

[R1]interface GigabitEthernet 0/0/1

[R1-GigabitEthernet0/0/1]ip address 10.13.0.1 255.255.255.252


R2

[R2]interface LoopBack 0

[R2-LoopBack0]ip address 2.2.2.2 255.255.255.255

[R2]interface GigabitEthernet 0/0/0

[R2-GigabitEthernet0/0/0]ip address 10.21.0.2 255.255.255.252

[R2]interface GigabitEthernet 0/0/1

[R2-GigabitEthernet0/0/1]ip address 10.24.0.1 255.255.255.252

[R2]interface GigabitEthernet 0/0/2

[R2-GigabitEthernet0/0/2]ip address 10.100.0.1 255.255.255.0


R3

[R3]interface LoopBack 0

[R3-LoopBack0]ip address 3.3.3.3 255.255.255.255

[R3]interface GigabitEthernet 0/0/0

[R3-GigabitEthernet0/0/0]ip address 10.13.0.2 255.255.255.252

[R3]interface GigabitEthernet 0/0/1

[R3-GigabitEthernet0/0/1]ip address 10.34.0.1 255.255.255.252


R4

[R4]interface LoopBack 0

[R4-LoopBack0]ip address 4.4.4.4 255.255.255.255

[R4]interface GigabitEthernet 0/0/0

[R4-GigabitEthernet0/0/0]ip address 10.34.0.2 255.255.255.252

[R4]interface GigabitEthernet 0/0/1

[R4-GigabitEthernet0/0/1]ip address 10.24.0.2 255.255.255.252

[R4]interface GigabitEthernet 4/0/0

[R4-GigabitEthernet4/0/0]ip address 218.63.0.2 255.255.255.240

[R4]interface GigabitEthernet 4/0/1

[R4-GigabitEthernet4/0/1]ip address 221.137.0.4 255.255.255.240

[R4]interface GigabitEthernet 4/0/2

[R4-GigabitEthernet4/0/2]ip address 210.25.0.4 255.255.255.240


DX

[DX]interface LoopBack 0

[DX-LoopBack0]ip address 5.5.5.5 255.255.255.255

[DX]interface GigabitEthernet 0/0/0

[DX-GigabitEthernet0/0/0]ip address 218.63.0.1 255.255.255.240


LT

[LT]interface LoopBack 0

[LT-LoopBack0]ip address 6.6.6.6 255.255.255.255

[LT]interface GigabitEthernet 0/0/0

[LT-GigabitEthernet0/0/0]ip address 221.137.0.1 255.255.255.240

JYW

[JYW]interface LoopBack 0

[JYW-LoopBack0]ip address 7.7.7.7 255.255.255.255

[JYW]interface GigabitEthernet 0/0/0

[JYW-GigabitEthernet0/0/0]ip address 210.25.0.1 255.255.255.240


PC1

[Image: PC1 IP configuration, Huawei-RIP+bfd+IPSec+单臂路由_ipsec_02]

PC2

[Image: PC2 IP configuration, Huawei-RIP+bfd+IPSec+单臂路由_bfd_03]

PC3

[Image: PC3 IP configuration, Huawei-RIP+bfd+IPSec+单臂路由_流策略_04]

PC4

[Image: PC4 IP configuration, Huawei-RIP+bfd+IPSec+单臂路由_rip_05]

PC5

[Image: PC5 IP configuration, Huawei-RIP+bfd+IPSec+单臂路由_单臂路由_06]

PC5 is directly connected to R2 and needs little configuration. PC1 and PC2, however, connect to R1 and PC3 and PC4 to R3, so each of those routers serves two VLANs; R1 and R3 are therefore each configured as a router-on-a-stick (configuration below).

Router-on-a-stick configuration for R1

SW2

[SW2]vlan batch 10 8

[SW2]interface Ethernet 0/0/1

[SW2-Ethernet0/0/1]port link-type trunk

[SW2-Ethernet0/0/1] port trunk allow-pass vlan 8 10

[SW2]interface Ethernet 0/0/2

[SW2-Ethernet0/0/2]port link-type access

[SW2-Ethernet0/0/2]port default vlan 8

[SW2]interface Ethernet 0/0/3

[SW2-Ethernet0/0/3]port link-type access

[SW2-Ethernet0/0/3]port default vlan 10


R1

[R1]interface GigabitEthernet 0/0/2.1

[R1-GigabitEthernet0/0/2.1]ip address 10.10.0.1 255.255.255.0

[R1-GigabitEthernet0/0/2.1]dot1q termination vid 10

[R1-GigabitEthernet0/0/2.1]arp broadcast enable

[R1]interface GigabitEthernet 0/0/2.2

[R1-GigabitEthernet0/0/2.2]ip address 10.8.0.1 255.255.255.0

[R1-GigabitEthernet0/0/2.2]dot1q termination vid 8

[R1-GigabitEthernet0/0/2.2]arp broadcast enable


Router-on-a-stick configuration for R3

SW3

[SW3]vlan batch 3 4

[SW3]interface Ethernet 0/0/1

[SW3-Ethernet0/0/1]port link-type trunk

[SW3-Ethernet0/0/1] port trunk allow-pass vlan 3 4

[SW3]interface Ethernet 0/0/2

[SW3-Ethernet0/0/2]port link-type access

[SW3-Ethernet0/0/2]port default vlan 3

[SW3]interface Ethernet 0/0/3

[SW3-Ethernet0/0/3]port link-type access

[SW3-Ethernet0/0/3]port default vlan 4


R3

[R3]interface GigabitEthernet 0/0/2.1

[R3-GigabitEthernet0/0/2.1]ip address 10.3.0.1 255.255.255.0

[R3-GigabitEthernet0/0/2.1]dot1q termination vid 3

[R3-GigabitEthernet0/0/2.1]arp broadcast enable

[R3]interface GigabitEthernet 0/0/2.2

[R3-GigabitEthernet0/0/2.2]ip address 10.4.0.1 255.255.255.0

[R3-GigabitEthernet0/0/2.2]dot1q termination vid 4

[R3-GigabitEthernet0/0/2.2]arp broadcast enable


RIPv2 and BFD configuration on R1, R2, R3 and R4

R1

[R1]bfd

[R1-bfd]qu

[R1]router id 1.1.1.1

[R1]rip

[R1-rip-1]network 1.0.0.0

[R1-rip-1]network 10.0.0.0

[R1-rip-1]version 2

[R1-rip-1]undo summary

[R1-rip-1]bfd all-interfaces enable

[R1-rip-1] bfd all-interfaces min-rx-interval 10 detect-multiplier 10


R2

[R2]bfd

[R2-bfd]qu

[R2]router id 2.2.2.2

[R2]rip

[R2-rip-1]network 2.0.0.0

[R2-rip-1]network 10.0.0.0

[R2-rip-1]version 2

[R2-rip-1]undo summary

[R2-rip-1]bfd all-interfaces enable

[R2-rip-1] bfd all-interfaces min-rx-interval 10 detect-multiplier 10


R3

[R3]bfd

[R3-bfd]qu

[R3]router id 3.3.3.3

[R3]rip

[R3-rip-1]network 3.0.0.0

[R3-rip-1]network 10.0.0.0

[R3-rip-1]version 2

[R3-rip-1]undo summary

[R3-rip-1]bfd all-interfaces enable

[R3-rip-1] bfd all-interfaces min-rx-interval 10 detect-multiplier 10


R4

[R4]bfd

[R4-bfd]qu

[R4]router id 4.4.4.4

[R4]rip

[R4-rip-1]network 4.0.0.0

[R4-rip-1]network 10.0.0.0

[R4-rip-1]version 2

[R4-rip-1]default-route originate (advertise a default route into RIP)

[R4-rip-1]undo summary

[R4-rip-1]bfd all-interfaces enable

[R4-rip-1] bfd all-interfaces min-rx-interval 10 detect-multiplier 10


Requirements: traffic from PC1 to the Internet must be steered to the China Unicom network (LT), and PC3 must be blocked from reaching the China Telecom network (DX) on working days between 8:00 and 18:00.

R4

Create the ACL for the PC1 policy:

[R4]acl 2000

[R4-acl-basic-2000]rule permit source 10.10.0.2 0

[R4-acl-basic-2000]quit

Create the ACL for the PC3 policy:

[R4]time-range satime 8:00 to 18:00 working-day

[R4]acl 3000

[R4-acl-adv-3000]rule 5 deny ip source 10.3.0.2 0 destination 218.63.0.0 0.0.0.15 time-range satime (wildcard 0.0.0.15 covers the 218.63.0.0/28 DX subnet)

[R4]traffic classifier 1

[R4-classifier-1]if-match acl 2000

[R4]traffic classifier 3

[R4-classifier-3]if-match acl 3000

Create the traffic behaviors on router R4 and configure the redirect:

[R4]traffic behavior 1

[R4-behavior-1]redirect ip-nexthop 221.137.0.1

[R4]traffic behavior 3

[R4-behavior-3]deny

Create the traffic policy and apply it to the interfaces (only the configuration of GigabitEthernet 0/0/0 on R4 is shown):

[R4]traffic policy 1

[R4-trafficpolicy-1]classifier 1 behavior 1

[R4-trafficpolicy-1]classifier 3 behavior 3

[R4]interface GigabitEthernet0/0/0

[R4-GigabitEthernet0/0/0]traffic-policy 1 inbound

[R4]ip route-static 0.0.0.0 0.0.0.0 218.63.0.1 (redistributed into RIP, see the RIP configuration above; needed for the IPSec setup)

[R4]ip route-static 172.16.10.0 28 218.63.0.1 (toward FX)
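The traffic policy above is easy to get subtly wrong, because three things have to line up: the ACL wildcard (Huawei wildcards are inverted, a 0 bit must match), the periodic time-range, and the classifier-to-behavior mapping. The script below is an added example for this write-up (not Huawei code and not part of the original post) that models ACL 2000, ACL 3000 with `time-range satime`, and `traffic policy 1` offline, so the expected outcome for a given source, destination and time can be checked before the policy is applied. The `working-day` keyword is assumed to mean Monday to Friday and the 8:00 to 18:00 window is treated as start-inclusive, end-exclusive; the timestamps and the 203.0.113.10 Internet destination are constructed test values.

```python
"""Offline model of the ACLs, time-range and traffic policy configured on R4.

Added example for this write-up; it is not Huawei code and not part of the
original post. Assumed semantics: `working-day` means Monday to Friday, and
`8:00 to 18:00` is active from 08:00 inclusive to 18:00 exclusive.
"""
from datetime import datetime
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def in_time_range(when, start=(8, 0), end=(18, 0), weekdays=range(5)):
    """Periodic time-range such as `time-range satime 8:00 to 18:00 working-day`."""
    if when.weekday() not in weekdays:          # working-day = Monday..Friday (assumed)
        return False
    minute = when.hour * 60 + when.minute
    return start[0] * 60 + start[1] <= minute < end[0] * 60 + end[1]


# ACL 2000: rule permit source 10.10.0.2 0
def acl_2000(src, dst, when):
    return wildcard_match(src, "10.10.0.2", "0.0.0.0")


# ACL 3000: rule 5 deny ip source 10.3.0.2 0 destination 218.63.0.0 0.0.0.15 time-range satime
def acl_3000(src, dst, when):
    return (wildcard_match(src, "10.3.0.2", "0.0.0.0")
            and wildcard_match(dst, "218.63.0.0", "0.0.0.15")
            and in_time_range(when))


# traffic policy 1: classifier 1 -> behavior 1 (redirect), classifier 3 -> behavior 3 (deny)
POLICY = [
    (acl_2000, ("redirect", "221.137.0.1")),
    (acl_3000, ("deny",)),
]


def apply_policy(src, dst, when, policy=POLICY):
    """Behavior of the first matching classifier; ('forward',) if no classifier matches."""
    for classifier, behavior in policy:
        if classifier(src, dst, when):
            return behavior
    return ("forward",)


def decide(src, dst, when_iso, policy=POLICY):
    """Same as apply_policy, but takes an ISO-8601 timestamp string."""
    return apply_policy(src, dst, datetime.fromisoformat(when_iso), policy)


if __name__ == "__main__":
    tuesday = "2024-01-09T08:54:00"                    # constructed: a working day, 08:54
    print(decide("10.3.0.2", "218.63.0.1", tuesday))   # PC3 -> DX: ('deny',)
    print(decide("10.4.0.2", "218.63.0.1", tuesday))   # PC4 -> DX: ('forward',)
    print(decide("10.10.0.2", "203.0.113.10", tuesday))  # PC1 -> Internet: redirect to LT
```

`wildcard_match` also makes the cost of a wildcard typo visible: a value such as 240.255.255.255 only constrains the low four bits of the first octet, so it matches every 10.x.x.x address (the campus's own networks) while saying nothing useful about the 218.63.0.0/28 prefix the rule is meant to cover; 0.0.0.15 is the wildcard that corresponds to /28.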


DX

[DX]ip route-static 10.0.0.0 8 218.63.0.2


LT

[LT]ip route-static 10.10.0.0 255.255.255.0 221.137.0.4 (return route so that the 10.10.0.0/24 segment is reachable from the 221.137.0.0 network)


Configure an IPSec tunnel using IKE negotiation so that the branch campus network 192.168.20.0/24 can communicate with the main campus network 10.100.0.0/24.


IPSec VPN configuration commands:

Branch campus (device name: FX) configuration

[FX]ip route-static 0.0.0.0 0.0.0.0 172.16.10.1 (toward DX)

[FX]ip route-static 218.63.0.0 28 172.16.10.1 (toward R4)

[FX]acl 3101

[FX-acl-adv-3101]rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 10.100.0.0 0.0.0.255

[FX]ipsec proposal tranl

[FX-ipsec-proposal-tranl]esp authentication-algorithm sha2-256

[FX-ipsec-proposal-tranl]esp encryption-algorithm aes-128

[FX]ike proposal 5

[FX-ike-proposal-5]encryption-algorithm aes-cbc-128

[FX-ike-proposal-5]authentication-algorithm sha1

[FX-ike-proposal-5]dh group14

[FX]ike peer spub v1

[FX-ike-peer-spub]pre-shared-key cipher huawei@123

[FX-ike-peer-spub]ike-proposal 5

[FX-ike-peer-spub]remote-address 218.63.0.2

[FX]ipsec policy map1 10 isakmp

[FX-ipsec-policy-isakmp-map1-10]security acl 3101

[FX-ipsec-policy-isakmp-map1-10]ike-peer spub

[FX-ipsec-policy-isakmp-map1-10]proposal tranl

[FX]interface GigabitEthernet0/0/0

[FX-GigabitEthernet0/0/0]ipsec policy map1


R4 configuration:

[R4]acl 3101

[R4-acl-adv-3101]rule 5 permit ip source 10.100.0.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

[R4]ipsec proposal tranl

[R4-ipsec-proposal-tranl]esp authentication-algorithm sha2-256

[R4-ipsec-proposal-tranl]esp encryption-algorithm aes-128

[R4]ike proposal 5

[R4-ike-proposal-5]encryption-algorithm aes-cbc-128

[R4-ike-proposal-5]authentication-algorithm sha1

[R4-ike-proposal-5]dh group14

[R4]ike peer spua v1

[R4-ike-peer-spua]pre-shared-key cipher huawei@123

[R4-ike-peer-spua]ike-proposal 5

[R4-ike-peer-spua]remote-address 172.16.10.2

[R4]ipsec policy use1 10 isakmp

[R4-ipsec-policy-isakmp-use1-10]security acl 3101

[R4-ipsec-policy-isakmp-use1-10]ike-peer spua

[R4-ipsec-policy-isakmp-use1-10]proposal tranl

[R4]interface GigabitEthernet 4/0/0 (the WAN interface toward DX, 218.63.0.2, which FX's ike peer points at)

[R4-GigabitEthernet4/0/0]ipsec policy use1
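An IKE-negotiated tunnel only comes up when the two ends agree: each peer's `remote-address` must be the other's WAN address, the IKE and IPSec proposals, IKE version and pre-shared key must be identical, and the two security ACLs must be exact mirror images (FX's source/destination swapped on R4), otherwise phase 2 fails with a proxy-ID mismatch. The script below is an added example for this write-up (not Huawei code and not part of the original post) that transcribes the FX and R4 commands above into two dictionaries and checks those conditions; it also flags algorithms that are deprecated for new deployments, which here catches `authentication-algorithm sha1` in the IKE proposal (SHA-2, already used for ESP, is the usual replacement). The weak-algorithm list is this example's own.

```python
"""Cross-check the two ends of the FX <-> R4 IPSec tunnel for mirror consistency.

Added example for this write-up, not Huawei code and not part of the original
post. The two dictionaries transcribe the commands shown above; the WEAK set is
this example's own list of algorithms deprecated for new deployments.
"""
import ipaddress

FX = {
    "name": "FX",
    "wan_address": "172.16.10.2",          # GE0/0/0, where `ipsec policy map1` is applied
    "remote_address": "218.63.0.2",        # ike peer spub
    "acl": [("192.168.20.0", "0.0.0.255", "10.100.0.0", "0.0.0.255")],  # acl 3101 rule 5
    "ipsec_proposal": {"esp-auth": "sha2-256", "esp-enc": "aes-128"},
    "ike_proposal": {"enc": "aes-cbc-128", "auth": "sha1", "dh": "group14"},
    "ike_version": "v1",
    "psk": "huawei@123",
}

R4 = {
    "name": "R4",
    "wan_address": "218.63.0.2",           # GE4/0/0 toward DX
    "remote_address": "172.16.10.2",       # ike peer spua
    "acl": [("10.100.0.0", "0.0.0.255", "192.168.20.0", "0.0.0.255")],  # acl 3101 rule 5
    "ipsec_proposal": {"esp-auth": "sha2-256", "esp-enc": "aes-128"},
    "ike_proposal": {"enc": "aes-cbc-128", "auth": "sha1", "dh": "group14"},
    "ike_version": "v1",
    "psk": "huawei@123",
}

WEAK = {"md5", "sha1", "des", "3des", "group1", "group2", "group5"}


def acl_network(base, wildcard):
    """Turn a Huawei `address wildcard` pair into a prefix (wildcard bits are inverted)."""
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{base}/{ipaddress.ip_address(mask)}", strict=False)


def flows(peer):
    """Set of (source, destination) networks protected by the peer's security ACL."""
    return {(acl_network(s, sw), acl_network(d, dw)) for s, sw, d, dw in peer["acl"]}


def check_pair(a, b):
    """Return the mismatches that would stop IKE/IPSec negotiation between a and b."""
    issues = []
    if a["remote_address"] != b["wan_address"]:
        issues.append(f"{a['name']} remote-address {a['remote_address']} "
                      f"is not {b['name']}'s WAN address {b['wan_address']}")
    if b["remote_address"] != a["wan_address"]:
        issues.append(f"{b['name']} remote-address {b['remote_address']} "
                      f"is not {a['name']}'s WAN address {a['wan_address']}")
    for key in ("ipsec_proposal", "ike_proposal", "ike_version", "psk"):
        if a[key] != b[key]:
            issues.append(f"{key} differs between {a['name']} and {b['name']}")
    mirrored = {(dst, src) for src, dst in flows(b)}   # what a must protect, seen from b
    if flows(a) != mirrored:
        issues.append("security ACLs are not mirror images")
    return issues


def weak_algorithms(peer):
    """Deprecated algorithms used in the peer's IKE or IPSec proposal."""
    used = list(peer["ike_proposal"].values()) + list(peer["ipsec_proposal"].values())
    return sorted(alg for alg in used if alg in WEAK)


if __name__ == "__main__":
    print(check_pair(FX, R4) or "FX and R4 are consistent")
    print("weak algorithms on FX:", weak_algorithms(FX))
```

Running it against the configuration above reports no mismatch and lists `sha1`; changing a single wildcard on one side (for example 0.0.0.127 instead of 0.0.0.255) is enough for the ACL mirror check to fail, which is exactly the situation that shows up on the router as an SA that never establishes.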

Results after configuration:

It is now Tuesday (a working day), 8:54. PC3 cannot reach 218.63.0.1 on router DX (blocked by the traffic policy), while PC4, which has no traffic policy applied, reaches it normally.

[Image: Huawei-RIP+bfd+IPSec+单臂路由_rip_07]

IPSec VPN: PC8 and PC5 reach each other

PC8 reaches PC5; trace from PC8 to PC5 (tracert command)

[Image: Huawei-RIP+bfd+IPSec+单臂路由_rip_08]

Packet capture:

[Image: Huawei-RIP+bfd+IPSec+单臂路由_rip_09]

Router-on-a-stick results:

PC1 and PC2 reach each other:

[Image: Huawei-RIP+bfd+IPSec+单臂路由_ipsec_10]

PC3 and PC4 reach each other:

[Image: Huawei-RIP+bfd+IPSec+单臂路由_bfd_11]

BFD results:

R1

[Image: Huawei-RIP+bfd+IPSec+单臂路由_rip_12]

R2

[Image: Huawei-RIP+bfd+IPSec+单臂路由_单臂路由_13]

R3

[Image: Huawei-RIP+bfd+IPSec+单臂路由_rip_14]

R4

[Image: Huawei-RIP+bfd+IPSec+单臂路由_ipsec_15]