CCNP ICW實驗手冊資料

實驗一：MPLS配置

實驗環(huán)境：三臺路由器Ethernet接口相連，接口配苴如圖

要求：在三臺路由器相連的接口分別啟用MPLS,查看相應(yīng)的結(jié)果，在啟用前使其在OSPF下

互通。

步驟一：接口配置連通性，啟用OSPF路由協(xié)議

RI(config-if)ttintcO/1

Rl(config-if)#ipadd10.1.1.1255.255.255.0

RI(config-if)#noshutdown

Kl(cuurig)#inLt-0/0

Rl(config-if)ttipadd20.1.1.1255255.255.0

RI(config-if)Unosh

Rl(config)#routerospf100)啟用路由協(xié)議,發(fā)布接口

RI(config-router)ttnet10.1.1.00.D.0.255area0

RI(config-router)#net20.1.1.00.0.0.255area0

R2(config)#inteO/I

R2(config-if)ttipadd20.1.1.2255.255.255.0

R2(config-if)#nosh

R2(config-if)ttinte0/0

R2(config-if)?ipadd30.1.1.1255.255.255.0

R2(config-if)#nosh

R2(config)"routerospf100

R2(config-router)ttnet20.1.1.00.D.0.255area0

R2(config-router)?net30.1.1.00.D.0.255area0

R3(config)#inteO/1

R3(config-if)?ipadd30.1.1.2255255.255.0

R3(config-if)#nosh

R3(config-if)Ointe0/0

R3(config-if)#ipadd40.1.1.1255.255.255.0

R3(config-if)ttnosh

R3(config-if)#exit

R3(config)ttrouterospf100

R3(config-router)#net30.1.1.00.0.0.255area0

R3(config-router)#net30.1,1.00.0.0.255area0

步驟二：查看路由，并測試連通性

Rl#showiproute今查看路由表

20.0.0.0/24issubnetted,1subnets

C20.1.1.0isdirectlyconnected,Ethernet0/0

40.0.0.0/24issubnetted,1subnets

040.1.1.0[110/30]via20.I.1.2,00:00:15,Ethernet0/0

10.0.0.0/24issubnetted,1subnets

10.1.1.0isdirectlyconnected,EthernetO/1

30.0.0.0/24issubnetted,1subnets

030.1.1.0[110/20]via20.1.1.2,00:00:15,EthernetO/O

R2#showiproute

20.0.0.0/24issubnetted,1subnets

C20.1.1.0cuuneuled,EllteinelO/1

40.0.0.0/24issubnetted,1subnets

040.1.1.0[110/20]via30.I.1.2,00:00:23,Ethernet0/0

10.0.0.0/24issubnetted,1subnets

010.1.1.0[110/20]via20.L.1.1,00:00:23,EthernetO/1

30.0.0.0/24issubnetted,1subnets

C30.1.1.0isdirectlyconnected,Ethernet0/0

R3#showiprouteT查看路由表，都也學(xué)到相關(guān)路由

20.0.0.0/24issubnetted,1subnets

020.1.1.0F110/201via30.I.1.1.00:00:06.Ethernet0/1

40.0.0.0/24issubnetled,1subnets

40.1.1.0isdirectlyconnected,EthernetO/O

10.0.0.0/24issubnetted.1subnets

010.1.1.0[110/30]via30.L1.1,00:00:06,EthernetO/1

30.0.0.0/24issubnetted,1subnets

c30.1.1.0isdirectlyconnected,EthernetO/1

Raping40.1.1.19測試連通性

Typeescapesequencetoabort.

Sending5,100-bytcICMPEchosto40.1.1.1,timeoutis2seconds:

111fi

Successrateis100percent(5/5).round-tripmin/avg/max=4/4/4rrs

R3#ping10.1,1.1

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto,timeoutis2seconds:

Mill

Successrateis100percent(5/5):round-tripmin/avg/max=4/4/4irs

步驟三：啟用相關(guān)接口的MPLS,及快速轉(zhuǎn)發(fā)功能

Rl(config)Uipcef今啟用快速轉(zhuǎn)發(fā)功能

RI(config)#inte0/0

Rl(config-if)#mplsip)接口啟用MPLS

R2(config)ttipcef

R2(config)ttinte0/l

R2(config-if)#mp1sip

R2(config-if)#intc0/0

R2(config-if)#mp1sip

R3(config)ttipcef

R3(config)#inte0/l

R3(config-if)#mp1sip

步驟四：查看MPLS狀態(tài)

Rl#showmplsforwarding-table查看MPLS轉(zhuǎn)發(fā)表

LocalOutgoingPrefixBytestagOutgoingNextHop

tagtagorVCorTunnelIdswitchedinterface

161640.1.1.0/240El0/020.1.1.2

17Poptag30.1.1.0/240El0/020.1.1.2

R2#showmplsforwarding-table

LocalOutgoingPrefixBytestagOutgoingNextHop

tagtagorVCorTunnelIdswitchedinterface

16Poptag40.1.1.0/240EtO/O30.1.1.2

17Poptag10.1.1.0/240ElO/120.1.1.1

R3#showmplsforwarding-table

LocalOutgoingPrefixBytestagOutgoingNextHop

tagtagorVCorTunnelIdswitchedinterface

16Poptag20.1.1.0/240EtO/130.1.1.1

171710.1.1.0/210EtO/130.1.1.1

Rl#showipcefsummary今查看CEI,轉(zhuǎn)發(fā)匯總信息及標(biāo)記信息

IPCEFwithswitching(TableVersion16),flags=0x0

16routes,0reresolve,0unresolved(0old,0new),peak0

16leaves,18nodes,20896bytes,21inserts,5invalidations

0loadsharingelements,0bytes,0references

universalper-destinationloadsharingalgorithm,id86C8F0BF

3(0)CEFresets,0revisionsofexisting1caves

ResolutionTimer:Exponential(currentlyIs,peakIs)

0in-place/0abortedmodifications

refcounts:4877leaf,4864node

Tableepoch:0(16entriesatthisepoch)

AdjacencyTablehas2adjacencies

R2#showipcefsummary

IPCEFwithswitching(TableVersion17),flags=0x0

17routes,0reresolve,0unresolved(0old,0new),peak0

171eaves,18nodes,21032bytes,22inserts,5invalidations

0loadiugeleiiiuiiLsr0byles,0iefeieuces

universalper-destinationloadsharingalgorithm,idFCD3DE86

3(0)CEFresets,0revisionsofexistingleaves

ResolutionTimer:Exponential(currentlyIs,peakIs)

0in-place/0abortedmodifications

refcounts:4879leaf,4864node

Tabicepoch:0(17entriesatthisepoch)

AdjacencyTablehas4adjacencies

R3#showipcefsummary

IPCEFwithswitching(TableVersion16).flags=0x0

16routes,0reresolve,0unresolved(0old,0new),peak0

16leaves,18nodes,20896bytes,21inserts,5invalidations

0loadsharingelements,0bytes,0references

universalper-destinationloadsharingalgorithm,id86B9347C

3(0)CEFresets,0revisionsofexistingleaves

ResolutionTimer:Exponential(currentlyIs,peakIs)

0in-place/0abortedmodifications

refcounts:4877leaf,4864node

Tableepoch:0(16entriesatthisepoch)

AdjacencyTablehas2adjacencies

注：也可用showipcefdetail這條命令來查看詳細(xì)信息

Raping40.1.1.16測試連通性

Mill

R3#ping10.I.i.I

步驟五：顯示當(dāng)前配置信息

Rl#showrun

hostnameRI

ipcef

j

interfaceEthernet0/0

ipaddress20.1.L1255.255.255.D

half-duplex

tag-switchingip

interfaceEthernetO/1

ipaddress10.1.1.1255.255.255.0

half-duplex

j

routerospf100

network10.1.1.00.0.0.255areaD

network20.1.1.00.0.0.255area0

j

end

R2#showrun

hostnameR2

j

ipcef

interfaceEthernet0/0

ipaddress30.1.1.1255.255.255.?)

half-duplex

tag-switchingip

j

interfaceEthernet0/1

ipaddress20.1.1.2255.255.255.?)

half-duplex

tag-switchingip

j

routerospf100

network20.1.1.00.0.0.255areaD

network30.1.1.00.0.0.255areaD

j

end

R3#showrun

hostnameR3

!

ipcef

!

interfaceEthernet0/0

ipaddress40.1.1.1255.255.255.0

half-duplex

i

interfaceEthernet0/l

ipaddress30.1.1.2255.255.255.0

ha]f-duplex

lag-swilullingip

J

routerospf100

network30.1.1.00.0.0.255area?)

network40.1.1.00.0.0.255area0

end

實驗二：ipsecsite-to-siteVPN配置

環(huán)境：兩臺路由器串口相連，接口配置如圖

要求：用兩個LOOP口模擬VPN感興趣流來建立IPSECVPN,IKE1階段用預(yù)共享密鑰，IKE2

階段哈希穌法用sha,加密算法用DES.

/24

Loop0Loop0

1.1.1J/24/24

步驟一：接口基本配置，并測試連通性

RI(config)#ints0

Rl(config-if)#ipadd10.1.1.1255.255.255.0

RI(config-if)#clockrate64000

RL(config-if)ttnosh

RI(config)(tintloop0

RI(config-if)ttipadd1.1.1.1255.255.255.0

R2(config)#intsi

R2(config-if)#ipadd10.1.1.2255.255.255.0

R2(config-if)#nosh

R2(config)#intloop0

R2(config-if)ttipadd1.1.2.1255.255.255.0

Riffping10.1.1.2今測試連通性，再做IPSEC

11111

Successrateis100percent(5/5)round-tripmin/avg/max=28/31/32ms

R2#ping10.1.1.1

11111

Successrateis100percent(5/5)：round-tripmin/avg/max=32/32/32ms

配置二：配置IKE1和IKE2兩個階段，并應(yīng)用到接口

RI(config)ttcryptoisakmppolicy10今IKE1階段策略

RI(config-isakmp)#authenpre-share今將驗證修改為預(yù)共享

RI(config)ttcryptoisakmpkeyciscoaddress10.1.1.2今定義預(yù)共享密鑰

RI(config)Ucryptoipsectransformmysetesp-sha-hmacesp-des

分定義2階段的轉(zhuǎn)換集

RI(config)Uaccess-list100permitip1.1.1.00.0.0.2551.1.2.00.0.0.255

今定義加密感興趣流

RI(config)Ucryptomapmymap10ipsec-isakmp)定義2階段加密圖

%NOTE:Thisnewcryptomapwillremaindisableduntilapeer

andavalidaccess1isthavebeenconfigured.

RI(config-crypto-map)ftnatchaddress1006將列表應(yīng)用到加密圖

RI(config-crypto-map)Ssetpeer10I.1.2今指定對等體

RI(config-crypto-map)#settransform-setmyset今將轉(zhuǎn)換集映射到加密圖

RI(config)#inlsO

RI(config-if)Ucryptomapmyinap今將加密圖應(yīng)用到接LI

RI(config)ttiproute1.1.2.0255.255.255.020.1.1.2

今指定隧道感興趣流的路由走向

R2(config)ttcryptoisakmppolicy10->R2與RI端策略要匹配

R2(config-isakmp)iiriuthenticationpre-share

R2(config-isakmp)#cxit

R2(config)ttcryptoisakmpkeyciscoaddress10.1.1.1今密鑰一致,地址相互指

R2(config)#cryptoipsectransform-selmysetesp-desesp-sha-hmac

R2(cfg-crypto-trans)#exitT兩端必須匹配，默認(rèn)即為lunnel模式

R2(config)#access-list102permitip1.1.2.00.0.0.2551.1.1.00.0.0.255

今感興趣流，兩端互指

R2(config)ttcryptomapmyinap10ipsec-isakmp)加密圖

%NOTE:Thisnewcryptomapwillremaindisableduntilapeer

andavalidaccesslisthavebeenconfigured.

R2(config-crypto-map)#setpeer10!.1.1今對端的物理地址

R2(config-crypto-map)#settransform-setmyset

R2(config-crypto-map)#matchaddress102

K2(cuufig-ciyplu-iutiplSeAiI

R2(config)Uiproute1.1.1.0255.255.255.010.1.1.16加密圖感興趣流的路由

R2(config)#intsi

R2(config-if)Ucryptomapmyinap+加密映射應(yīng)用到接LI下

步驟三：測試流是否加密，直接用接口ping出

Rl#ping1.1.2.1

Successrateis100percent(5/5).round-tripmin/avg/max=32/33/36ms

R2#ping1.1.1.1

!I1II

Successrateis100percent(5/5).round-tripmin/avg/max=32/33/36ms

分別在RI和R2上查看兩個階段的關(guān)聯(lián)

Rl#showcryptoisakmpsa今沒有住何關(guān)聯(lián)

dstsrestateconn-idslot

R2#showcryptoisaknipsa

srcstateconn-idslot

Rltfshowcryptoipsecsa今沒有任何加需包，關(guān)聯(lián)也沒有建立

interface:ScrialO

Cryptomaptag:mymap,localaddr.10.1.1.1

localidem(addr/mask/prot/porl):(1.1.1.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/p?>rt):(1.1.2.0/255.255.255.0/0/0)

current_peer:10.1.1.2

PERMIT,flags={origin_is_acl}

#pktsencaps:0,#pktsencrypt:0,#pktsdigest0

#pktsdecaps:0,#pktsdecrypt:0,ttpktsverify0

即ktscompressed:0,#pktsdecompressed:0

即ktsnotcompressed:0,#pktscompr.failed:0,#pktsdecompressfailed:0

力senderrors0,ttreeverrorsD

localcryptoendpt.:10.1.1.I,remotecryptoendpl.:10.1.1.2

pathmtu1500,mediamtu1500

currentoutboundspi:0

inboundespsas:

inboundahsas:

inboundpepsas:

outboundespsas:

outboundahsas:

outboundpepsas:

R2#showcryptoipsecsa

interface:Serial1

Cryptomaptag:mymap,localaddr.10.1.1.2

localident(addr/mask/prot/porl):(I.1.2.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)

current_peer:10.1.1.1

PERMIT,flags={origin_is_acl：}

#pktsencaps:0,#pktsencrypt:0,#pktsdigest0

#pktsdecaps:0,#pktsdecrypt:0,tfpktsverify0

?pktscompressed:0.#pktsdecompressed:0

#pktsnotcompressed:0,Spktscompr.failed:0,#pktsdecompressfailed:0

加enderrors0,ttrecverrorsD

localcryptoendpt.:10.1.1.2,remotecryptoendpt.:10.1.1.1

pathmtu1500,mediamtu1500

currentoutboundspi:0

inboundespsas:

inboundahsas:

inboundpepsas:

outboundespsas:

outboundahsas:

outboundpepsas:

步驟四：用擴展ping來觸發(fā)感興趣流量

Rl#pingip

TargetIPaddress:1.1.2.1

Repeatcount[5]:10今將包調(diào)為10個，否則一個ping看不到效果

Extendedcommands[n]:y

SuuiuetiddiebbuxinluiTaue；1.1.I.1

Sending10,lOObyteICMPEchosto,timeoutis2seconds:

....!!!!!!今已經(jīng)觸發(fā)了感興趣流，并且ping通

Successrateis60percent(6/10)round-tripmin/avg/max=84/84/84ms

步驟五：再次杳看兩個階段的關(guān)聯(lián)，以及加密情況

Rl#showcryptoisasa->1KEI階段關(guān)聯(lián)已建立為快速模式

dstsrestateconn-idslot

10.1.1.210.1.1.1QM_IDLE10

Rl#showcryptoipsecsa

今IKE2階段關(guān)聯(lián)建立，并加密廣流量,隧道也已成功建立

interface:SerialO

Cryptomaptag:mymap,localaddr.10.1.1.1

localident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/porl):(1.1.2.0/255.255.255.0/0/0)

current_peer:10.1.1.2

PERMIT,flags={origin_is_acL}

#pktsencaps:6,#pktsencrypt:6,ttpktsdigest6

Spktsdccaps:6,#pktsdecrypt:6,ttpktsverify6

即ktscompressed:0,#pktsdecompressed:0

即ktsnotcompressed:0,和ktscompr.failed:0,#pktsdecompressfailed:0

力senderrors14,#recverrors0

localcryptoendpt.:10.1.1.1,remotecryptoendpt.:10.1.1.2

pathmtu1500,mediamtu1500

currentoutboundspi:84AEB2E6

inboundespsas:

spi:Ox1E44ABID(507816733)

transform:csp-dcsesp-sha-hmac,

inusesettings={Tunnel,}

slot:0,connid:2000,flow_id:1,cryptomap:mymap

satiming:remainingkeylifetime(k/sec):(4607999/3520)

IVsize:8bytes

replaydetectionsupport:Y

inboundahsas:

inboundpepsas:

outboundespsas:

spi.0A84AEB2EG(2226011574)

transform:esp-desesp-sha-hmac,

inusesettings={Tunnel,}

slot:0,connid:2(X)1,flow_id:2,cryptomap:mymap

satiming:remainingkeylifetime(k/sec):(4607999/3520)

IVsize:8bytes

replaydetectionsupport:Y

outboundahsas:

outboundpepsas:

R2#showcryptoisasa

(1stsrestateconn-idslot

10.1.1.210.1.1.1Q\lIDLE10

R2#showcryptoipsecsa

interface:Serial1

Cryptomaptag:mymap,localaddr.10.1.1.2

localidcnt(addr/mask/prot/port):(1.1.2.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)

current_peer:10.1.1.1

PERMIT,flags={origin_is_acl}

#pktsencaps:6,#pktsencrypt:6,ttpktsdigest6

#pktsdecaps:6,#pktsdecrypt:6,ttpktsverify6

ttpktscompressed:0.^pktsdecompressed:0

即ktsnotcompressed:0,ffpktscompr.failed:0,#pktsdecompressfailed:0

△senderrors0,#recverrors0

localcryptocndpt.:10.1.1.2,remotecryptoendpt.:10.1.1.1

pathmtu1500,mediamtu1500

currentoutboundspi:1E44ABID

inboundespsas:今進站流已經(jīng)產(chǎn)生

spi:0x84AEB2E6(2226041574)

transform:esp-desesp-sha-hmac,

inusesettings={Tunnel,}

slot:0,connid:2000,flowid:1,cryptomap:mymap

satiming:remainingkeylifetime(k/scc):(4607999/3502)

IVsize:8bytes

replaydetectionsupport:Y

inboundahsas:

inboundpepsas:

outboundespsas:今出站流已經(jīng)產(chǎn)生

spi:0xlE44ABlD(507816733)

transform:csp-dcsesp-sha-hmac,

inusesettings={Tunnel,}

slot:0,connid:2001,flow_id:2,cryptomap:mymap

satiming:remainingkey1ifetimc(k/sec):(4607999/3502)

IVsize:8bytes

replaydetectionsupport:Y

outboundahsas:

outboundpepsas:

配置五：查看當(dāng)前的配置

Rl#showrun

hostnameRI

!

cryptoisakmppolicy10

authenticationpre-share

cryptoisakmpkeyciscoaddress10.1.1.2

;

cryptoipsectransform-setmysetesp-desesp-sha-hmac

j

cryptomapmymap10ipsec-isakmp

setpeer10.1.1.2

settransform-setmyset

matchaddress102

?

interfaceLoopbackO

ipaddress1.1.1.1255.255.255.0

t

interfaceSerialO

ipaddress10.1.1.1255.255.255.0

clockrate64000

cryptomapmymap

iproute1.1.2.0255.255.255.010.1.1.2

access-list102permitip0.0.0.2551.1.2.00.0.0.255

!

end

R2#showrun

hostnameR2

j

cryptoisakmppolicy10

authenticationprc-sharc

cryptoisakmpkeyciscoaddressID.1.1.1

!

cryptoipsectransform-setmysetesp-desesp-sha-hmac

j

cryptomapmymap10ipsecisakmp

setpeer10.1.1.1

settransform-setmyset

matchaddress102

interfaceLoopbackO

ipaddress1.1.2.1255.255.255.0

i

interfaceSerial1

ipaddress10.1.1.2255.255.255.D

cryptomapmymap

!

iproute1.L1.0255.255.255.010.1.1.1

j

access-list102permitip1.1,2.00.0.0,2551.1.1.00.0.0.255

j

end

實驗三：GREVPN的配置

環(huán)境：三臺路由器串口相連，接口配置如圖

要求：在RI和R3之間建立GRE隧道，地址如圖

GRP實驗拓?fù)?/p>

步驟一：接口配置連通性，

RI(config)#intsO

Rl(config-if)#ipadd20.1.1.1255.255.255.0

RI(config-if)ttnosh

RL(config-if)ttinlloO

Rl(config-if)#ipadd10.1.1.1255255.255.0今虛擬私有網(wǎng)絡(luò)

Rl(config)#iproute0.0.0.00.0.0020.1.1.2)上互聯(lián)網(wǎng)的缺省路由

ISP(config)#ints01【SP路由器虛擬互聯(lián)網(wǎng)

ISP(config-if)#ipadd30.1.1.1255.255.255.0

ISP(config-if)#clra64000

ISP(config-if)#nosh

ISP(config-if)#intsi

13P<cunrig-if)#ipadd20.1.1.2253.255.255.0

ISP(config-if)#clra64000

ISP(config-if)?nosh

R3(cor)fig)#intsi

R3(config-if)#ipadd30.1.1.2255.255.255.0

R3(config-if)#nosh

R3(config-if)#intloo0

R3(config-if)#ipadd10.1.1.1255255.255.0今虛擬私有網(wǎng)絡(luò)

R3(config-if)#exit

R3(config)Uiproute0.0.0.00.0.0,030.1.1.2今上互聯(lián)網(wǎng)的缺省路由

步驟二：測試哪些可達(dá)，哪些不可達(dá)

R3#ping10.1.1.11由于ISP沒有私網(wǎng)的路由

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto10.1.1.1,timeoutis2seconds:

U.U.U

Successrateis0percent(0/5)

R3#ping20.I.1.I9合法地址是能做通訊的

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto,timeoutis2seconds:

?111r

Successrateis100percent(5/5)round-tripmin/avg/max=56/60/64ms

步驟三：實施GRE隧道技術(shù)

RI(config)ttinttunnel0進入隧道接口

Rl(config-if)#ipadd100.1.I.1255.255.255.0今指定【P地址,兩端要在一個網(wǎng)段

RI(config-if)tttunnclsourcesO指定承載隧道的源和目的接口

RI(config-if)tttunneldestinationJO.1.1.2

RI(config-if)ttnosh

Rl(config)#iproute40.1.1,0255.255.255.0LunnelO今為私有網(wǎng)絡(luò)指路由走tunnel

接口

R3(config)ttinttunnel0

R3(config-if)?ipadd100.1.1,2255.255.255.0

R3(config-if)#tunnelsourcesi互指源和H的

R3(config-if)tttunne1destination20.1.1.I

R3(config-if)#nosh

R3(config-if)#exit

R3(config)#iproute10.1.1.0255.255.255.0tunnel0今指對端的私有網(wǎng)絡(luò)

步驟四：做PING測試

Raping40.1,1.16都已PING通,證明GRE隧道已建立

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto40.1.1.1,timeoutis2seconds:

Successrateis100percent(5/5)：round-tripmin/avg/max=72/72/76ms

Raping10.1.1.1

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto10.1.1.1,timeoutis2seconds:

Successrateis100percent(5/5).round-tripmin/avg/max=72/72/76ms

步驟五：驗證結(jié)果

RISshowinttunnel0

TunnelOisup,lineprotocolisupftunnel接口己經(jīng)UP

HardwareisTunnel

Internetaddressis100.1.1.1/24

R3#showinttunnel0

TunnelOisup,lineprotocolisup

HardwareisTunnel

Internetaddressis100.1.1.2/24

Rl#showinttunnel0accounting->tunnel接口的統(tǒng)計信息，包的統(tǒng)計

TunnelO

ProtocolPktsInCharsInPktsOutCharsOut

IP101000101000

R3#showinttunnel0accounting

TunnelO

ProtocolPktsInCharsInPkisOutCharsOut

IP101000101000

步驟六：顯示當(dāng)前配置

Rltfshowrun

hostnameRI

!

interfaceLoopbackO

ipaddress10.1.1.1255.255.255.0

j

interfaceTunnelO

ipaddress100.1.1.1255.255.2550

tunnelsourceSerialO

tunneldestination30.1.1.2

j

interfaceSerialO

ipaddress20.1.1.1255.255.255.0

j

iproute0.0.0.00.0.0.020.1.1.2

iproute40.1.1.0255.255.255.0TunnelO

End

ISP#showrun

hostnameISP

interfaceSerialO

ipaddress30.I.1.1255.255.255.0

clockrate64000

I

interfaceSerial1

ipaddress20.1.1.2255.255.255.?)

clockrate64000

end

R3#showrun

hostnameR3

i

interfaceLoopbackO

ipaddress40.1.1.1255.255.255.0

j

interfaceTunnelO

ipaddress100.1.1,2255.255.2550

tunnelsourcesi

tunneldestination20.1.1.1

!

interfaceSerial1

ipaddress30.1.1.2255.255.255.0

i

ipioule0.0.0.00.0.0.030.1.1.2

iproute10.1.1.0255.255.255.0TunnelO

end

實驗四：靜態(tài)VS.動態(tài)CryptoMap批注［微軟中國1)：加密映射

功能:將所有必要的巖息組織在?起來構(gòu)建?個Ipsec

會話…管理和數(shù)據(jù)連接…到遠(yuǎn)端的刻等設(shè)法.

岸態(tài)的cryptomap條目的一個問題是，必須指定遠(yuǎn)程對等設(shè)缶的IP地址.如果本地或者遠(yuǎn)程

R動態(tài)獲得它們的地址信息是,會變得寸常困難.

topology

10.1.1.0/24-routerl-172.16.171.10——172.16.171.20-router2-10.1.2.0/24

Basicroute

Routerl:

iproute0.0.0.00.0.0.0172.16.171.20

Router2:

批注［微軟中國2J:在路由器上建、工了一個可用的

iproute0.0.0.00.0.0.0172.16.171.10

ISKAMP/IKE的管理連接策略

IKEPhaseIpolicy批注［微軟中國3|:打定用于設(shè)備驗證的萬法.

Routerl:批注［微軟中國41:后定使用「哪種加密算法.

cryptoisakmppolicy1

批注［微軟中國51:后定「使用的DH制仍組.

aulhenlicalionper-shared

hashIIK15批注【微軟中國外為設(shè)備驗證配置一個對稱的預(yù)共享

encryption3des密鑰.0表示后面的密鑰(cisco)不加密.6代表已經(jīng)被加

group2密.

cryptoisakmp6keyciscoaddress172.16.171.20批注【微軟中國7):適配一個密鑰.使其能夠用于多個對

等體?.

Router2:

批注I微軟中國8J:定義保護方法:然認(rèn)模式是tunnel,

cryptoisakmppolicy1

transonn-set傳輸娓定義數(shù)據(jù)流域是否被保護的一安

aullieuliualiunper-sliaied

全協(xié)議和算法/功能.對于數(shù)據(jù)SA能物成功協(xié)商,在兩臺

hashmd5

1Pe時等設(shè)備之間至少有一個匹配的傳輸集.

encr3dessc

group2批注I微軟中國9|：

cryptoisakmpkeyciscoaddress00.0.00.0.0.0csp-dcsES加密

csp-sha-hmacESP完整性校驗

IPSecPhase11policy

批注［微軟中國10)：定義被保護的濾盤

Routerl:

批注【微軟中國1"：使用ISAKMPJIKE.為vpn建立.

cryptoipsectransform-setciscoesp-dcsesp-sha-hmac

cryptomap的條目.

access-list101permitip10.1.1.00.0.0.25510.1.2.00.0.0.255批注【微軟中國12):指定了對于crypi。ACL中指定的流

卅.R應(yīng)當(dāng)和誰連接.

BialicCryploMap)

批注【微軟中國13):用戶保護去往setpeer命令中指定

cryptomapvpn10ipsec-isakmp

的對等設(shè)名的流量.

setpeer；172.16.171.20

settransform-setcisco批注［微軟中國14］:指定保護流帚的crjptoACL的名字

matchaddress]1ist101或者號碼.如果引用了不存在的cryptoACL,router將丟

棄所有的發(fā)送給他們的未保護流最

Router2:

cryptoipsectransform-setciscoesp-desesp-sha-hmac

DynamicCryptoMap|

cryptodynamic-mapdynamap10

settransform-setcisco批注［微軟中國15)：必要命令.其他命令是可選.

cryptomapvpn10ipsec-isakmpdynamicdynamap批注【微軟中國16):動態(tài)crypt。不需要應(yīng)用到路由器的