Network Device Configuration
Published: 2019-06-21


Topology diagram:

Testing:

R1:

     98.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C       98.66.78.66/32 is directly connected, Serial1/0

C       98.66.78.64/26 is directly connected, Serial1/0

     172.16.0.0/24 is subnetted, 1 subnets

O IA    172.16.100.0 [110/3] via 10.1.1.1, 02:21:07, FastEthernet0/0

     10.0.0.0/30 is subnetted, 4 subnets

O IA    10.1.1.8 [110/2] via 10.1.1.1, 02:21:07, FastEthernet0/0

O IA    10.1.1.12 [110/2] via 10.1.1.1, 02:21:07, FastEthernet0/0

C       10.1.1.0 is directly connected, FastEthernet0/0

O IA    10.1.1.4 [110/2] via 10.1.1.1, 02:07:10, FastEthernet0/0

     192.168.16.0/26 is subnetted, 4 subnets

O IA    192.168.16.64 [110/3] via 10.1.1.1, 02:21:07, FastEthernet0/0

O IA    192.168.16.0 [110/3] via 10.1.1.1, 02:21:07, FastEthernet0/0

O IA    192.168.16.192 [110/3] via 10.1.1.1, 02:21:08, FastEthernet0/0

O IA    192.168.16.128 [110/3] via 10.1.1.1, 02:21:08, FastEthernet0/0

O IA 192.168.100.0/24 [110/3] via 10.1.1.1, 02:21:08, FastEthernet0/0

S*   0.0.0.0/0 is directly connected, Serial1/0

r1#

r1#SH CRY IS SA 
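Note: because NAT is in use, AH parameters cannot be configured! (AH authenticates the IP header, including the addresses that NAT rewrites, so a translated packet fails the integrity check.)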

dst             src             state          conn-id slot

98.66.78.66     98.66.78.65     QM_IDLE              1    0

r1#

R2:

  96.0.0.0/29 is subnetted, 1 subnets

C       96.86.68.16 is directly connected, Serial1/0

     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C       172.16.16.10/32 is directly connected, Virtual-Access2.1

O IA    172.16.100.0/24 [110/3] via 10.1.1.5, 02:08:19, FastEthernet0/0

     10.0.0.0/30 is subnetted, 4 subnets

O IA    10.1.1.8 [110/2] via 10.1.1.5, 02:08:19, FastEthernet0/0

O IA    10.1.1.12 [110/2] via 10.1.1.5, 02:08:19, FastEthernet0/0

O IA    10.1.1.0 [110/2] via 10.1.1.5, 02:08:19, FastEthernet0/0

C       10.1.1.4 is directly connected, FastEthernet0/0

     192.168.16.0/26 is subnetted, 4 subnets

O IA    192.168.16.64 [110/3] via 10.1.1.5, 02:08:19, FastEthernet0/0

O IA    192.168.16.0 [110/3] via 10.1.1.5, 02:08:19, FastEthernet0/0

O IA    192.168.16.192 [110/3] via 10.1.1.5, 02:08:20, FastEthernet0/0

O IA    192.168.16.128 [110/3] via 10.1.1.5, 02:08:20, FastEthernet0/0

O IA 192.168.100.0/24 [110/3] via 10.1.1.5, 02:08:20, FastEthernet0/0

S*   0.0.0.0/0 is directly connected, FastEthernet0/0

r2#

r2#SH IP INT B

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            10.1.1.6        YES manual up                    up     

Serial1/0                  96.86.68.17     YES manual up                    up     

Serial1/1                  unassigned      YES unset  administratively down down   

Serial1/2                  unassigned      YES unset  administratively down down   

Serial1/3                  unassigned      YES unset  administratively down down   

Virtual-Access1            unassigned      YES unset  down                  down   

Virtual-Template1          10.1.1.6        YES TFTP   down                  down   

Virtual-Access2            unassigned      YES unset  up                    up     

Virtual-Access2.1          10.1.1.6        YES TFTP   up                    up     

r2#

r2#sh vpdn

%No active L2F tunnels

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name   State  Remote Address  Port  Sessions L2TP Class/

                                                                VPDN Group

56280 18757 r3            est    96.86.68.18     1701  1        l2tp          

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID  

                                 Vcid, Circuit                                 

2          2          56280      l2tp, Vi2.1          est    00:46:15 1     

%No active PPTP tunnels

External user dial-in test:

R3:

  98.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C       98.66.78.64/26 is directly connected, Serial1/0

C       98.66.78.65/32 is directly connected, Serial1/0

     96.0.0.0/28 is subnetted, 1 subnets

C       96.86.68.16 is directly connected, Serial1/1

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks

C       172.16.16.10/32 is directly connected, Virtual-PPP1

C       172.16.1.0/24 is directly connected, FastEthernet0/0

C       172.16.2.0/24 is directly connected, FastEthernet2/0

     10.0.0.0/32 is subnetted, 1 subnets

C       10.1.1.6 is directly connected, Virtual-PPP1

C    192.168.1.0/24 is directly connected, FastEthernet3/0

r3#sh ip int b

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            172.16.1.1      YES NVRAM  up                    up     

Serial1/0                  98.66.78.66     YES NVRAM  up                    up     

Serial1/1                  96.86.68.18     YES NVRAM  up                    up     

Serial1/2                  unassigned      YES NVRAM  administratively down down   

Serial1/3                  unassigned      YES NVRAM  administratively down down   

FastEthernet2/0            172.16.2.1      YES NVRAM  up                    up     

FastEthernet3/0            192.168.1.2     YES manual up                    up     

Virtual-PPP1               172.16.16.10    YES IPCP   up                    up     

r3#SH CRY IS SA

dst             src             state          conn-id slot

98.66.78.66     98.66.78.65     QM_IDLE              1    0

r3#

r3#SH IP INT B

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            172.16.1.1      YES manual up                    up     

Serial1/0                  98.66.78.66     YES manual up                    up     

Serial1/1                  96.86.68.18     YES manual up                    up     

Serial1/2                  unassigned      YES unset  administratively down down   

Serial1/3                  unassigned      YES unset  administratively down down   

FastEthernet2/0            172.16.2.1      YES manual up                    up     

Virtual-PPP1               172.16.16.10    YES IPCP   up                    up     

r3#

R4:

   172.16.0.0/24 is subnetted, 1 subnets

O       172.16.100.0 [110/2] via 10.1.1.10, 02:24:34, FastEthernet2/0

     10.0.0.0/30 is subnetted, 4 subnets

C       10.1.1.8 is directly connected, FastEthernet2/0

C       10.1.1.12 is directly connected, FastEthernet3/0

C       10.1.1.0 is directly connected, FastEthernet0/0

C       10.1.1.4 is directly connected, FastEthernet1/0

     192.168.16.0/26 is subnetted, 4 subnets

O       192.168.16.64 [110/2] via 10.1.1.10, 02:24:34, FastEthernet2/0

O       192.168.16.0 [110/2] via 10.1.1.10, 02:24:34, FastEthernet2/0

O       192.168.16.192 [110/2] via 10.1.1.10, 02:24:34, FastEthernet2/0

O       192.168.16.128 [110/2] via 10.1.1.10, 02:24:34, FastEthernet2/0

O    192.168.100.0/24 [110/2] via 10.1.1.14, 02:24:34, FastEthernet3/0

O*E2 0.0.0.0/0 [110/1] via 10.1.1.6, 02:09:18, FastEthernet1/0

               [110/1] via 10.1.1.2, 02:09:18, FastEthernet0/0

r4#

R5:

172.16.0.0/24 is subnetted, 1 subnets

C       172.16.100.0 is directly connected, Vlan100

     10.0.0.0/30 is subnetted, 4 subnets

C       10.1.1.8 is directly connected, FastEthernet0/0

O IA    10.1.1.12 [110/2] via 10.1.1.9, 02:24:42, FastEthernet0/0

O IA    10.1.1.0 [110/2] via 10.1.1.9, 02:23:36, FastEthernet0/0

O IA    10.1.1.4 [110/2] via 10.1.1.9, 02:09:35, FastEthernet0/0

     192.168.16.0/26 is subnetted, 4 subnets

C       192.168.16.64 is directly connected, Vlan20

C       192.168.16.0 is directly connected, Vlan10

C       192.168.16.192 is directly connected, Vlan40

C       192.168.16.128 is directly connected, Vlan30

O IA 192.168.100.0/24 [110/3] via 10.1.1.9, 02:24:47, FastEthernet0/0

O*E2 0.0.0.0/0 [110/1] via 10.1.1.9, 02:09:26, FastEthernet0/0

r5#

R6:

  172.16.0.0/24 is subnetted, 1 subnets

O IA    172.16.100.0 [110/3] via 10.1.1.13, 02:25:00, FastEthernet0/0

     10.0.0.0/30 is subnetted, 4 subnets

O IA    10.1.1.8 [110/2] via 10.1.1.13, 02:25:00, FastEthernet0/0

C       10.1.1.12 is directly connected, FastEthernet0/0

O IA    10.1.1.0 [110/2] via 10.1.1.13, 02:23:54, FastEthernet0/0

O IA    10.1.1.4 [110/2] via 10.1.1.13, 02:09:54, FastEthernet0/0

     192.168.16.0/26 is subnetted, 4 subnets

O IA    192.168.16.64 [110/3] via 10.1.1.13, 02:25:00, FastEthernet0/0

O IA    192.168.16.0 [110/3] via 10.1.1.13, 02:25:00, FastEthernet0/0

O IA    192.168.16.192 [110/3] via 10.1.1.13, 02:25:00, FastEthernet0/0

O IA    192.168.16.128 [110/3] via 10.1.1.13, 02:25:00, FastEthernet0/0

C    192.168.100.0/24 is directly connected, Vlan50

O*E2 0.0.0.0/0 [110/1] via 10.1.1.13, 02:09:44, FastEthernet0/0

r6#

VPC:

NAT

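Note: when configuring NAT translation, because R1 and R2 are configured with IPsec VPN and L2TP VPN respectively, the NAT ACL must first deny the traffic destined for the VPN, and only then permit the traffic that should be translated!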

R1:

access-list 151 deny   ip 192.168.16.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 151 permit ip 192.168.16.0 0.0.0.127 any

access-list 152 deny   ip 192.168.16.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 152 permit ip 192.168.16.64 0.0.0.63 any

access-list 152 permit ip 192.168.16.128 0.0.0.63 any

ip nat pool 1 98.66.78.67 98.66.78.76 netmask 255.255.255.192

ip nat pool 2 98.66.78.78 98.66.78.87 netmask 255.255.255.192

ip nat inside source list 151 pool 1

ip nat inside source list 152 pool 2

ip nat inside source static tcp 192.168.100.10 21 98.66.78.88 2121 extendable

ip nat inside source static tcp 192.168.100.10 80 98.66.78.89 8080 extendable

interface FastEthernet0/0

ip nat inside

interface Serial1/0

ip nat outside

R2:

access-list 151 deny   ip 192.168.16.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 151 permit ip 192.168.16.0 0.0.0.127 any

access-list 152 deny   ip 192.168.16.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 152 permit ip 192.168.0.0 0.0.0.63 any

access-list 152 permit ip 192.168.0.128 0.0.0.63 any

ip nat pool 1 96.86.68.19 96.86.68.22 netmask 255.255.255.240

ip nat pool 2 96.86.68.23 96.86.68.28 netmask 255.255.255.240

ip nat inside source list 151 pool 1

ip nat inside source list 152 pool 2

ip nat inside source static tcp 192.168.100.10 21 96.86.68.29 2121 extendable

ip nat inside source static tcp 192.168.100.10 80 96.86.68.30 8080 extendable

interface FastEthernet0/0

ip nat inside

interface Serial1/0

ip nat outside
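
The ordering rule from the note above, as an added example (not code from the original post): a small Python first-match evaluator run over R1's ACL 151 and 152 as printed, which reports whether a packet is NAT-translated or exempted and flags any deny entry that an earlier permit would pre-empt. The function names are assumptions made for this illustration.

```python
import ipaddress

# Added illustration: names are hypothetical; ACL text is R1's, as printed above.
R1_ACLS = """\
access-list 151 deny   ip 192.168.16.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 151 permit ip 192.168.16.0 0.0.0.127 any
access-list 152 deny   ip 192.168.16.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 152 permit ip 192.168.16.64 0.0.0.63 any
access-list 152 permit ip 192.168.16.128 0.0.0.63 any
"""
ALL = 0xFFFFFFFF

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def parse_acls(text):
    """Return {acl_number: [(action, src, dst), ...]} for 'ip' entries."""
    acls = {}
    for t in map(str.split, text.splitlines()):
        if len(t) >= 6 and t[0] == "access-list" and t[3] == "ip":
            rest = t[4:]
            acls.setdefault(t[1], []).append((t[2], _addr(rest), _addr(rest)))
    return acls

def _overlap(a, b):
    # Two wildcard patterns share an address iff they agree on every bit both check.
    return ((a[0] ^ b[0]) & ~a[1] & ~b[1] & ALL) == 0

def nat_decision(entries, src, dst):
    """First match wins; falling off the end is the implicit deny (no NAT)."""
    for action, s, d in entries:
        if _overlap((_ip(src), 0), s) and _overlap((_ip(dst), 0), d):
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"

def shadowed_denies(entries):
    """Indexes of deny entries pre-empted by an earlier overlapping permit."""
    return [i for i, (act, s, d) in enumerate(entries) if act == "deny" and any(
        p == "permit" and _overlap(ps, s) and _overlap(pd, d)
        for p, ps, pd in entries[:i])]
```

Reversing the two entries of ACL 151 makes `nat_decision` return `translate` for traffic bound for 172.16.0.0/16 and makes `shadowed_denies` report the deny entry, which is the failure the note describes.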

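NAT test on router R1:

As shown above, the two NAT address pools correspond to different internal subnets! Below is the NAT test on router R2. Because PBR (policy-based routing) is configured, the interface connected to router R1 must be shut down first when testing NAT on R2!

As shown above, R2's two address pools also correspond to different internal subnets, and the mapping succeeds!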

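Test of the head-office servers mapped to the external network:

Mapping through R1:

The external host 192.168.1.4 can reach the internal WWW service through a browser!

Mapping through R2:

The external host can also reach the head office's WWW service through R2's mapping!

Branch-office server test:

As can be seen, the branch office's services are also configured successfully!

The branch-office server configuration is shown below:

Now test policy routing at the branch office: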

r3(config)#acc 161 per ip 172.16.0.0 0.0.255.255 192.168.16.0 0.0.0.127

r3(config)#acc 162 per ip 172.16.0.0 0.0.255.255 192.168.16.128 0.0.0.127

r3(config)#route-ma pbr

r3(config-route-map)#ma ip add 161

r3(config-route-map)#se ip nex 98.66.78.65

r3(config-route-map)#route-ma pbr 20     

r3(config-route-map)#ma ip add 162

r3(config-route-map)#se ip nex 96.86.68.17

r3(config)#int f0/0

r3(config-if)#ip po rou

r3(config-if)#ip po route-map pbr

r3(config-if)#int f2/0

r3(config-if)#ip po route-map pbr

r3(config-if)#end

Head-office policy routing test:

hostname r4

interface FastEthernet3/0

ip policy route-map pbr

access-list 100 permit ip 192.168.16.0 0.0.0.127 any

access-list 110 permit ip 192.168.16.128 0.0.0.127 any

access-list 130 permit ip 192.168.16.64 0.0.0.63 any

route-map pbr permit 10

 match ip address 100

 set ip next-hop 10.1.1.2

!

route-map pbr permit 20

 match ip address 130

 match length 1000 1500

 set ip next-hop 10.1.1.6

!

route-map pbr permit 30

 match ip address 110

 set ip next-hop 10.1.1.6

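The configuration above succeeded. First shut down R4's interface toward R1, then run tracert; the *** hops shown above are the traffic going through the L2TP tunnel!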

VPN test:

When configuring IPsec, if the task itself specifies the traffic, simply configure permit ip any any.

This article is reposted from 810105851's 51CTO blog. Original link: http://blog.51cto.com/4708948/1133750. To repost it, please contact the original author.