Three-tier architecture
Technologies used:
multi-area OSPF
DHCP
NAT
port mapping
GRE over IPsec
Before configuring, verify that both ends can reach each other
Requirements
Access layer
jieruA
sys
sysname jieruA
# create VLANs
vlan batch 10 20 200
# assign the access port
int e0/0/1
port link-type access
port default vlan 10
# trunk
int e0/0/2
port link-type trunk
port trunk allow-pass vlan all
jieruB
sys
sysname jieruB
# create VLANs
vlan batch 10 20 200
# assign the access port
int e0/0/4
port link-type access
port default vlan 20
# trunk
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all
Aggregation layer
huijuA
sys
sysname huijuA
# create VLANs
vlan batch 10 20 200
# trunk
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all
int e0/0/2
port link-type trunk
port trunk allow-pass vlan all
int e0/0/1
port link-type trunk
port trunk allow-pass vlan all
huijuB
sys
sysname huijuB
# create VLANs
vlan batch 10 20 200
# trunk
int e0/0/2
port link-type trunk
port trunk allow-pass vlan all
int e0/0/1
port link-type access
port default vlan 200
Core layer
sys
sysname core
# create VLANs
vlan batch 10 20 200 800
# trunk
int g0/0/1
port link-type trunk
port trunk allow-pass vlan all
int g0/0/2
port link-type trunk
port trunk allow-pass vlan all
int g0/0/3
port link-type access
port default vlan 800
# VLAN management IPs
int vlan 10
ip address 192.168.10.254 24
int vlan 20
ip address 192.168.20.254 24
int vlan 200
ip address 192.168.200.254 24
int vlan 800
ip address 192.168.254.1 30
# configure DHCP (based on a global address pool)
dhcp enable
ip pool dhcp10
dns-list 8.8.8.8
gateway-list 192.168.10.254
# corresponding subnet
network 192.168.10.0 mask 24
# apply
int vlan 10
dhcp select global
ip pool dhcp20
dns-list 8.8.8.8
gateway-list 192.168.20.254
# corresponding subnet
network 192.168.20.0 mask 24
# apply
int vlan 20
dhcp select global
# configure OSPF
ospf 100 router-id 1.1.1.1
area 0
network 0.0.0.0 255.255.255.255
Border
AR1
sys
sysname AR1
# configure IP addresses
int g0/0/0
ip address 192.168.254.2 30
int g0/0/1
ip address 120.36.2.21 30
int s1/0/0
ip address 12.1.1.1 29
int lo 0
ip address 2.2.2.2 32
# default route
ip route-static 0.0.0.0 0.0.0.0 120.36.2.22
# NAT configuration
acl 3000
### With only the three rules below there is a problem: when the intranet accesses the web server, the address gets NAT-translated and the reply cannot come back; not solved yet
# if the IPsec VPN is configured, the Fuzhou branch needs to be excluded
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
# this rule lets the Shanghai branch reach the internet through headquarters' NAT
rule 10 permit ip source 12.1.1.0 0.0.0.255
rule 15 permit ip source 192.168.0.0 0.0.255.255
int g0/0/1
nat outbound 3000
# port mapping: only reachable from the internet; the intranet cannot reach it via the interface address.
int g0/0/1
# a "y" has to be typed manually here to confirm
nat server protocol tcp global current-interface 80 inside 192.168.200.20 80
ospf 100 router-id 2.2.2.2
# redistribute the default route
default-route-advertise
area 0
network 192.168.254.0 0.0.0.3
network 2.2.2.2 0.0.0.0
# advertise the Shanghai branch
area 1
network 12.1.1.0 0.0.0.7
# GRE configuration; this way only traffic within 14.1.1.0/24 is encrypted, so the other routes need to be steered into the tunnel
int Tunnel 0/0/0
ip address 14.1.1.1 24
tunnel-protocol gre
# do not use a loopback interface here, otherwise the traffic cannot be encrypted
source 120.36.2.21
destination 218.85.157.99
# configure IPsec VPN
## create the proposal
ipsec proposal wlgc-proposal
esp encryption-algorithm 3des
esp authentication-algorithm sha1
quit
## create IKE
ike proposal 5
quit
ike peer spub v2
pre-shared-key cipher wlgc
ike-proposal 5
quit
## create the profile
ipsec profile wlgc-profile
proposal wlgc-proposal
ike-peer spub
## apply the profile on the tunnel
int Tunnel 0/0/0
ipsec profile wlgc-profile
quit
# GRE with OSPF, so the Fuzhou branch learns the headquarters routes
ospf 111
area 0
network 14.1.1.0 0.0.0.255
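To sanity-check what AR1's nat outbound 3000 above actually translates, here is an added Python model of Huawei wildcard-mask ACL matching; it is example code written for this page, not from the original or from any Huawei tooling. The flow names and host addresses are constructed, and it assumes the usual semantics: rules are tried in rule-number order, permit means translate, deny or no match means leave the packet alone, and for tunnelled traffic NAT evaluates the GRE outer header.

```python
import ipaddress

# AR1's ACL 3000 as listed on this page, encoded as
# (rule, action, src, src-wildcard, dst, dst-wildcard); dst None = any.
# Huawei wildcard (inverse) masks: a 1 bit means "don't care".
AR1_ACL_3000 = [
    (5,  "permit", "192.168.0.0", "0.0.255.255", "172.16.0.0", "0.0.255.255"),
    (10, "permit", "12.1.1.0",    "0.0.0.255",   None,         None),
    (15, "permit", "192.168.0.0", "0.0.255.255", None,         None),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Huawei wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(acl, src: str, dst: str):
    """(rule number, action) of the first matching rule, else (None, 'no-match')."""
    for num, action, sbase, swild, dbase, dwild in sorted(acl, key=lambda r: r[0]):
        if not wildcard_match(src, sbase, swild):
            continue
        if dbase is not None and not wildcard_match(dst, dbase, dwild):
            continue
        return num, action
    return None, "no-match"


def nat_outbound_translates(acl, src: str, dst: str) -> bool:
    """Would 'nat outbound <acl>' on the egress interface translate this flow?"""
    return acl_lookup(acl, src, dst)[1] == "permit"


def classify_page_flows(acl=AR1_ACL_3000):
    """Constructed sample flows leaving AR1 g0/0/1, using addresses from this page."""
    flows = {
        "hq host -> internet":       ("192.168.10.10", "8.8.8.8"),
        "shanghai link -> internet": ("12.1.1.2",      "8.8.8.8"),
        "hq host -> fuzhou (plain)": ("192.168.10.10", "172.16.1.10"),
        # GRE outer header: what NAT actually sees for traffic sent into Tunnel0/0/0
        "gre outer (tunnel)":        ("120.36.2.21",   "218.85.157.99"),
    }
    return {name: acl_lookup(acl, s, d) for name, (s, d) in flows.items()}
```

The GRE outer header matches no rule, which is why tunnelled branch traffic is left alone; rule 5 itself is a permit, so it would translate (not exclude) branch traffic if that traffic ever left g0/0/1 unencapsulated, and excluding a flow from nat outbound needs a deny rule.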
Internet
internet
sys
sysname internet
# configure IP addresses
int g0/0/2
ip address 218.85.157.254 24
int g0/0/1
ip address 120.36.2.22 30
AR4
sys
sysname AR4
# configure IP addresses
int g0/0/0
ip address 172.16.1.254 24
int g0/0/1
ip address 218.85.157.99 24
int lo 0
ip address 10.10.10.10 32
# static route
ip route-static 0.0.0.0 0.0.0.0 218.85.157.254
# configure OSPF
ospf 100 router-id 10.10.10.10
area 0
network 218.85.157.0 0.0.0.255
network 10.10.10.10 0.0.0.0
# NAT configuration
acl 3000
# if the IPsec VPN is configured, the Fuzhou branch needs to be excluded
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
rule 10 permit ip source 172.16.0.0 0.0.255.255
int g0/0/1
nat outbound 3000
# GRE configuration; this way only traffic within 14.1.1.0/24 is encrypted, so the other routes need to be steered into the tunnel
int Tunnel 0/0/0
ip address 14.1.1.2 24
tunnel-protocol gre
# do not use a loopback interface here, otherwise the traffic cannot be encrypted???
source 218.85.157.99
destination 120.36.2.21
# configure IPsec VPN
## create the proposal
ipsec proposal wlgc-proposal
esp encryption-algorithm 3des
esp authentication-algorithm sha1
quit
## create IKE
ike proposal 5
quit
ike peer spub v2
pre-shared-key cipher wlgc
ike-proposal 5
quit
## create the profile
ipsec profile wlgc-profile
proposal wlgc-proposal
ike-peer spub
## apply the profile on the tunnel
int Tunnel 0/0/0
ipsec profile wlgc-profile
quit
# GRE with OSPF, so the Fuzhou branch learns the headquarters routes
ospf 111
area 0
network 14.1.1.0 0.0.0.255
Shanghai branch
AR2
sys
sysname AR2
# configure IP addresses
int s2/0/0
ip address 12.1.1.2 29
int g0/0/0
ip address 192.168.100.254 24
# configure OSPF
ospf 100 router-id 9.9.9.9
area 1
network 0.0.0.0 255.255.255.255
Result diagrams
Core layer routing table
AR2 can reach the internet via headquarters
AR4 and AR1: traffic is only encrypted when it goes through the tunnel