实验拓扑:
实验要求:
1、R5为ISP,只能进行IP地址配置,其所有地址均配为公有Ip地址;
2、R1和R5间使用PPP的PAP认证,R5为主认证方;
R2与R5之间使用ppp的cHAP认证,R5为主认证方;
R3与R5之间使用HDLC封装;
3、R1、R2、R3构建一个MGRE环境,R1为中心站点,R1、R4间为点到点的GRE;
4、整个私有网络基本RIP全网可达;
5、所有Pc设置私有IP为源IP,可以访问R5环回。
实验思路:
- 给PC和路由器根据给出网段配置IP地址,R5的环回;
- 配置缺省路由;
- R1yuR5之间配置ppp,R5进入aaa作为主认证方进行配置,用户名wangdaye,密码wdy12345,R5进入接口开启PAP服务,R1也进入接口开启服务;
- R2与R5之间进行同样的操作,用户zhangdaye,密码zdy12345,接口开启CHAP服务;
- R3、R5进接口,开启HDLC协议;
- 搭建MGRE VPN虚拟隧道,配置Tunnel 0/0/0接口并配置IP;R1作为中心站点,R2、R3、作为分支站点,中心IP地址固定,分支站点写出接口,中心站点设置伪广播,分支到中心注册;设置NHRP的工作id:100;
- R1、R4配置点到点的GRE,Tunnel为0/0/1
- 配置RIP使全网可达
- R1开启伪广播,关闭RIP水平分割,使其他分支学习到分站之间的条目
- 创建acl放通内网流量,使内网能访问外网
实验步骤:
1.给PC和路由器配置IP地址
PC1:192.168.1.1 24
PC2:192.168.2.1 24
PC3:192.168.3.1 24
PC4:192.168.4.1 24
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-Serial4/0/0]ip add 15.1.1.1 24
[R2-GigabitEthernet0/0/0]ip add 192.168.2.254 24
[R2-Serial4/0/0]ip add 25.1.1.2 24
[R3-GigabitEthernet0/0/0]ip add 192.168.3.254 24
[R3-Serial4/0/0]ip add 35.1.1.3 24
[R4-GigabitEthernet0/0/0]ip add 45.1.1.4 24
[R4-GigabitEthernet0/0/1]ip add 192.168.4.254 24
[R5-GigabitEthernet0/0/0]ip add 45.1.1.5 24
[R5-Serial4/0/0]ip add 35.1.1.5 24
[R5-Serial4/0/1]ip add 15.1.1.5 24
[R5-Serial3/0/1]ip add 25.1.1.5 24
[R5]int l0
[R5-LoopBack0]ip add 5.5.5.5 24
2.在出口配置缺省路由,指向公网路由器R5,保证公网通
[R1]ip route-static 0.0.0.0 0 15.1.1.5
[R2]ip route-static 0.0.0.0 0 25.1.1.5
[R3]ip route-static 0.0.0.0 0 35.1.1.5
[R4]ip route-static 0.0.0.0 0 45.1.1.5
3、R1和R5间使用PPP的PAP认证,R5为主认证方
R5:
[R5]aaa
[R5-aaa]local-user wangdaye password cipher wdy12345
Info: Add a new user.
[R5-aaa]local-user wangdaye service-type ppp
[R5-aaa]q
[R5]int s 4/0/1
[R5-Serial4/0/1]ppp authentication-mode pap
[R5-Serial4/0/1]q
R1:
[R1]int s 4/0/0
[R1-Serial4/0/0]ppp pap local-user wangdaye password cipher wdy12345
[R1-Serial4/0/0]q
4.R2和R5间使用PPP的CHAP认证,R5为主认证方
R5:
[R5]aaa
[R5-aaa]local-user zhangdaye password cipher zdy12345
Info: Add a new user.
[R5-aaa]local-user zhangdaye service-type ppp
[R5-aaa]q
[R5]int s 3/0/1
[R5-Serial3/0/1]ppp authentication-mode chap
[R5-Serial3/0/1]q
R2:
[R2]int s 4/0/0
[R2-Serial4/0/0]ppp chap user zhangdaye
[R2-Serial4/0/0]ppp chap password cipher zdy12345
5. R3与R5之间使用HDLC封装
R3:
[R3]int s 4/0/0
[R3-Serial4/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]
:y
R5:
[R5]int s 4/0/0
[R5-Serial4/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]
:y
测试:
6.搭建MGRE VPN虚拟隧道;R1作为中心站点,R2、R3、R4作为分支站点;R2、R3到R1注册
R1(中心站点):
[R1]int t
[R1]int Tunnel 0/0/0
[R1-Tunnel0/0/0]ip add 10.1.2.1 24
[R1-Tunnel0/0/0]tunnel-protocol gre p2mp
[R1-Tunnel0/0/0]source 15.1.1.1
Mar 29 2024 18:53:31-08:00 R1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface Tunnel0/0/0 has entered the UP state.
[R1-Tunnel0/0/0]nhrp network-id 100
R2:
[R2]int t
[R2]int Tunnel 0/0/0
[R2-Tunnel0/0/0]ip add 10.1.2.2 24
[R2-Tunnel0/0/0]tunnel-protocol gre p2mp
[R2-Tunnel0/0/0]source Serial 4/0/0
Mar 29 2024 18:56:35-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface Tunnel0/0/0 has entered the UP state.
[R2-Tunnel0/0/0]nhrp network-id 100
[R2-Tunnel0/0/0]nh
[R2-Tunnel0/0/0]nhrp en
[R2-Tunnel0/0/0]nhrp entry 10.1.2.1 15.1.1.1 re
[R2-Tunnel0/0/0]nhrp entry 10.1.2.1 15.1.1.1 register
R3:
[R3]int t
[R3]int Tunnel 0/0/0
[R3-Tunnel0/0/0]ip add 10.1.2.3 24
[R3-Tunnel0/0/0]tunnel-protocol gre p2mp
[R3-Tunnel0/0/0]source Serial 4/0/0
Mar 29 2024 18:58:56-08:00 R3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface Tunnel0/0/0 has entered the UP state.
[R3-Tunnel0/0/0]nhrp network-id 100
[R3-Tunnel0/0/0]nhrp entry 10.1.2.1 15.1.1.1 register
7、R1、R4配置点到点的GRE,Tunnel为0/0/1
R1:
[R1]int Tunnel 0/0/1
[R1-Tunnel0/0/1]ip add 10.1.1.1 24
[R1-Tunnel0/0/1]tu
[R1-Tunnel0/0/1]tunnel-protocol g
[R1-Tunnel0/0/1]tunnel-protocol gre
[R1-Tunnel0/0/1]s
[R1-Tunnel0/0/1]so
[R1-Tunnel0/0/1]source 15.1.1.1
[R1-Tunnel0/0/1]dest
[R1-Tunnel0/0/1]destination 45.1.1.4
Mar 30 2024 17:41:43-08:00 R1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface Tunnel0/0/1 has entered the UP state.
R4:
[R4]int Tunnel 0/0/1
[R4-Tunnel0/0/1]ip add 10.1.1.4 24
[R4-Tunnel0/0/1]tu
[R4-Tunnel0/0/1]tunnel-protocol g
[R4-Tunnel0/0/1]tunnel-protocol gre
[R4-Tunnel0/0/1]so
[R4-Tunnel0/0/1]source 45.1.1.4
[R4-Tunnel0/0/1]dest
[R4-Tunnel0/0/1]destination 15.1.1.1
Mar 30 2024 17:45:58-08:00 R4 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface Tunnel0/0/1 has entered the UP state.
8.配置RIP使全网可达
R1:
[R1]rip 1
[R1-rip-1]v 2
[R1-rip-1]undo summary
[R1-rip-1]network 192.168.1.0
[R1-rip-1]network 10.1.2.0
Error: The network address is invalid, and the specified address must be major-net address without any subnets.
[R1-rip-1]network 10.0.0.0
R2:
[R2]rip 1
[R2-rip-1]v 2
[R2-rip-1]undo summary
[R2-rip-1]network 192.168.2.0
[R2-rip-1]network 10.0.0.0
[R2-rip-1]q
R3:
[R3]rip 1
[R3-rip-1]v 2
[R3-rip-1]undo summary
[R3-rip-1]network 192.168.3.0
[R3-rip-1]network 10.0.0.0
[R3-rip-1]q
R4:
[R4]rip 1
[R4-rip-1]v 2
[R4-rip-1]undo summary
[R4-rip-1]network 192.168.4.0
[R4-rip-1]network 10.0.0.0
[R4-rip-1]q
9.R1开启伪广播,关闭RIP水平分割,使其他分支学习到分站之间的条目
R1:
[R1]int Tunnel 0/0/0
[R1-Tunnel0/0/0]nhrp entry multicast dynamic //开启伪广播
[R1-Tunnel0/0/0]undo rip split-horizon
R2:
[R2]int Tunnel 0/0/0
[R2-Tunnel0/0/0]undo rip s
[R2-Tunnel0/0/0]undo rip split-horizon
R3:
[R3]int t
[R3]int Tunnel 0/0/0
[R3-Tunnel0/0/0]undo rip s
[R3-Tunnel0/0/0]undo rip split-horizon
[R3-Tunnel0/0/0]q
检查rip表:
R1:
R2:
R3:
R4:
10.使用NAT技术创建acl放通内网流量,使内网能访问外网
R1:
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]q
[R1]int s 4/0/0
[R1-Serial4/0/0]nat outbound 2000
[R1-Serial4/0/0]
R2:
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[R2-acl-basic-2000]q
[R2]int s 4/0/0
[R2-Serial4/0/0]nat outbound 2000
R3:
[R3]acl 2000
[R3-acl-basic-2000]rule permit source 192.168.3.0 0.0.0.255
[R3-acl-basic-2000]q
[R3]int s 4/0/0
[R3-Serial4/0/0]nat outbound 2000
R4:
[R4]acl 2000
[R4-acl-basic-2000]rule permit source 192.168.4.0 0.0.0.255
[R4-acl-basic-2000]q
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]nat outbound 2000
11.ping测试
