DSVPN综合实验

一.实验拓扑

二.实验要求

1，R5为ISP，，只能进行IP地址配置;其所有地址均配为公有IP地址
2，R1和R5间使用ppp的PAP认证，R5为主认证方;
R2于R5之间使用ppp的chap认证，R5为主认证方，
R3于R5之间使用HDLC封装。
3，R1/R2/R3构建一个MGRE环境，R1为中心站点;R1、R4间为点到点的GRE。
4，整个私有网络基于RIP全网可达
5，所有PC设置私有IP为源IP，可以访问R5环回。

三.实验过程

1、配置ip及环回

r1
[r1]int s 4/0/0
[r1-Serial4/0/0]ip add 15.0.0.1 24
[r1-Serial4/0/0]int g 0/0/0
[r1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[r1-GigabitEthernet0/0/0]q

r2
[r2]int s 4/0/0
[r2-Serial4/0/0]ip add 25.0.0.1 24
[r2-Serial4/0/0]int g 0/0/1
[r2-GigabitEthernet0/0/1]ip add 192.168.2.1 24
[r2-GigabitEthernet0/0/1]q

r3
[r3]int s 4/0/0
[r3-Serial4/0/0]ip add 35.0.0.1 24
[r3-Serial4/0/0]int g 0/0/1
[r3-GigabitEthernet0/0/1]ip add 192.168.3.1 24
[r3-GigabitEthernet0/0/1]q
[r3]

r4
[r4]int g0/0/0
[r4-GigabitEthernet0/0/0]ip add 45.0.0.1 24
[r4-GigabitEthernet0/0/0]int g0/0/1
[r4-GigabitEthernet0/0/1]ip add 192.168.4.1 24
[r4-GigabitEthernet0/0/1]

r5(isp)
[isp]int s 3/0/0
[isp-Serial3/0/0]ip add 15.0.0.2 24
[isp-Serial3/0/0]int s 3/0/1
[isp-Serial3/0/1]ip add 25.0.0.2 24
[isp-Serial3/0/1]int s 4/0/0
[isp-Serial4/0/0]ip add 35.0.0.2 24
[isp-Serial4/0/0]int g 0/0/0
[isp-GigabitEthernet0/0/0]ip add 45.0.0.2 24
[isp-GigabitEthernet0/0/0]int l0
[isp-LoopBack0]ip add 5.5.5.5 24
[isp-LoopBack0]q

2、私网边界路由器配一条缺省指向isp

[r1]ip route-static 0.0.0.0 0 15.0.0.2
[r2]ip route-static 0.0.0.0 0 25.0.0.2
[r3]ip route-static 0.0.0.0 0 35.0.0.2
[r4]ip route-static 0.0.0.0 0 45.0.0.2

3、r1的pap认证，r2的chap认

[isp]aaa
[isp-aaa]local-user r1 password cipher 123456
Info: Add a new user.
[isp-aaa]lo
[isp-aaa]local-user r1 se
[isp-aaa]local-user r1 service-type ppp
[isp-aaa]q
[isp]
[isp]int s 3/0/0
[isp-Serial3/0/0]ppp a
[isp-Serial3/0/0]ppp authentication-mode pap

[r1]int s 4/0/0
[r1-Serial4/0/0]ppp pap local-user r1 password cipher 123456
[r1-Serial4/0/0]

ISP创建一个用户名和密码来提供r2进行ppp的chap认证
[isp]aaa
[isp-aaa]local-user r2 password cipher 123456
Info: Add a new user.
[isp-aaa]local-user r2 service-type ppp
[isp-aaa]q
[isp]int s 3/0/1
[isp-Serial3/0/1]ppp authentication-mode chap
[isp-Serial3/0/1]

[r2]int s 4/0/0
[r2-Serial4/0/0]ppp chap user r2
[r2-Serial4/0/0]ppp chap password cipher 123456
[r2-Serial4/0/0]q
[r2]
[r2-Serial4/0/0]shutdown
[r2-Serial4/0/0]undo shutdown
等待接口重新起来之后在ping25.0.0.2

4、r3和r5之间使用HDLC封装

更改串线协议，注意r3和r5都要更改，否则协议对不上，导致失败
[r3]int s 4/0/0
[r3-Serial4/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]
:y
[isp]int s 4/0/0
[isp-Serial4/0/0]link
[isp-Serial4/0/0]link-protocol h
[isp-Serial4/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]
:y

5、搭建MGRE环境基于192.168.5.0网段，在r1上创建中心站点,开启伪广播，其他路由器当作分支站点，加入r1中心域，配置Tunnel接口的隧道协议为GRE、配置Tunnel的源地址，目的地址

r1创建虚拟接口
[r1]int t 0/0/0
[r1-Tunnel0/0/0]ip add 192.168.5.1 24
[r1-Tunnel0/0/0]
[r1-Tunnel0/0/0]

选择封装类型
[r1-Tunnel0/0/0]tun
[r1-Tunnel0/0/0]tunnel-protocol gre p2mp
[r1-Tunnel0/0/0]source 15.0.0.1

通过nhrp协议获取目标IP
[r1-Tunnel0/0/0]nhrp n
[r1-Tunnel0/0/0]nhrp network-id 100
[r1-Tunnel0/0/0]nhrp entry multicast dynamic

r2分支站点
[r2]int t 0/0/0
[r2-Tunnel0/0/0]ip add 192.168.5.2 24
[r2-Tunnel0/0/0]tunnel-protocol gre p2mp

分支允许出接口发生变化
[r2-Tunnel0/0/0]source Serial 4/0/0

加入r1中心域
[r2-Tunnel0/0/0]nhrp network-id 100
[r2-Tunnel0/0/0]nhrp entry 192.168.5.1 15.0.0.1 register

r3重复r2配置
[r3]int t 0/0/0
[r3-Tunnel0/0/0]ip add 192.168.5.3 24
[r3-Tunnel0/0/0]tunnel-protocol gre p2mp
[r3-Tunnel0/0/0]source Serial 4/0/0
[r3-Tunnel0/0/0]nhrp network-id 100
[r3-Tunnel0/0/0]nhrp entry 192.168.5.1 15.0.0.1 register

r1进行测试，r2,r3添加成功
r1,r4做点到点的GRE

[r1]int t 0/0/1
[r1-Tunnel0/0/1]ip add 192.168.6.1 24
[r1-Tunnel0/0/1]tunnel-protocol gre
[r1-Tunnel0/0/1]source 15.0.0.1
[r1-Tunnel0/0/1]destination 45.0.0.1

[r4]int t 0/0/0
[r4-Tunnel0/0/0]ip add 192.168.6.2 24
[r4-Tunnel0/0/0]tunnel-protocol gre
[r4-Tunnel0/0/0]source 45.0.0.1
[r4-Tunnel0/0/0]destination 15.0.0.1

6、r1~r4配置ripv2

r1进行宣告
[r1]rip
[r1-rip-1]v 2
[r1-rip-1]
[r1-rip-1]net
[r1-rip-1]network 192.168.1.0
[r1-rip-1]network 192.168.5.0
[r1-rip-1]network 192.168.6.0

r2进行宣告
[r2]rip
[r2-rip-1]v 2
[r2-rip-1]ne
[r2-rip-1]network 192.168.2.0
[r2-rip-1]network 192.168.5.0
[r2-rip-1]

r3进行宣告
[r3]rip
[r3-rip-1]
[r3-rip-1]v 2
[r3-rip-1]
[r3-rip-1]net
[r3-rip-1]network 192.168.5.0
[r3-rip-1]network 192.168.3.0
[r3-rip-1]

r4进行宣告
[r4]rip
[r4-rip-1]v 2
[r4-rip-1]ne
[r4-rip-1]network 192.168.4.0
[r4-rip-1]network 192.168.6.0

7、pc配地址,并且r1~r4做nat

pc端设置私有IP

在边界设备做nat
r1
[r1]acl 2000
[r1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[r1-acl-basic-2000]q
[r1]int s 4/0/0
[r1-Serial4/0/0]nat outbound 2000

r2
[r2]acl 2000
[r2-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[r2-acl-basic-2000]q
[r2]int s 4/0/0
[r2-Serial4/0/0]nat outbound 2000
[r2-Serial4/0/0]

r3
[r3]acl 2000
[r3-acl-basic-2000]rule permit source 192.168.3.0 0.0.0.255
[r3-acl-basic-2000]q
[r3]int s 4/0/0
[r3-Serial4/0/0]nat outbound 2000
[r3-Serial4/0/0]q

r4
[r4]acl 2000
[r4-acl-basic-2000]rule permit source 192.168.4.0 0.0.0.255
[r4-acl-basic-2000]q
[r4]int g 0/0/0
[r4-GigabitEthernet0/0/0]nat outbound 2000