Revisiting IPsec tunnels ❤️
Posted by 新网工李白
🐄Topology
🐄Lab environment
The topology has four parts: the headquarters Tiger HQ on the far left, the ISP in the middle, branch Branch1 at the top right and branch Branch2 at the bottom right. The border device at headquarters and at each branch is a USG 6000V firewall, and each of them connects to a carrier PE device. Headquarters has VLAN 10 and VLAN 20: hosts A and B are in VLAN 10, hosts C and D are in VLAN 20.
🐄Requirements
- Hosts on the internal network of each site can reach one another.
- All internal hosts at headquarters and at both branches can reach the Internet through their border firewall.
- Headquarters hosts can reach the hosts at both branches, and branch hosts can reach the headquarters hosts.
🐄Configuration
Headquarters
🐖SW1
[SW1]int lo0
[SW1-LoopBack0]ip add 10.1.11.11 32
[SW1-LoopBack0]quit
[SW1]vlan batch 10 20 // create the VLANs
[SW1]quit
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]quit
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]quit
[SW1]int eth-trunk 12
[SW1-Eth-Trunk12]trunkport g0/0/23 to 0/0/24
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
[SW1-Eth-Trunk12]quit
[SW1]stp mode mstp
[SW1]stp region-configuration
[SW1-mst-region]region-name Tigerlab
[SW1-mst-region]revision-level 1256
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]active region-configuration
[SW1-mst-region]quit
[SW1]stp instance 10 root primary
[SW1]stp instance 20 root secondary
[SW1]int vlan 10
[SW1-vlanif10]ip add 10.1.10.11 24
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]ip add 10.1.20.11 24
[SW1-vlanif20]quit
[SW1]int vlan 10
[SW1-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW1-vlanif10]vrrp vrid 10 priority 105
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW1-vlanif20]quit
[SW1]vlan 111
[SW1-vlan111]quit
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 111
[SW1-GigabitEthernet0/0/3]stp edged-port enable
[SW1-GigabitEthernet0/0/3]quit
[SW1]stp bpdu-protection
[SW1]int vlan 111
[SW1-vlanif111]ip add 10.1.111.11 24
[SW1-vlanif111]quit
[SW1]ospf 10 router-id 10.1.11.11
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]net 10.1.11.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.111.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0
Check the STP result with display stp instance 10: the output shows SW1 as the primary root for instance 10, which carries VLAN 10.
🐖SW2
[SW2]int lo0
[SW2-LoopBack0]ip add 10.1.12.12 32
[SW2-LoopBack0]quit
[SW2]vlan batch 10 20
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]quit
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]quit
[SW2]int eth-trunk 12
[SW2-Eth-Trunk12]trunkport g0/0/23 to 0/0/24
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan all
[SW2-Eth-Trunk12]quit
[SW2]stp mode mstp
[SW2]stp region-configuration
[SW2-mst-region]region-name Tigerlab
[SW2-mst-region]revision-level 1256
[SW2-mst-region]instance 10 vlan 10
[SW2-mst-region]instance 20 vlan 20
[SW2-mst-region]active region-configuration
[SW2-mst-region]quit
[SW2]stp instance 20 root primary
[SW2]stp instance 10 root secondary
[SW2]int vlan 10
[SW2-vlanif10]ip add 10.1.10.12 24
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]ip add 10.1.20.12 24
[SW2-vlanif20]quit
[SW2]int vlan 10
[SW2-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW2-vlanif20]vrrp vrid 20 priority 105
[SW2-vlanif20]quit
[SW2]vlan 112
[SW2-vlan112]quit
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 112
[SW2-GigabitEthernet0/0/3]stp edged-port enable
[SW2-GigabitEthernet0/0/3]quit
[SW2]stp bpdu-protection
[SW2]int vlan 112
[SW2-vlanif112]ip add 10.1.112.12 24
[SW2-vlanif112]quit
[SW2]ospf 10 router-id 10.1.12.12
[SW2-ospf-10]area 0
[SW2-ospf-10-area-0.0.0.0]net 10.1.12.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.112.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0
On SW1, verify the port-to-VLAN assignment with display port vlan.
On SW1, check VRRP with display vrrp brief: with priority 105 on VRID 10, SW1 should be Master for VRID 10 and Backup for VRID 20, where SW2 holds priority 105.
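Most of what can go wrong in the SW1/SW2 pair is a copy-and-paste slip between the two vlanif blocks: a vlanif given the other VLAN's address, a virtual IP that is no longer inside its interface subnet, an OSPF network statement that no longer matches any interface, or a VRRP master that is not the MSTP root of the same VLAN (in which case that VLAN's traffic crosses the Eth-Trunk just to reach its gateway). The checker below parses the transcript format used on this page and reports these inconsistencies. It is an added example written for this page, not tooling from the lab or from Huawei; the transcripts embedded in it are constructed excerpts of the SW1/SW2 configuration, and SW2_TYPO is a variant in which vlanif10 is mistakenly given the vlanif20 address. It assumes the lab convention that VRRP VRID, MSTP instance and VLAN id share the same number, and it models VRRP election by priority with ties broken by interface address.

```python
"""Consistency checks for the SW1/SW2 transcripts above (added example, not the lab's own tooling)."""
import ipaddress
import re

# A transcript line looks like "[SW1-vlanif10]ip add 10.1.10.11 24": switch, view, command.
PROMPT = re.compile(r"^\[(?P<sw>[^\]-]+)(?:-(?P<view>[^\]]*))?\](?P<cmd>.*)$")


def parse(transcript):
    """Extract interface addresses, VRRP groups, MSTP root roles and OSPF network statements."""
    st = {"name": None, "ip": {}, "vrrp": {}, "root": {}, "ospf": set()}
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        st["name"], view = m["sw"], m["view"] or ""
        cmd = m["cmd"].split("//", 1)[0].split()  # drop trailing // comments
        if len(cmd) >= 4 and cmd[0] == "ip" and cmd[1].startswith("add"):
            st["ip"][view] = ipaddress.ip_interface(f"{cmd[2]}/{cmd[3]}")  # mask may be a prefix length
        elif len(cmd) >= 5 and cmd[:2] == ["vrrp", "vrid"]:
            e = st["vrrp"].setdefault(int(cmd[2]), {"if": view, "prio": 100})  # 100 is the VRRP default
            if cmd[3] == "virtual-ip":
                e["vip"] = ipaddress.ip_address(cmd[4])
            elif cmd[3] == "priority":
                e["prio"] = int(cmd[4])
        elif len(cmd) >= 5 and cmd[:2] == ["stp", "instance"] and cmd[3] == "root":
            st["root"][int(cmd[2])] = cmd[4]  # "primary" or "secondary"
        elif len(cmd) >= 2 and cmd[0] in ("net", "network") and view.startswith("ospf"):
            st["ospf"].add(ipaddress.ip_address(cmd[1]))
    return st


def _election_key(sw, vrid):  # VRRP election: higher priority wins, ties go to the higher interface address
    e = sw["vrrp"][vrid]
    return (e["prio"], int(sw["ip"][e["if"]].ip) if e["if"] in sw["ip"] else 0)


def check(transcripts):
    """Return findings across all switches; an empty list means the configs are consistent."""
    sws = [parse(t) for t in transcripts]
    out = []
    for sw in sws:
        n, seen = sw["name"], {}
        for ifname, ip in sw["ip"].items():  # the same address on two interfaces
            if ip.ip in seen:
                out.append(f"{n}: {ip.ip} configured on both {seen[ip.ip]} and {ifname}")
            seen.setdefault(ip.ip, ifname)
        for vrid, e in sw["vrrp"].items():  # the virtual IP must lie in the carrying vlanif's subnet
            net = sw["ip"].get(e["if"])
            if "vip" not in e or net is None or e["vip"] not in net.network:
                out.append(f"{n}: VRRP {vrid} virtual-ip {e.get('vip')} is not inside {e['if']} subnet")
        addrs = {ip.ip for ip in sw["ip"].values()}  # OSPF host-mask statements vs. real addresses
        for ifname, ip in sw["ip"].items():
            if ip.ip not in sw["ospf"]:
                out.append(f"{n}: {ifname} ({ip.ip}) is not advertised in OSPF")
        for a in sorted(sw["ospf"] - addrs):
            out.append(f"{n}: OSPF network {a} matches no interface address")
    # Lab convention (assumption): VRID == MSTP instance == VLAN id. The VRRP master should also be
    # the MSTP root, otherwise that VLAN's frames cross the Eth-Trunk just to reach the gateway.
    for vrid in sorted({v for sw in sws for v in sw["vrrp"]}):
        holders = [sw for sw in sws if vrid in sw["vrrp"]]
        master = max(holders, key=lambda sw: _election_key(sw, vrid))
        if master["root"].get(vrid) != "primary":
            out.append(f"VRRP {vrid}: master {master['name']} is not MSTP root primary for instance {vrid}")
    return out


# Constructed excerpts of the SW1/SW2 transcripts above (only the lines the checks look at).
SW1 = """
[SW1]stp instance 10 root primary
[SW1]stp instance 20 root secondary
[SW1-vlanif10]ip add 10.1.10.11 24
[SW1-vlanif20]ip add 10.1.20.11 24
[SW1-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW1-vlanif10]vrrp vrid 10 priority 105
[SW1-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0
"""
SW2_FIXED = """
[SW2]stp instance 20 root primary
[SW2]stp instance 10 root secondary
[SW2-vlanif10]ip add 10.1.10.12 24
[SW2-vlanif20]ip add 10.1.20.12 24
[SW2-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW2-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW2-vlanif20]vrrp vrid 20 priority 105
[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0
"""
# Constructed variant: vlanif10 accidentally given the vlanif20 address.
SW2_TYPO = SW2_FIXED.replace("vlanif10]ip add 10.1.10.12", "vlanif10]ip add 10.1.20.12")

if __name__ == "__main__":
    for finding in check([SW1, SW2_TYPO]):
        print(finding)
```

Run against SW1 and SW2_TYPO it reports three findings on SW2 (the duplicated 10.1.20.12, VRID 10's virtual IP outside the vlanif10 subnet, and the OSPF statement for 10.1.10.12 that no longer matches an interface); against SW1 and SW2_FIXED it reports nothing. Removing the priority 105 line from SW1 makes SW2 win the VRID 10 election on its higher address, and the checker flags that SW2 is then master for a VLAN whose MSTP root is SW1.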
🐖SW3
[SW3]int lo0
[SW3-LoopBack0]ip add 10.2.13.13 32
[SW3-LoopBack0]quit
[SW3]vlan batch 30 40
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]stp edged-port enable
[SW3-GigabitEthernet0/0/1]quit
[SW3]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 30
[SW3-GigabitEthernet0/0/2]stp edged-port enable
[SW3-GigabitEthernet0/0/2]quit
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 40
[SW3-GigabitEthernet0/0/3]stp edged-port enable
[SW3-GigabitEthernet0/0/3]quit
[SW3]int g0/0/4
[SW3-GigabitEthernet0/0/4]port link-type access
[SW3-GigabitEthernet0/0/4]port default vlan 40
[SW3-GigabitEthernet0/0/4]stp edged-port enable
[SW3-GigabitEthernet0/0/4]quit
[SW3]stp bpdu-protection
[SW3]vlan 132
[SW3-vlan132]quit
[SW3]int g0/0/24
[SW3-GigabitEthernet0/0/24]port link-type access
[SW3-GigabitEthernet0/0/24]port default vlan 132
[SW3-GigabitEthernet0/0/24]stp edged-port enable
[SW3-GigabitEthernet0/0/24]quit
[SW3]int vlan 132
[SW3-vlanif132]ip add 10.2.132.13 24
[SW3-vlanif132]quit
[SW3]int vlan 30
[SW3-vlanif30]ip add 10.2.30.254 24
[SW3-vlanif30]quit
[SW3]int vlan 40
[SW3-vlanif40]ip add 10.2.40.254 24
[SW3-vlanif40]quit
[SW3]ospf 10 router-id 10.2.13.13
[SW3-ospf-10]area 0
[SW3-ospf-10-area-0.0.0.0]net 10.2.13.13 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.30.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.132.13 0.0.0.0
🐖SW4
[SW4]int lo0
[SW4-LoopBack0]ip add 10.3.14.14 32
[SW4-LoopBack0]quit
[SW4]vlan batch 50
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 50
[SW4-GigabitEthernet0/0/1]stp edged-port enable
[SW4-GigabitEthernet0/0/1]quit
[SW4]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4-GigabitEthernet0/0/2]quit
[SW4]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access
[SW4-GigabitEthernet0/0/3]port default vlan 50
[SW4-GigabitEthernet0