*** technology: GRE (virtual private network)
Lab equipment:
One firewall (H3C), one router used as a firewall (Router), one router, and two PCs.
Introduction to GRE:
GRE (Generic Routing Encapsulation) encapsulates packets of certain network-layer protocols (such as IP and IPX) so that the encapsulated packets can be carried over another network-layer protocol (such as IP). GRE can serve as a layer-3 tunneling protocol, using tunnel technology between protocol layers. A tunnel is a virtual point-to-point connection; it can be viewed as a virtual interface that supports only point-to-point connections. The interface provides a path over which encapsulated datagrams are transmitted, and the datagrams are encapsulated and decapsulated at the two ends of the tunnel.
Configure firewall 1:
[H3C]inter eth0/1
[H3C-Ethernet0/1]ip address 192.168.1.254 24
[H3C-Ethernet0/1]inter eth0/0
[H3C-Ethernet0/0]ip address 61.130.130.1 24
[H3C-Ethernet0/0]quit
[H3C]firewal zone trust
[H3C-zone-trust]add interface eth0/1 (add the interface to the zone; normally the firewall's port e0/0 is in the trust zone by default)
[H3C-zone-trust]quit
[H3C]fire zone untrust
[H3C-zone-untrust]add interface eth0/0 (add the interface to the zone)
[H3C]fire zone untrust
[H3C-zone-untrust]add inter tunnel 10
[H3C]ip route 0.0.0.0 0 61.130.130.2 (default static route)
Add the tunnel on firewall 1:
[H3C]inter Tunnel 10
[H3C-Tunnel10]ip address 192.168.3.1 24 (tunnel IP address)
[H3C-Tunnel10]tunnel-protocol gre (use GRE)
[H3C-Tunnel10]source 61.130.130.1 (define the source address)
[H3C-Tunnel10]destination 61.130.131.1 (define the destination address)
[H3C]ip route-static 192.168.2.0 24 192.168.3.2 (route the remote LAN through the tunnel)
Configure R2:
配置R2:
[r1]inter e0
[r1-Ethernet0]ip address 61.130.130.2 24
[r1-Ethernet0]inter e1
[r1-Ethernet1]ip address 61.130.131.2 24
Configure firewall 2 (no tunnel-protocol line is entered here because GRE over IPv4 is the Comware default tunnel mode):
[Router]inter e1
[Router-Ethernet1]ip address 61.130.131.1 24
[Router-Ethernet1]
%01:48:37: Line protocol ip on the interface Ethernet1 is UP
[Router-Ethernet1]inter e0
[Router-Ethernet0]ip address 192.168.2.254 24
[Router]inter tunnel 20
[Router-Tunnel20]ip address 192.168.3.2 24
[Router-Tunnel20]source 61.130.131.1
[Router-Tunnel20]destination 61.130.130.1
[Router-Tunnel20]quit
[Router]ip route 0.0.0.0 0 61.130.131.2
[Router]
%01:55:32: Line protocol ip on the interface Tunnel20 is UP
[Router]ip route 192.168.1.0 24 192.168.3.1
View the routing table of firewall 2:
[Router]dis ip rout
Routing Tables:
Destination/Mask Proto Pref Metric Nexthop Interface
0.0.0.0/0 Static 60 0 61.130.131.2 Ethernet1
61.130.131.0/24 Direct 0 0 61.130.131.1 Ethernet1
61.130.131.1/32 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.0/8 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.1.0/24 Static 60 0 192.168.3.1 Tunnel20
192.168.3.0/24 Direct 0 0 192.168.3.2 Tunnel20
192.168.3.2/32 Direct 0 0 127.0.0.1 LoopBack0
View routing information on firewall 1:
[H3C]dis ip rout
Routing Table: public net
Destination/Mask Protocol Pre Cost Nexthop Interface
0.0.0.0/0 STATIC 60 0 61.130.130.2 Ethernet0/0
61.130.130.0/24 DIRECT 0 0 61.130.130.1 Ethernet0/0
61.130.130.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 DIRECT 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
192.168.2.0/24 STATIC 60 0 192.168.3.2 Tunnel10
192.168.3.0/24 DIRECT 0 0 192.168.3.1 Tunnel10
192.168.3.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
Routes to every subnet are present.
From the local host 192.168.2.100, ping the host 192.168.1.100 connected to the firewall:
C:\Users\Administrator>ping 192.168.1.100
正在 Ping 192.168.1.100 具有 32 字節的數據:
來自 192.168.1.100 的回覆: 字節=32 時間=8ms TTL=62
來自 192.168.1.100 的回覆: 字節=32 時間=3ms TTL=62
來自 192.168.1.100 的回覆: 字節=32 時間=3ms TTL=62
來自 192.168.1.100 的回覆: 字節=32 時間=2ms TTL=62
192.168.1.100 的 Ping 統計信息:
數據包: 已發送 = 4,已接收 = 4,丟失 = 0 (0% 丟失),
往返行程的估計時間(以毫秒爲單位):
最短 = 2ms,最長 = 8ms,平均 = 4ms
C:\Users\Administrator>
The ping succeeds.
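As an added illustration of the two points above (GRE encapsulation as described in the introduction, and the TTL=62 seen in the ping output), the Python below is example code written for this page, not code from the original post or from H3C. It builds the same encapsulation the Tunnel10/Tunnel20 interfaces perform: an outer IPv4 header with protocol 47 carrying a 4-byte GRE header (protocol type 0x0800) and the untouched inner packet, using the public addresses from this lab. It then traces the echo reply back along the topology to show why the PC reports TTL=62: only the two tunnel endpoints forward (and so decrement) the inner packet, while R2 touches the outer header only. It also shows that the inner packet rides in the GRE payload in the clear, so GRE alone gives no confidentiality or integrity and the firewalls still see, and should still filter, everything that crosses the tunnel. The PC addresses 192.168.2.100 and 192.168.1.100 are taken from the page; the ICMP payload and identifiers are constructed sample data.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_GRE = 47          # IP protocol number that carries GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an inner IPv4 packet
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) with the header checksum filled in."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_icmp_packet(src: str, dst: str, icmp_type: int, ttl: int, payload: bytes) -> bytes:
    """A complete IPv4/ICMP echo packet like the ones the two PCs exchange (constructed sample)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload   # id=1, seq=1 are constructed
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp), ttl) + icmp


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel egress: outer IPv4 (proto 47) + basic 4-byte GRE header + the inner packet unchanged."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    payload = gre_hdr + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(payload)) + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Tunnel ingress: strip the outer IPv4 and GRE headers and hand back the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    # Optional checksum (C), key (K) and sequence (S) fields each add 4 bytes when their flag is set
    opt_len = 4 * sum(bool(flags_ver & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = packet[ihl + 4 + opt_len:]
    return {
        "outer_src": _dotted(packet[12:16]), "outer_dst": _dotted(packet[16:20]),
        "protocol_type": ptype, "inner": inner,
        "inner_src": _dotted(inner[12:16]), "inner_dst": _dotted(inner[16:20]),
    }


def decrement_ttl(packet: bytes) -> bytes:
    """What a forwarding router does to the IPv4 header it actually sees: TTL-1, checksum recomputed."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def reply_ttl_seen_by_pc() -> int:
    """Trace the echo reply from 192.168.1.100 back to 192.168.2.100 across the lab topology."""
    reply = build_icmp_packet("192.168.1.100", "192.168.2.100", ICMP_ECHO_REPLY, 64, b"constructed")
    hop_fw1 = decrement_ttl(reply)                          # firewall 1 forwards into Tunnel10: 64 -> 63
    wire = gre_encapsulate(hop_fw1, "61.130.130.1", "61.130.131.1")
    wire = decrement_ttl(wire)                              # R2 forwards the OUTER packet only; inner untouched
    inner = gre_decapsulate(wire)["inner"]                  # firewall 2 decapsulates on Tunnel20
    delivered = decrement_ttl(inner)                        # and forwards onto 192.168.2.0/24: 63 -> 62
    return delivered[8]


if __name__ == "__main__":
    request = build_icmp_packet("192.168.2.100", "192.168.1.100", ICMP_ECHO_REQUEST, 64, b"constructed")
    on_wire = gre_encapsulate(request, "61.130.131.1", "61.130.130.1")
    print("outer proto:", on_wire[9], "| inner payload visible in the clear:", b"constructed" in on_wire)
    print("reply TTL at PC:", reply_ttl_seen_by_pc())
```

Running the script prints protocol 47 for the outer header, confirms the inner payload is readable byte-for-byte in the tunnelled packet, and returns 62 for the reply TTL, matching the ping output above. The decapsulator also honours the optional C/K/S fields, so it parses keyed GRE headers that the basic configuration on this page does not use.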