7-VPN: VTI technology

I. Lab topology:
II. Lab requirements:

III. Command deployment:
1. Basic setup of router interfaces, default routes, etc.:
R1(config)#int f0/0
R1(config-if)#no shutdown
R1(config-if)#ip add 12.1.1.1 255.255.255.0
R1(config-if)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2

R2(config)#int f0/0
R2(config-if)#no shutdown
R2(config-if)#ip add 12.1.1.2 255.255.255.0
R2(config)#int f1/0
R2(config-if)#no shutdown
R2(config-if)#ip add 23.1.1.2 255.255.255.0

R3(config)#int f0/0
R3(config-if)#no shutdown
R3(config-if)#ip add 23.1.1.3 255.255.255.0
R3(config)#int lo0
R3(config-if)#ip add 3.3.3.3 255.255.255.0
R3(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2
2. VPN policy configuration:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
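R1(config)#crypto isakmp key 0 cisco address 23.1.1.3 //on a real device there is no need to add digits such as 0/6
Configure the transform set:
R1(config)#crypto ipsec transform-set ccna esp-aes esp-md5-hmac
Configure the IPsec profile and reference the transform set:
R1(config)#crypto ipsec profile aa
R1(ipsec-profile)#set transform-set ccna //reference the transform set
Configure the tunnel: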
R1(config)#interface tunnel 1
R1(config-if)#tunnel source fastEthernet 0/0
R1(config-if)#tunnel destination 23.1.1.3 //note that there is also a description command here, so this is sometimes typed wrong
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#ip add 13.1.1.1 255.255.255.0
R1(config-if)#tunnel protection ipsec profile aa //reference IPsec profile aa
Deploy a dynamic routing protocol and advertise 1.1.1.0 and 13.1.1.0:
R1(config)#router eigrp 90
R1(config-router)#no auto-summary
R1(config-router)#network 1.1.1.0 0.0.0.255
R1(config-router)#network 13.1.1.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.255 //other subnets can be advertised as well
Add Loopback 1:
R1(config)#int lo1
R1(config-if)#ip add 10.1.1.1 255.255.255.0
Verification: only the show commands are listed here; the rest is omitted
R1#show run | s crypto
R1#show ip int bri
R1#show run int tunnel 1
R3 is configured in the same way as R1:
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config)#crypto isakmp key 0 cisco address 12.1.1.1

R3(config)#crypto ipsec transform-set ccna esp-aes esp-md5-hmac

R3(config)#crypto ipsec profile aa
R3(ipsec-profile)#set transform-set ccna

R3(config)#interface tunnel 1
R3(config-if)#tunnel source fastEthernet 0/0
R3(config-if)#tunnel destination 12.1.1.1
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#ip add 13.1.1.3 255.255.255.0
R3(config-if)#tunnel protection ipsec profile aa

R3(config)#router eigrp 90
R3(config-router)#no auto-summary
R3(config-router)#network 3.3.3.0 0.0.0.255
R3(config-router)#network 13.1.1.0 0.0.0.255
Verification:
R3(config-if)#
Mar 1 00:29:07.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
Mar 1 00:29:07.855: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 90: Neighbor 13.1.1.1 (Tunnel1) is up: new adjacency
Test 1:
R3#ping 1.1.1.1 //it works; normally, without source 3.3.3.3, it should not
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/104/116 ms
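Finding the cause:
R3#show ip route //no interesting traffic has been defined so far, so any traffic that leaves through the Tunnel gets through; interesting traffic can also be added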
D 1.1.1.0 [90/297372416] via 13.1.1.1, 00:04:05, Tunnel1
3.0.0.0/24 is subnetted, 1 subnets
R3#show crypto engine connections active

R3#ping 1.1.1.1 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 12/45/132 ms
R3#show crypto engine connections active

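Conclusion: 80 + 50 = 130, which is close to 145, so the traffic got through; because there is other traffic as well, the actual value may be a little larger than 130.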
R3#ping 12.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/79/132 ms
R3#show crypto engine connections active //view basic information about the active VPN sessions

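Conclusion: 145 + 100 = 245 > 175, which is much larger; because 12.1.1.1 takes the default-route path and does not go through Tunnel 1, it does not show up here.
Likewise, a ping to 13.1.1.1 will show up.
Summary: the router's light keeps blinking, which shows that packets are flowing through it.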
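
The reasoning behind the tests above, as an added Python example that is not part of the original post: with a VTI there is no interesting-traffic ACL, so a packet is encrypted only if routing sends it out of Tunnel1. The route list is rebuilt from the configuration and the "show ip route" line on this page, the counter readings 80, 145 and 175 are the ones quoted in the conclusions, and the function names are assumptions of this example.

```python
import ipaddress

# R3's forwarding view, rebuilt from the configuration on this page.
# Tunnel1 is the IPsec VTI; FastEthernet0/0 is the clear-text uplink.
R3_ROUTES = [
    ("1.1.1.0/24", "Tunnel1"),           # EIGRP route learned via 13.1.1.1
    ("13.1.1.0/24", "Tunnel1"),          # connected: tunnel subnet
    ("3.3.3.0/24", "Loopback0"),         # connected
    ("23.1.1.0/24", "FastEthernet0/0"),  # connected
    ("0.0.0.0/0", "FastEthernet0/0"),    # static default via 23.1.1.2
]


def egress_interface(dest, routes=R3_ROUTES):
    """Longest-prefix match: return the interface a packet to dest leaves on."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_encrypted(dest, vti="Tunnel1"):
    """No crypto ACL exists on a VTI: traffic is protected only if it is
    routed into the tunnel interface."""
    return egress_interface(dest) == vti


def counters_confirm_tunnel(before, after, pings_sent):
    """The page's check: the crypto packet counter has to grow by at least
    the number of pings sent (other traffic can push it higher)."""
    return (after - before) >= pings_sent


if __name__ == "__main__":
    # (destination, counter before, counter after, pings sent)
    observations = [("1.1.1.1", 80, 145, 50), ("12.1.1.1", 145, 175, 100)]
    for dest, before, after, sent in observations:
        predicted = is_encrypted(dest)
        observed = counters_confirm_tunnel(before, after, sent)
        print(f"{dest}: leaves via {egress_interface(dest)}, "
              f"predicted encrypted={predicted}, counters say tunnel={observed}")
```

The ping to 12.1.1.1 succeeds but crosses the 23.1.1.0/24 link outside the tunnel, which is why a successful ping alone does not prove that traffic is protected.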

Reposted from blog.51cto.com/13856092/2138543