H3C Network Academy Routing and Switching, Volume 4: Lab Guide

Lab 1: Configuring GRE VPN

Lab Task 1: Basic GRE VPN Configuration

Step 1: Set up the lab environment

On SWA, configure VLAN 2 and add interface E1/0/2 to VLAN 2:

    [SWA]vlan 2
    [SWA-vlan2]port Ethernet 1/0/2

Step 2: Check public-network connectivity

View the routing table and port status on SWA and confirm that it is working normally.

    [SWA]display ip interface brief
    *down: administratively down
    (s): spoofing
    Interface            Physical  Protocol  IP Address   Description
    Vlan-interface1      up        up        1.1.1.2      Vlan-inte.
    Vlan-interface2      up        up        2.2.2.2      Vlan-inte.

    [SWA]display ip routing-table
    Routing Tables: Public
            Destinations : 6        Routes : 6

    Destination/Mask    Proto   Pre  Cost  NextHop      Interface
    1.1.1.0/24          Direct  0    0     1.1.1.2      Vlan1
    1.1.1.2/32          Direct  0    0     127.0.0.1    InLoop0
    2.2.2.0/24          Direct  0    0     2.2.2.2      Vlan2
    2.2.2.2/32          Direct  0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0

The display interface command can also be used.

On RTA and RTB, configure the static routes needed for the public-network interfaces to reach each other.

    [RTA]interface GigabitEthernet0/0
    [RTA-GigabitEthernet0/0]ip address 192.168.1.1 255.255.255.0
    [RTA-GigabitEthernet0/0]interface GigabitEthernet0/1
    [RTA-GigabitEthernet0/1]ip address 1.1.1.1 255.255.255.0
    [RTA-GigabitEthernet0/1]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

    [RTB]interface GigabitEthernet0/0
    [RTB-GigabitEthernet0/0]ip address 192.168.2.1 255.255.255.0
    [RTB-GigabitEthernet0/0]interface GigabitEthernet0/1
    [RTB-GigabitEthernet0/1]ip address 2.2.2.1 255.255.255.0
    [RTB-GigabitEthernet0/1]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

Step 3: Configure the GRE tunnel interfaces

    [RTA]interface Tunnel0
    [RTA-Tunnel0]ip address 192.168.3.1 255.255.255.252
    [RTA-Tunnel0]source 1.1.1.1
    [RTA-Tunnel0]destination 2.2.2.1

    [RTB]interface Tunnel0
    [RTB-Tunnel0]ip address 192.168.3.2 255.255.255.252
    [RTB-Tunnel0]source 2.2.2.1
    [RTB-Tunnel0]destination 1.1.1.1

Step 4: Configure static routes for the private networks

    [RTA]ip route-static 192.168.2.0 255.255.255.0 Tunnel0
    [RTB]ip route-static 192.168.1.0 255.255.255.0 Tunnel0

A next-hop address can also be used when configuring these routes.

Step 5: Verify that the tunnel is working

View the routing tables of RTA and RTB. Both the public-network and the private-network routes are present in the routing table:

    [RTB]display ip routing-table
    Routing Tables: Public
            Destinations : 10       Routes : 10

    Destination/Mask    Proto   Pre  Cost  NextHop      Interface
    1.1.1.0/24          Static  60   0     2.2.2.2      GE0/1
    2.2.2.0/24          Direct  0    0     2.2.2.1      GE0/1
    2.2.2.1/32          Direct  0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
    192.168.1.0/24      Static  60   0     192.168.3.2  Tun0
    192.168.2.0/24      Direct  0    0     192.168.2.1  GE0/0
    192.168.2.1/32      Direct  0    0     127.0.0.1    InLoop0
    192.168.3.0/30      Direct  0    0     192.168.3.2  Tun0
    192.168.3.2/32      Direct  0    0     127.0.0.1    InLoop0

View the tunnel interface status on RTA and RTB. The interface uses GRE encapsulation and its state is UP:

    [RTB]display interface Tunnel 0
    Tunnel0 current state: UP
    Line protocol current state: UP
    Description: Tunnel0 Interface
    The Maximum Transmit Unit is 1476
    Internet Address is 192.168.3.2/30 Primary
    Encapsulation is TUNNEL, service-loopback-group ID not set.
    Tunnel source 2.2.2.1, destination 1.1.1.1
    Tunnel keepalive disable
    Tunnel protocol/transport GRE/IP
        GRE key disabled
        Checksumming of GRE packets disabled
    Output queue : (Urgent queuing : Size/Length/Discards)  0/100/0
    Output queue : (Protocol queuing : Size/Length/Discards)  0/500/0
    Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0
        Last 300 seconds input:  15 bytes/sec, 0 packets/sec
        Last 300 seconds output:  21 bytes/sec, 0 packets/sec
        133 packets input,  5701 bytes
        0 input error
        124 packets output,  7469 bytes
        0 output error

Enable GRE protocol debugging on RTA. Use the debugging command to examine the packets the router actually sends and receives, which shows that their addresses have changed.

    terminal monitor
    terminal debugging
    debugging gre packet

On PCA, ping RTB, sending only one ICMP packet:

    C:\Documents and Settings\User>ping -n 1 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:

    Reply from 192.168.2.1: bytes=32 time<1ms TTL=254

    Ping statistics for 192.168.2.1:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

Observe the output on RTA:

    *Jun 26 16:15:30:443 2009 RTA GRE/7/debug: Tunnel0 packet:After encapsulation, Outgoing packet header 1.1.1.1->2.2.2.1(length = 84)
    *Jun 26 16:15:30:443 2009 RTA GRE/7/debug:Output: Gre packet has been fast-switched successfully, interface index is 0x2f0000.

RTA sent one packet out of interface Tunnel0 with source address 1.1.1.1 and destination address 2.2.2.1. This is because the packet was GRE-encapsulated before being sent over the public network.

Step 6: Remove the static routes

Use the undo ip route-static command.

Step 7: Configure dynamic routing for the public network

    [RTA]ospf 1
    [RTA-ospf-1]area 0.0.0.0
    [RTA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255

    [RTB]ospf 1
    [RTB-ospf-1]area 0.0.0.0
    [RTB-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

    [SWA]ospf 1
    [SWA-ospf-1]area 0.0.0.0
    [SWA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255
    [SWA-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

Step 8: Configure dynamic routing for the private networks

    [RTA]rip 1
    [RTA-rip-1]version 2
    [RTA-rip-1]network 192.168.1.0
    [RTA-rip-1]network 192.168.3.0

    [RTB]rip
    [RTB-rip-1]version 2
    [RTB-rip-1]network 192.168.2.0
    [RTB-rip-1]network 192.168.3.0

Step 9: Verify the tunnel again

View the routing tables of RTA and RTB:

    display ip routing-table
    Routing Tables: Public
            Destinations : 10       Routes : 10

    Destination/Mask    Proto   Pre  Cost  NextHop      Interface
    1.1.1.0/24          OSPF    10   2     2.2.2.2      GE0/1
    2.2.2.0/24          Direct  0    0     2.2.2.1      GE0/1
    2.2.2.1/32          Direct  0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
    192.168.1.0/24      RIP     100  1     192.168.3.1  Tun0
    192.168.2.0/24      Direct  0    0     192.168.2.1  GE0/0
    192.168.2.1/32      Direct  0    0     127.0.0.1    InLoop0
    192.168.3.0/30      Direct  0    0     192.168.3.2  Tun0
    192.168.3.2/32      Direct  0    0     127.0.0.1    InLoop0

Proceed to the next lab task.

Lab Task 2: GRE VPN Tunnel Verification

Step 1: Configure tunnel verification on one side only

First, enable tunnel verification on RTA only:

    [RTA-Tunnel0]gre key 1234

Step 2: Check tunnel connectivity

Use the ping command to check connectivity between PCA and PCB. Because tunnel verification is configured on one side only, the ping should fail at this point.

    C:\Documents and Settings\User>ping 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.2.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 3: Configure an incorrect tunnel verification value

Enable tunnel verification on RTB as well, but with a value different from the one on RTA:

    [RTB-Tunnel0]gre key 12345

Step 4: Check tunnel connectivity

Use the ping command to check connectivity between PCA and PCB. Because the configured tunnel verification value is wrong, the ping should fail at this point.

    C:\Documents and Settings\User>ping 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.2.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 5: Configure tunnel verification correctly

On RTB, configure the same verification value as on RTA:

    [RTB-Tunnel0]gre key 1234

Step 6: Check tunnel connectivity

Use the ping command to check connectivity between PCA and PCB. Because tunnel verification is now configured correctly, the ping should succeed.

    C:\Documents and Settings\User>ping 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:

    Reply from 192.168.2.1: bytes=32 time=1ms TTL=254
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=254

    Ping statistics for 192.168.2.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms

Note: Because RIP routing is configured on RTA and RTB, if the tunnel verification values stay mismatched for a long time, RIP deletes the private-network routes learned from the peer. In that case, after the correct tunnel verification value is configured, you must wait for RIP to relearn the routes.

Lab Task 3: GRE VPN Tunnel Keepalive

Step 1: Restore the static route configuration

    [RTA]undo rip
    Warning : Undo RIP process? [Y/N]:y
    [RTA]undo ospf
    Warning : Undo OSPF process? [Y/N]:y
    [RTA]ip route-static 192.168.2.0 255.255.255.0 Tunnel0
    [RTA]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

    [RTB]undo rip
    Warning : Undo RIP process? [Y/N]:y
    [RTB]undo ospf
    Warning : Undo OSPF process? [Y/N]:y
    [RTB]ip route-static 192.168.1.0 255.255.255.0 Tunnel0
    [RTB]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

Step 2: Simulate a network failure

    [SWA-Vlan-interface2]shutdown

Step 3: Check the tunnel interface status on RTA

Check the tunnel interface status on RTA. The tunnel interface still appears normal:

    [RTA]display interface Tunnel 0
    Tunnel0 current state: UP
    Line protocol current state: UP
    Description: Tunnel0 Interface
    The Maximum Transmit Unit is 1472
    Internet Address is 192.168.3.1/30 Primary
    Encapsulation is TUNNEL, service-loopback-group ID not set.
    Tunnel source 1.1.1.1, destination 2.2.2.1
    Tunnel keepalive disable
    Tunnel protocol/transport GRE/IP
        GRE key value is 1234
        Checksumming of GRE packets disabled
    Output queue : (Urgent queuing : Size/Length/Discards)  0/100/0
    Output queue : (Protocol queuing : Size/Length/Discards)  0/500/0
    Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0
        Last 300 seconds input:  0 bytes/sec, 0 packets/sec
        Last 300 seconds output:  0 bytes/sec, 0 packets/sec
        1016 packets input,  100223 bytes
        10 input error
        981 packets output,  41128 bytes
        0 output error

This shows that RTA cannot learn about changes at the peer end. The reason is that, on RTA, the interface that owns the tunnel source address is up and the route needed to reach the tunnel destination address still exists.

Step 4: Recover from the network failure

    [SWA-Vlan-interface2]undo shutdown

Step 5: Configure tunnel keepalive

    [RTA]interface Tunnel 0
    [RTA-Tunnel0]keepalive

    [RTB]interface Tunnel 0
    [RTB-Tunnel0]keepalive

Step 6: Simulate a network failure

Enable debugging on RTA:

    terminal monitor
    terminal debugging
    debugging gre all
    debugging tunnel all

Shut down the VLAN 2 interface on SWA to simulate a sudden failure of the public-network route.

    [SWA-Vlan-interface2]shutdown

Step 7: Observe the result and check tunnel connectivity

Observe the debugging information on RTA. The output looks like this:

    *Jun 26 17:31:54:794 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP, no change.
    *Jun 26 17:31:55:508 2009 RTA TUNNEL/7/debug: Before encapsulation, the packets ulLoopTimes is 0.
    *Jun 26 17:32:55:968 2009 RTA TUNNEL/7/debug: Before encapsulation, the packets ulLoopTimes is 0.
    *Jun 26 17:33:00:293 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP, no change.
    *Jun 26 17:33:05:332 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP, no change.
    *Jun 26 17:33:06:45 2009 RTA TUNNEL/7/debug: Before encapsulation, the packets ulLoopTimes is 0.
    *Jun 26 17:33:10:369 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP, no change.
    *Jun 26 17:33:15:408 2009 RTA TUNNEL/7/debug:Tunnel0 link state is UP, no change.
    %Jun 26 17:33:16:168 2009 RTA TUNNEL/4/LINK UPDOWN: Tunnel0: link status is DOWN
    %Jun 26 17:33:16:168 2009 RTA IFNET/4/UPDOWN: Line protocol on the interface Tunnel0 is DOWN
    *Jun 26 17:33:16:168 2009 RTA TUNNEL/7/debug:Tunnel0 down, because keepalive is not reached.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:Can not get tunnel ID when tunnel(index = 0x2f0000) state is down.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:Tunnel_DelTunnInUpTunnTbl: The tunnel(0x2f0000) state is down.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7
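Added example (not part of the original lab guide): a Python model of the GRE header (RFC 2784/2890) that reproduces the three gre key outcomes of Lab Task 2 and the two MTU values in the display interface Tunnel 0 outputs (1476 without a key, 1472 with gre key 1234). The function names and the accept() policy are assumptions made for illustration; the key is a 32-bit value carried unencrypted in the header, so it identifies a tunnel rather than protecting the traffic.

```python
import struct

FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000  # checksum / key / sequence present
PROTO_IPV4 = 0x0800      # EtherType of the inner (private-network) packet
OUTER_IPV4_HDR = 20      # outer IPv4 header without options

def gre_header(key=None, proto=PROTO_IPV4):
    """Build a version-0 GRE header; the 4-byte Key field is added only if key is set."""
    hdr = struct.pack("!HH", FLAG_K if key is not None else 0, proto)
    return hdr + (struct.pack("!I", key) if key is not None else b"")

def parse_gre(data):
    """Return protocol, key (None if the K bit is clear) and header length."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", data, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset, key = 4, None
    if flags & FLAG_C:
        offset += 4                      # checksum + reserved1
    if flags & FLAG_K:
        if len(data) < offset + 4:
            raise ValueError("truncated GRE key field")
        (key,) = struct.unpack_from("!I", data, offset)
        offset += 4
    if flags & FLAG_S:
        offset += 4                      # sequence number
    if len(data) < offset:
        raise ValueError("truncated GRE header")
    return {"proto": proto, "key": key, "header_len": offset}

def accept(data, local_key):
    """Assumed receiver policy matching the lab results: the packet's key must
    equal the locally configured key (None means no gre key configured)."""
    try:
        return parse_gre(data)["key"] == local_key
    except ValueError:
        return False

def tunnel_mtu(link_mtu=1500, key=None):
    """Largest inner packet that fits after the outer IPv4 and GRE headers are added."""
    return link_mtu - OUTER_IPV4_HDR - len(gre_header(key))

if __name__ == "__main__":
    pkt = gre_header(key=1234) + b"inner-ip-packet"   # constructed sample, as sent by RTA
    for name, rtb_key in [("RTB no key", None), ("RTB key 12345", 12345), ("RTB key 1234", 1234)]:
        print(name, "->", "accepted" if accept(pkt, rtb_key) else "dropped")
    print("MTU without key:", tunnel_mtu(), "with key:", tunnel_mtu(key=1234))
```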