L2L *** implementing hub-spoke interconnection


Author: Cedric CCIE#25467

The network topology is shown above.

 

Today we cover how to implement L2L access in a HUB-SPOKE topology.

R1 is the HUB; R2 and R3 are the SPOKES.

R1#sh run 

Building configuration...

 

Current configuration : 1481 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!         

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key 123 address 20.1.1.1

crypto isakmp key 123 address 30.1.1.1

!         

!

crypto ipsec transform-set 321 esp-des esp-md5-hmac 

!

crypto dynamic-map dymap 10

 set peer 20.1.1.1

 set peer 30.1.1.1

 set transform-set 321 

!

!

crypto map cisco 10 ipsec-isakmp dynamic dymap 

!

!

!

!

interface Loopback0

 ip address 1.1.1.1 255.255.255.0

!

interface FastEthernet0/0

 no switchport

 ip address 10.1.1.1 255.255.255.0

 crypto map cisco

!

interface FastEthernet0/1

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!         

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface Vlan1

 no ip address

!

ip http server

no ip http secure-server

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

!

!

!

!

!

control-plane

!

!

!         

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

 login

!

!

end

R1#sh cry en conn a

 

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

   1 FastEthernet0/0      10.1.1.1        set    HMAC_SHA+DES_56_CB        0        0

   2 FastEthernet0/0      10.1.1.1        set    HMAC_SHA+DES_56_CB        0        0

2001 FastEthernet0/0      10.1.1.1        set    DES+MD5                   0        5

2002 FastEthernet0/0      10.1.1.1        set    DES+MD5                   5        0

2003 FastEthernet0/0      10.1.1.1        set    DES+MD5                   0        5

2004 FastEthernet0/0      10.1.1.1        set    DES+MD5                   5        0
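The table above is the fastest way to confirm that both spokes have completed phase 1 (connection IDs 1 and 2) and that each has a pair of IPsec SAs (2001 to 2004) with traffic flowing in both directions. The Python script below is an added example, not part of the original post: it parses that output, reports whether the expected number of peers has completed phase 1 and phase 2, lists IPsec SAs that have carried no traffic, and flags connections negotiated with DES or MD5, which is what the lab's transform set `esp-des esp-md5-hmac` produces. The sample inputs are the hub's and R2's tables from this page; the assumption that IPsec connection IDs are numbered from 2000 upward is taken from this output.

```python
import re
from dataclasses import dataclass

# Constructed samples: the "show crypto engine connections active" output
# of the hub R1 (two spokes) and of the spoke R2, as shown on this page.
HUB_OUTPUT = """\
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      10.1.1.1        set    HMAC_SHA+DES_56_CB        0        0
   2 FastEthernet0/0      10.1.1.1        set    HMAC_SHA+DES_56_CB        0        0
2001 FastEthernet0/0      10.1.1.1        set    DES+MD5                   0        5
2002 FastEthernet0/0      10.1.1.1        set    DES+MD5                   5        0
2003 FastEthernet0/0      10.1.1.1        set    DES+MD5                   0        5
2004 FastEthernet0/0      10.1.1.1        set    DES+MD5                   5        0
"""

SPOKE_OUTPUT = """\
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      20.1.1.1        set    HMAC_SHA+DES_56_CB        0        0
2001 FastEthernet0/0      20.1.1.1        set    DES+MD5                   0        5
2002 FastEthernet0/0      20.1.1.1        set    DES+MD5                   5        0
"""

# Algorithm tokens that are acceptable in a lab but not in production.
LEGACY_TOKENS = {"DES", "MD5"}


@dataclass
class Conn:
    conn_id: int
    interface: str
    ip: str
    state: str
    algorithm: str
    encrypt: int
    decrypt: int

    @property
    def is_ike(self) -> bool:
        # Assumption taken from this output: IKE SAs have small IDs,
        # IPsec SAs are numbered from 2000 upward.
        return self.conn_id < 2000


# One table row: id, interface, address, state, algorithm, encrypt, decrypt.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_connections(text: str) -> list:
    """Turn the table into Conn records; header, prompt and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            conns.append(Conn(int(m[1]), m[2], m[3], m[4], m[5], int(m[6]), int(m[7])))
    return conns


def uses_legacy_algorithm(name: str) -> bool:
    """True when the algorithm string contains a DES or MD5 component."""
    return bool(LEGACY_TOKENS & set(re.split(r"[+_]", name)))


def check_connections(text: str, expected_peers: int) -> dict:
    """Summarise SA state for a router that should have `expected_peers` tunnels up."""
    conns = parse_connections(text)
    ike = [c for c in conns if c.is_ike]
    ipsec = [c for c in conns if not c.is_ike]
    return {
        "ike_sas": len(ike),
        "ipsec_sas": len(ipsec),
        # one IKE SA per peer; one inbound plus one outbound IPsec SA per peer
        "phase1_complete": len(ike) == expected_peers,
        "phase2_complete": len(ipsec) == 2 * expected_peers,
        # an IPsec SA that has neither encrypted nor decrypted anything yet
        "idle_ipsec_sas": [c.conn_id for c in ipsec if c.encrypt == 0 and c.decrypt == 0],
        "not_set": [c.conn_id for c in conns if c.state != "set"],
        "encrypted": sum(c.encrypt for c in ipsec),
        "decrypted": sum(c.decrypt for c in ipsec),
        "legacy_algorithms": sorted({c.algorithm for c in conns
                                     if uses_legacy_algorithm(c.algorithm)}),
    }


if __name__ == "__main__":
    for name, text, peers in (("R1", HUB_OUTPUT, 2), ("R2", SPOKE_OUTPUT, 1)):
        print(f"== {name} ==")
        for key, value in check_connections(text, expected_peers=peers).items():
            print(f"{key:18} {value}")
```

Run it on the hub with `expected_peers=2` and on each spoke with `expected_peers=1`; a spoke whose phase 2 never completed shows up as `phase2_complete` false, and a tunnel that is up but unused shows up in `idle_ipsec_sas`.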

 

 

R2>en

R2#sh run 

Building configuration...

 

Current configuration : 1463 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!         

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key 123 address 10.1.1.1

!

!         

crypto ipsec transform-set 321 esp-des esp-md5-hmac 

!

crypto map cisco 10 ipsec-isakmp 

 set peer 10.1.1.1

 set transform-set 321 

 match address ***

!

!

!

!

interface Loopback0

 ip address 2.2.2.2 255.255.255.0

!

interface FastEthernet0/0

 no switchport

 ip address 20.1.1.1 255.255.255.0

 crypto map cisco

!

interface FastEthernet0/1

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!         

interface FastEthernet0/15

!

interface Vlan1

 no ip address

!

ip http server

no ip http secure-server

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

!

!

!

ip access-list extended ***

 permit ip host 2.2.2.2 host 1.1.1.1

!

!

!

control-plane

!

!

!

!         

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

 login

!

!

end

 


R2#sh cry is sa

dst             src             state          conn-id slot status

10.1.1.1        20.1.1.1        QM_IDLE              1    0 ACTIVE

 

R2#

R2#sh cry ip sa

 

interface: FastEthernet0/0

    Crypto map tag: cisco, local addr 20.1.1.1

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

   current_peer 10.1.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 5, #recv errors 0

 

     local crypto endpt.: 20.1.1.1, remote crypto endpt.: 10.1.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0xE21AADC8(3793399240)

 

     inbound esp sas:

      spi: 0xDC63BE9D(3697524381)

        transform: esp-des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2001, flow_id: SW:1, crypto map: cisco

        sa timing: remaining key lifetime (k/sec): (4518374/2756)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0xE21AADC8(3793399240)

        transform: esp-des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2002, flow_id: SW:2, crypto map: cisco

        sa timing: remaining key lifetime (k/sec): (4518374/2756)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     outbound ah sas:

 

     outbound pcp sas:


R2#sh cry en conn a

 

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

   1 FastEthernet0/0      20.1.1.1        set    HMAC_SHA+DES_56_CB        0        0

2001 FastEthernet0/0      20.1.1.1        set    DES+MD5                   0        5

2002 FastEthernet0/0      20.1.1.1        set    DES+MD5                   5        0

R3#sh run 

Building configuration...

 

Current configuration : 1463 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R3

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!         

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key 123 address 10.1.1.1

!

!         

crypto ipsec transform-set 321 esp-des esp-md5-hmac 

!

crypto map cisco 10 ipsec-isakmp 

 set peer 10.1.1.1

 set transform-set 321 

 match address ***

!

!

!

!

interface Loopback0

 ip address 3.3.3.3 255.255.255.0

!

interface FastEthernet0/0

 no switchport

 ip address 30.1.1.1 255.255.255.0

 crypto map cisco

!

interface FastEthernet0/1

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!         

interface FastEthernet0/15

!

interface Vlan1

 no ip address

!

ip http server

no ip http secure-server

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

!

!

!

ip access-list extended ***

 permit ip host 3.3.3.3 host 1.1.1.1

!

!

!

control-plane

!

!

!

!         

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

 login

!

!

end

 


R3#sh cry is sa 

dst             src             state          conn-id slot status

10.1.1.1        30.1.1.1        QM_IDLE              1    0 ACTIVE

 


R3#sh cry ip sa 

 

interface: FastEthernet0/0

    Crypto map tag: cisco, local addr 30.1.1.1

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

   current_peer 10.1.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 8, #recv errors 0

 

     local crypto endpt.: 30.1.1.1, remote crypto endpt.: 10.1.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x80BEEF5D(2159996765)

 

     inbound esp sas:

      spi: 0x4B276839(1260873785)

        transform: esp-des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2001, flow_id: SW:1, crypto map: cisco

        sa timing: remaining key lifetime (k/sec): (4519227/2825)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0x80BEEF5D(2159996765)

        transform: esp-des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2002, flow_id: SW:2, crypto map: cisco

        sa timing: remaining key lifetime (k/sec): (4519227/2824)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     outbound ah sas:

 

     outbound pcp sas:


R3#sh cry en conn a

 

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

   1 FastEthernet0/0      30.1.1.1        set    HMAC_SHA+DES_56_CB        0        0

2001 FastEthernet0/0      30.1.1.1        set    DES+MD5                   0        5

2002 FastEthernet0/0      30.1.1.1        set    DES+MD5                   5        0

All of the configuration is shown above; with it, L2L HUB-SPOKE access works.

One prerequisite to keep in mind: in this topology only a SPOKE can initiate the connection. The HUB cannot reach a SPOKE first, because the HUB has no ACL and therefore cannot match interesting traffic.

Once a SPOKE has negotiated with the HUB (both phase 1 and phase 2), the HUB has a matching entry and can then reach that SPOKE.
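The reason the HUB cannot initiate becomes concrete with a small model of how IOS picks a crypto map entry for an outbound packet. The Python below is an added illustration, not IOS code and not part of the original post: a static entry matches its own `match address` ACL and so can start IKE; a dynamic entry has no ACL of its own, and only after a spoke has negotiated does the hub hold an entry instantiated from the spoke's proxy identities (here taken from the `show crypto ipsec sa` output above, 2.2.2.2 to 1.1.1.1). A packet that matches no entry is forwarded without IPsec and triggers no negotiation. The model goes one step beyond the post and also shows what changes when the hub is given a static entry with its own ACL for a spoke, which is one conventional way to let the hub initiate; the function and field names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[Net, Net]   # one "permit ip <src> <dst>" line of a crypto ACL


@dataclass
class CryptoMapEntry:
    seq: int
    peer: Optional[str] = None                      # "set peer"
    acl: List[Rule] = field(default_factory=list)   # "match address" (empty for a dynamic entry)
    dynamic: bool = True
    # entries instantiated from a dynamic entry after a spoke negotiated
    instantiated: List["CryptoMapEntry"] = field(default_factory=list)


def permit(src: str, dst: str) -> Rule:
    """Model of 'permit ip host A host B' (or the prefix form) in a crypto ACL."""
    return (ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False))


def acl_matches(acl: List[Rule], src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def lookup(crypto_map: List[CryptoMapEntry], src: str, dst: str) -> Optional[str]:
    """Return the peer whose SA protects src->dst, or None when the packet
    matches no crypto ACL (it then leaves unprotected and no IKE is started)."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.dynamic:
            # A dynamic entry carries no ACL of its own; only the entries
            # instantiated from it after a peer negotiated have proxy identities.
            for inst in entry.instantiated:
                if acl_matches(inst.acl, src, dst):
                    return inst.peer
            continue
        if acl_matches(entry.acl, src, dst):
            return entry.peer
    return None


def spoke_negotiates(dynamic_entry: CryptoMapEntry, peer: str,
                     spoke_local_id: str, spoke_remote_id: str) -> CryptoMapEntry:
    """Model of phase 2 completing from the spoke side: the hub accepts the
    spoke's proxy identities and instantiates them, mirrored, under the
    dynamic entry, so hub-originated traffic to that spoke now has a match."""
    inst = CryptoMapEntry(seq=dynamic_entry.seq, peer=peer,
                          acl=[permit(spoke_remote_id, spoke_local_id)],
                          dynamic=False)
    dynamic_entry.instantiated.append(inst)
    return inst


def hub_map() -> List[CryptoMapEntry]:
    # R1: "crypto map cisco 10 ipsec-isakmp dynamic dymap"; the peers listed
    # inside the dynamic map do not give the hub anything to initiate with.
    return [CryptoMapEntry(seq=10, dynamic=True)]


def spoke_map(loopback: str, peer: str = "10.1.1.1") -> List[CryptoMapEntry]:
    # R2/R3: static entry with "permit ip host <loopback> host 1.1.1.1".
    return [CryptoMapEntry(seq=10, peer=peer,
                           acl=[permit(loopback, "1.1.1.1")], dynamic=False)]


if __name__ == "__main__":
    hub = hub_map()
    print("hub -> R2 before negotiation:", lookup(hub, "1.1.1.1", "2.2.2.2"))
    print("R2 -> hub:", lookup(spoke_map("2.2.2.2"), "2.2.2.2", "1.1.1.1"))
    spoke_negotiates(hub[0], "20.1.1.1", "2.2.2.2", "1.1.1.1")
    print("hub -> R2 after R2 negotiated:", lookup(hub, "1.1.1.1", "2.2.2.2"))
    print("hub -> R3 (never negotiated):", lookup(hub, "1.1.1.1", "3.3.3.3"))
```

The last two prints are the whole story of the post's caveat: the same hub that returns a peer for 2.2.2.2 once R2 has negotiated still returns nothing for 3.3.3.3, because R3 has not. Appending a static entry such as `CryptoMapEntry(seq=5, peer="30.1.1.1", acl=[permit("1.1.1.1", "3.3.3.3")], dynamic=False)` to `hub` makes `lookup` find R3 immediately, which is what giving the hub its own ACL achieves.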

 

 

Additional questions: consider how the HUB could also actively negotiate with the SPOKES.

Can a fully meshed L2L *** be implemented?

If R2's loopback is 2.2.2.2/32 and R3's loopback is 2.2.3.3/16, how would you implement the structure, and what would you observe?

 

Finally, thanks to teacher Yang of Shanghai WOLF.

 
