IPSEC VPN Word document (recommended download).docx

1.1.4 VPN configuration

R1 =
    access-list 101 permit ip host 10.1.1.1 host 10.2.2.1
    crypto isakmp policy 1
     authentication pre-share
     hash md5
    crypto isakmp key 0 cisco address 200.200.100.2 255.255.255.0
    crypto ipsec transform-set shanghai esp-des esp-md5-hmac
    crypto map vpn_to_shanghai 10 ipsec-isakmp
     match add 101
     set peer 200.200.100.2
     set transform shanghai
    ip route 10.2.2.0 255.255.255.0 200.200.100.2
    crypto map vpn_to_shanghai

R2 =
    access-list 101 permit ip host 10.2.2.1 host 10.1.1.1
    exit
    crypto isakmp key 0 cisco address 200.200.100.1 255.255.255.0
     set peer 200.200.100.1
    ip route 10.1.1.0 255.255.255.0 200.200.100.1

1.1.5 Verification

On R1, run an extended ping to 10.2.2.1:

    R1#ping
    Protocol ip:
    Target IP address:
    Repeat count 5:
    Datagram size 100:
    Timeout in seconds 2:
    Extended commands n: y
    Source address or interface: loo 0
    Type of service 0:
    Set DF bit in IP header? no:
    Validate reply data?
    Data pattern 0xABCD:
    Loose, Strict, Record, Timestamp, Verbosenone:
    Sweep range of sizes n:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
    Packet sent with a source address of 10.1.1.1
    .!
    Success rate is 60 percent (3/5), round-trip min/avg/max = 172/238/288 ms

    R1#show crypto map
    Crypto Map vpn_to_shanghai 10 ipsec-isakmp
     Peer = 200.200.100.2
     Extended IP access list 101
      access-list 101 permit ip host 10.1.1.1 host 10.2.2.1
     Current peer: 200.200.100.2
     Security association lifetime: 4608000 kilobytes/3600 seconds
     PFS (Y/N): N
     Transform sets= shanghai,
     Interfaces using crypto map vpn_to_shanghai: Serial1/1

    R1#show crypto ipsec sa
    interface:
     Crypto map tag: vpn_to_shanghai, local addr 200.200.100.1
     protected vrf: (none)
     local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
     remote ident (addr/mask/prot/port): (10.2.2.1/255.255.255.255/0/0)
     current_peer 200.200.100.2 port 500
      PERMIT, flags=origin_is_acl,
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify:
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed:
      #pkts not decompressed: 0, #pkts decompress failed:
      #send errors 2, #recv errors 0
      local crypto endpt.: 200.200.100.1, remote crypto endpt.:
      path mtu 1500, ip mtu 1500
      current outbound spi: 0xC57F1ABD(3313441469)
      inbound esp sas:
       spi: 0x9C8542B5(2625979061)
        transform: esp-des esp-md5-hmac ,
        in use settings =Tunnel,
        conn id: 2001, flow_id: SW:1, crypto map: vpn_to_shanghai
        sa timing: remaining key lifetime (k/sec): (4416419/3493)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      inbound ah sas:
      inbound pcp sas:
      outbound esp sas:
        2002, flow_id:2, crypto map: (4416419/3492)
      outbound ah sas:
      outbound pcp sas:

    R1#show crypto isakmp sa

QOS

I. Description

QOS: configuring a policy generally breaks down into several steps.

First: classify traffic

1.1.1 Classify by IP address; the configuration uses an ACL (access control list).
1.1.2 Classify with Cisco NBAR, which can identify traffic at layer 7.

    Router(config)#class-map <map name>
    Router(config-cmap)#match ?
      access-group         Access group
      any                  Any packets
      class-map            Class map
      cos                  IEEE 802.1Q/ISL class of service/user priority values
      destination-address  Destination address
      input-interface      Select an input interface to match
      ip                   IP specific
      mpls                 Multi Protocol Label Switching
      not                  Negate this match result
      protocol             /NBAR
      qos-group            Qos-group
      source-address       Source

Second: mark traffic (marking)

Marking can be based on layer 2 ip precedence (IP priority) or on layer 3 DSCP. When marking, the identified traffic is generally divided into a few large groups: voice, video, important business traffic, and other business traffic. It is divided into levels 0 through 7; 7 and 6 are reserved, and 0 is also reserved.

    Level  Traffic type         DSCP mark  Examples
    5      Voice                ef         voip
    4      Streaming media      af4x       video conferencing, etc.
    3      Business traffic     af3x       ERP, SQL and other office systems
    2      Traditional traffic  af2x       mail, ftp, web, etc.
    1      Junk traffic         af1x       bandwidth-hogging traffic, e.g. bt, Xunlei, ppstream, etc.

Note: x stands for (1-9) and is a further classification within the same level.

Configuration:

    policy-map <name>
     class-map
      set dscp DSCP
      set precedence PRECEDENCE
      COS
    (these set the mark)

Third: set the policy

Under the policy-map, after matching the class-map:

    Kbps | percent PERCENT bc    defines the bandwidth and the burst of priority traffic
    bandwidth                    defines the reserved bandwidth
    random-detect                enables WRED
    police CIR BC BE conform-action action exceed-action violated-action action
                                 rate-limits using a token bucket
    queue-limit PACKETS          defines the maximum number of packets in the queue
    service-policy policy-name   calls another policy, for nesting
    shape average|peak BC BE     shaping
    drop                         drop

Fourth: apply on the interface

    Router(config-if)#service-policy input|output <policy_map name>

input applies the policy on the ingress; output applies it on the egress.

If you are not very familiar with QOS, the suggested reading is a set of notes written by a friend, which are very good.

II. Topology

In the diagram, the COM router connects to the internal network, the ISP router simulates the external network, and R2 is the border router.

III. Lab description

On R2's s1/0 and s1/1 interfaces we configure an interface bandwidth of 16 Kbit/s, then mark on s1/0, the ingress: traffic that meets the condition is marked 20 and traffic that exceeds it is marked 10. On the s1/1 egress we apply a policy that drops the traffic marked 10.

IV. Configuration

Basic configuration

R1:
    interface Serial1/1
     ip address 10.1.1.2 255.255.255.0
     no sh
    ip route 20.1.1.0 255.255.255.0 10.1.1.1

R2:
    access-list 100 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
    ! 16000 is the bandwidth limit, 2000 is BC, 3000 is BE
    class-map in-put
     match access-group 100
    policy-map in-put
     class in-put
      police 16000 2000 3000 conform-action set-dscp-transmit 20 exceed-action set-dscp-transmit 10
    class-map out-put
     ! drop the traffic that exceeded
     match ip dscp 10
    policy-map out-put
     class out-put
      police 8000 1500 3000 conform-action transmit exceed-action drop
     bandwidth 16
     ip address 10.1.1.1 255.255.255.0
     clock rate 64000
     service-policy input in-put
     ip address 20.1.1.1 255.255.255.0
     service-policy output out-put

R3:
    interface Serial1/0
     ip address 20.1.1.2 255.255.255.0
    ip route 10.1.1.0 255.255.255.0 20.1.1.1

Verification

    R1#ping ip 20.1.1.2 10 2000
    Sending 10, 2000-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
    .!
    Success rate is 60 percent (6/10), round-trip min/avg/max = 204/457/596 ms

    R2#show policy-map
      Policy Map out-put
        Class out-put
         police cir 8000 bc 1500 be 3000 conform-action transmit exceed-action drop
      Policy Map in-put
        Class in-put
         police cir 16000 bc 2000 be 3000 conform-action set-dscp-transmit af22 exceed-action set-dscp-transmit af11

From show policy-map we can see the meaning of the statements we configured earlier:

    police 16000 2000 3000 conform-action set-dscp-transmit 20 exceed-action set-dscp-transmit 10
    police 8000 1500 3000 conform-action transmit exceed-action drop

16000 is the CAR committed access rate; bc is the token bucket, and be is where tokens are placed once bc is full.

    R2#show policy-map int s1/0
     Serial1/0
        Class-map: in-put (match-all)
          405 packets, 460260 bytes
          5 minute offered rate 1000 bps, drop rate 0 bps
          Match: access-group 100
          police:
              cir 16000 bps, bc 2000 bytes
            conformed 175 packets, 137072 bytes; actions:
              set-dscp-transmit af22
            exceeded 230 packets, 323188 bytes;
              set-dscp-transmit af11
            conformed 1000 bps, exceed 0 bps
        class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          any

    R2#show policy-map int s1/1
     Serial1/1
        out-put (match-all)
          165 packets, 231820 bytes
          ip dscp af11 (10)
              cir 8000 bps, bc 1500 bytes
            conformed 88 packets, 117892 bytes;
              transmit
            exceeded 77 packets, 113928 bytes;
              drop
            conformed 0 bps, exceed 0 bps
          261 packets, 122786 bytes
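The bc/be behaviour described above, and the two-stage lab (mark on the s1/0 ingress, drop marked traffic on the s1/1 egress), as an added simulation that is not part of the original document. It is a textbook single-rate, two-bucket model in the style of RFC 2697, not Cisco's exact accounting; the names Policer, run_lab and SAMPLE are hypothetical, and a packet that fits neither bucket is assumed to be handled like an exceeding one.

```python
from dataclasses import dataclass

@dataclass
class Policer:
    """Single-rate, two-bucket policer (textbook RFC 2697-style model)."""
    cir_bps: int   # committed rate in bits per second
    bc: int        # committed burst: depth of the first bucket, bytes
    be: int        # excess burst: depth of the overflow bucket, bytes

    def __post_init__(self):
        self.tc, self.te = self.bc, self.be   # both buckets start full
        self.last_ms = 0
        self.frac = 0                         # credit smaller than one byte

    def police(self, now_ms, size):
        # Refill at CIR: fill bc first, overflow spills into be.
        credit = self.cir_bps * (now_ms - self.last_ms) + self.frac
        new_bytes, self.frac = divmod(credit, 8000)   # 8 bits x 1000 ms
        self.last_ms = now_ms
        to_tc = min(new_bytes, self.bc - self.tc)
        self.tc += to_tc
        self.te = min(self.be, self.te + new_bytes - to_tc)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"   # assumption: handled like "exceed" below


def run_lab(arrivals):
    """arrivals: (time_ms, size_bytes) pairs. Returns (dscp, fate) per packet."""
    ingress = Policer(16000, 2000, 3000)   # police 16000 2000 3000 on s1/0
    egress = Policer(8000, 1500, 3000)     # police 8000 1500 3000 on s1/1
    out = []
    for t, size in arrivals:
        dscp = 20 if ingress.police(t, size) == "conform" else 10
        if dscp == 10 and egress.police(t, size) != "conform":
            out.append((dscp, "drop"))      # class out-put, exceed-action drop
        else:
            out.append((dscp, "transmit"))  # class-default or conforming af11
    return out


# Constructed input: ten 1000-byte packets, one every 100 ms.
SAMPLE = [(t, 1000) for t in range(0, 1000, 100)]

if __name__ == "__main__":
    for (t, _), (dscp, fate) in zip(SAMPLE, run_lab(SAMPLE)):
        print(f"{t:4d} ms  dscp {dscp}  {fate}")
```

The initial burst drains bc, the overflow bucket then absorbs three more packets as exceeding traffic, and once both are empty only packets that arrive after bc has refilled enough are treated as conforming.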
