Lab 1: Configuring GRE VPN

Lab Task 1: Basic GRE VPN Configuration

Step 1: Set up the lab environment

On SWA, create VLAN 2 and add interface Ethernet 1/0/2 to it:

    [SWA] vlan 2
    [SWA-vlan2] port Ethernet 1/0/2

Step 2: Check public-network connectivity

Check SWA's routing table and port status to confirm that it is working normally.

    [SWA] display ip interface brief
    *down: administratively down
    (s): spoofing
    Interface            Physical Protocol IP Address   Description
    Vlan-interface1      up       up       1.1.1.2      Vlan-inte.
    Vlan-interface2      up       up       2.2.2.2      Vlan-inte.

    [SWA] display ip routing-table
    Routing Tables: Public
            Destinations : 6        Routes : 6

    Destination/Mask    Proto  Pre  Cost  NextHop      Interface
    1.1.1.0/24          Direct 0    0     1.1.1.2      Vlan1
    1.1.1.2/32          Direct 0    0     127.0.0.1    InLoop0
    2.2.2.0/24          Direct 0    0     2.2.2.2      Vlan2
    2.2.2.2/32          Direct 0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct 0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct 0    0     127.0.0.1    InLoop0

The display interface command can also be used.

On RTA and RTB, configure the public-network interfaces and the static routes they need to reach each other:

    [RTA] interface GigabitEthernet0/0
    [RTA-GigabitEthernet0/0] ip address 192.168.1.1 255.255.255.0
    [RTA-GigabitEthernet0/0] interface GigabitEthernet0/1
    [RTA-GigabitEthernet0/1] ip address 1.1.1.1 255.255.255.0
    [RTA-GigabitEthernet0/1] ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

    [RTB] interface GigabitEthernet0/0
    [RTB-GigabitEthernet0/0] ip address 192.168.2.1 255.255.255.0
    [RTB-GigabitEthernet0/0] interface GigabitEthernet0/1
    [RTB-GigabitEthernet0/1] ip address 2.2.2.1 255.255.255.0
    [RTB-GigabitEthernet0/1] ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

Step 3: Configure the GRE tunnel interfaces

    [RTA] interface Tunnel0
    [RTA-Tunnel0] ip address 192.168.3.1 255.255.255.252
    [RTA-Tunnel0] source 1.1.1.1
    [RTA-Tunnel0] destination 2.2.2.1

    [RTB] interface Tunnel0
    [RTB-Tunnel0] ip address 192.168.3.2 255.255.255.252
    [RTB-Tunnel0] source 2.2.2.1
    [RTB-Tunnel0] destination 1.1.1.1

Step 4: Configure static routes for the private networks

    [RTA] ip route-static 192.168.2.0 255.255.255.0 Tunnel0
    [RTB] ip route-static 192.168.1.0 255.255.255.0 Tunnel0

A next-hop address can be used instead of the outgoing interface.

Step 5: Verify that the tunnel works

Check the routing tables of RTA and RTB; both the public-network and the private-network routes are present:

    [RTB] display ip routing-table
    Routing Tables: Public
            Destinations : 10       Routes : 10

    Destination/Mask    Proto  Pre  Cost  NextHop      Interface
    1.1.1.0/24          Static 60   0     2.2.2.2      GE0/1
    2.2.2.0/24          Direct 0    0     2.2.2.1      GE0/1
    2.2.2.1/32          Direct 0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct 0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct 0    0     127.0.0.1    InLoop0
    192.168.1.0/24      Static 60   0     192.168.3.2  Tun0
    192.168.2.0/24      Direct 0    0     192.168.2.1  GE0/0
    192.168.2.1/32      Direct 0    0     127.0.0.1    InLoop0
    192.168.3.0/30      Direct 0    0     192.168.3.2  Tun0
    192.168.3.2/32      Direct 0    0     127.0.0.1    InLoop0

Check the tunnel interface status on RTA and RTB; the interface uses GRE encapsulation and is UP:

    [RTB] display interface Tunnel 0
    Tunnel0 current state: UP
    Line protocol current state: UP
    Description: Tunnel0 Interface
    The Maximum Transmit Unit is 1476
    Internet Address is 192.168.3.2/30 Primary
    Encapsulation is TUNNEL, service-loopback-group ID not set.
    Tunnel source 2.2.2.1, destination 1.1.1.1
    Tunnel keepalive disable
    Tunnel protocol/transport GRE/IP
    GRE key disabled
    Checksumming of GRE packets disabled
    Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
    Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
    Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
    Last 300 seconds input: 15 bytes/sec, 0 packets/sec
    Last 300 seconds output: 21 bytes/sec, 0 packets/sec
    133 packets input, 5701 bytes
    0 input error
    124 packets output, 7469 bytes
    0 output error

Enable GRE debugging on RTA and use the debugging output to examine the packets the router actually sends and receives; it shows that their addresses have been rewritten by the encapsulation.

    <RTA> terminal monitor
    <RTA> terminal debugging
    <RTA> debugging gre packet

On PCA, ping RTB, but send only one ICMP packet:

    C:\Documents and Settings\User> ping -n 1 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:

    Reply from 192.168.2.1: bytes=32 time

    *Jun 26 16:15:30:443 2009 RTA GRE/7/debug:
    Tunnel0 packet: After encapsulation, Outgoing packet header 1.1.1.1-2.2.2.1 (length = 84)
    *Jun 26 16:15:30:443 2009 RTA GRE/7/debug:
    Output: Gre packet has been fast-switched successfully, interface index is 0x2f0000.

RTA sent one packet out of interface Tunnel0 with source address 1.1.1.1 and destination address 2.2.2.1: the packet was GRE-encapsulated and then forwarded across the public network.

Step 6: Remove the static routes

Use the undo ip route-static command.

Step 7: Configure dynamic routing for the public network

    [RTA] ospf 1
    [RTA-ospf-1] area 0.0.0.0
    [RTA-ospf-1-area-0.0.0.0] network 1.0.0.0 0.255.255.255

    [RTB] ospf 1
    [RTB-ospf-1] area 0.0.0.0
    [RTB-ospf-1-area-0.0.0.0] network 2.0.0.0 0.255.255.255

    [SWA] ospf 1
    [SWA-ospf-1] area 0.0.0.0
    [SWA-ospf-1-area-0.0.0.0] network 1.0.0.0 0.255.255.255
    [SWA-ospf-1-area-0.0.0.0] network 2.0.0.0 0.255.255.255

Step 8: Configure dynamic routing for the private networks

    [RTA] rip 1
    [RTA-rip-1] version 2
    [RTA-rip-1] network 192.168.1.0
    [RTA-rip-1] network 192.168.3.0

    [RTB] rip
    [RTB-rip-1] version 2
    [RTB-rip-1] network 192.168.2.0
    [RTB-rip-1] network 192.168.3.0

Step 9: Verify the tunnel again

Check the routing tables of RTA and RTB:

    display ip routing-table
    Routing Tables: Public
            Destinations : 10       Routes : 10

    Destination/Mask    Proto  Pre  Cost  NextHop      Interface
    1.1.1.0/24          OSPF   10   2     2.2.2.2      GE0/1
    2.2.2.0/24          Direct 0    0     2.2.2.1      GE0/1
    2.2.2.1/32          Direct 0    0     127.0.0.1    InLoop0
    127.0.0.0/8         Direct 0    0     127.0.0.1    InLoop0
    127.0.0.1/32        Direct 0    0     127.0.0.1    InLoop0
    192.168.1.0/24      RIP    100  1     192.168.3.1  Tun0
    192.168.2.0/24      Direct 0    0     192.168.2.1  GE0/0
    192.168.2.1/32      Direct 0    0     127.0.0.1    InLoop0
    192.168.3.0/30      Direct 0    0     192.168.3.2  Tun0
    192.168.3.2/32      Direct 0    0     127.0.0.1    InLoop0

Proceed to the next lab task.

Lab Task 2: GRE VPN Tunnel Authentication
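The debugging output in Step 5 reports an outgoing packet 1.1.1.1-2.2.2.1 with length = 84, and the display output reports an MTU of 1476. The following Python model, added here as an illustration and not part of the lab manual or the H3C software, builds the same encapsulation byte by byte so both numbers can be checked: a 32-byte Windows ping is 8 bytes of ICMP plus 32 bytes of data inside a 20-byte IPv4 header (60 bytes), and the tunnel wraps that in a 4-byte GRE header and a 20-byte outer IPv4 header (84 bytes); the same 24 bytes of overhead taken off a 1500-byte link give 1476, and a 4-byte GRE key field takes it to 1472, the value the display output shows later in this lab once a key is configured. PCA's address 192.168.1.2 is an assumption (the manual only places PCA in 192.168.1.0/24).

```python
"""Model of the GRE-over-IPv4 encapsulation performed by RTA (added example, not lab code)."""
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP = 1
IPPROTO_GRE = 47          # outer IP protocol number carrying GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
GRE_FLAG_KEY = 0x2000     # K bit: a 4-byte key field follows the 4-byte base header


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, used for both the IPv4 header and the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """20-byte IPv4 header without options; total length covers header plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def build_icmp_echo(data: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request (type 8) with its checksum filled in."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, ones_complement_sum(hdr + data), ident, seq) + data


def build_gre_header(key=None) -> bytes:
    """RFC 2784 base header (flags/version, protocol type) plus the RFC 2890 key if set."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, key=None) -> bytes:
    """What the tunnel interface does: GRE header in front, outer IPv4 header in front of that."""
    gre_payload = build_gre_header(key) + inner
    return build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre_payload)) + gre_payload


def outer_header(packet: bytes) -> dict:
    """The fields a public-network device (SWA) sees: outer addresses, protocol, length."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])),
            "proto": f[6], "length": f[2]}


def tunnel_mtu(link_mtu: int = 1500, key: bool = False, checksum: bool = False) -> int:
    """Payload the tunnel can carry: link MTU minus outer IPv4 (20), GRE base (4), optional fields."""
    return link_mtu - 20 - 4 - (4 if key else 0) - (4 if checksum else 0)


def pca_ping_via_tunnel(key=None) -> bytes:
    """Constructed sample: PCA (assumed 192.168.1.2) pings RTB 192.168.2.1 with 32 data bytes."""
    icmp = build_icmp_echo(b"abcdefghijklmnopqrstuvwabcdefghi")   # 32 bytes, as Windows ping sends
    inner = build_ipv4_header("192.168.1.2", "192.168.2.1", IPPROTO_ICMP, len(icmp), ttl=128) + icmp
    return gre_encapsulate(inner, "1.1.1.1", "2.2.2.1", key)   # RTA's source/destination from Step 3


if __name__ == "__main__":
    pkt = pca_ping_via_tunnel()
    print(outer_header(pkt))                       # {'src': '1.1.1.1', 'dst': '2.2.2.1', 'proto': 47, 'length': 84}
    print(tunnel_mtu(), tunnel_mtu(key=True))      # 1476 1472
```

Running the block prints the outer header that matches the debugging line and the two MTU values; outer_header is also a convenient way to see why a transit device such as SWA only ever sees 1.1.1.1 and 2.2.2.1 and protocol 47, never the private addresses.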
Step 1: Configure tunnel authentication on one side only

First enable tunnel authentication on RTA alone:

    [RTA-Tunnel0] gre key 1234

Step 2: Check tunnel connectivity

Use ping to verify connectivity between PCA and PCB. Because tunnel authentication is configured on only one side, the ping should fail.

    C:\Documents and Settings\User> ping 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.2.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 3: Configure a mismatched tunnel authentication key

Enable tunnel authentication on RTB as well, but with a key value different from RTA's:

    [RTB-Tunnel0] gre key 12345

Step 4: Check tunnel connectivity

Use ping to verify connectivity between PCA and PCB. Because the key values do not match, the ping should fail.

    C:\Documents and Settings\User> ping 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.2.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 5: Configure tunnel authentication correctly

Configure the same key value on RTB as on RTA:

    [RTB-Tunnel0] gre key 1234

Step 6: Check tunnel connectivity

Use ping to verify connectivity between PCA and PCB. Because tunnel authentication is now configured correctly, the ping should succeed.

    C:\Documents and Settings\User> ping 192.168.2.1

    Pinging 192.168.2.1 with 32 bytes of data:

    Reply from 192.168.2.1: bytes=32 time=1ms TTL=254
    Reply from 192.168.2.1: bytes=32 time

Lab Task 3: GRE VPN Tunnel Keepalive

Step 6: Simulate a network failure

    <RTA> terminal monitor
    <RTA> terminal debugging
    <RTA> debugging gre all
    <RTA> debugging tunnel all

Shut down the VLAN 2 interface on SWA to simulate a sudden public-network routing failure.

    [SWA-Vlan-interface2] shutdown

Step 7: Observe the effect and check tunnel connectivity

Watch the debugging output on RTA. It looks like this:

    *Jun 26 17:31:54:794 2009 RTA TUNNEL/7/debug:
    Tunnel0 link state is UP, no change.
    *Jun 26 17:31:55:508 2009 RTA TUNNEL/7/debug:
    Before encapsulation, the packets ulLoopTimes is 0.
    *Jun 26 17:32:55:968 2009 RTA TUNNEL/7/debug:
    Before encapsulation, the packets ulLoopTimes is 0.
    *Jun 26 17:33:00:293 2009 RTA TUNNEL/7/debug:
    Tunnel0 link state is UP, no change.
    *Jun 26 17:33:05:332 2009 RTA TUNNEL/7/debug:
    Tunnel0 link state is UP, no change.
    *Jun 26 17:33:06:45 2009 RTA TUNNEL/7/debug:
    Before encapsulation, the packets ulLoopTimes is 0.
    *Jun 26 17:33:10:369 2009 RTA TUNNEL/7/debug:
    Tunnel0 link state is UP, no change.
    *Jun 26 17:33:15:408 2009 RTA TUNNEL/7/debug:
    Tunnel0 link state is UP, no change.
    %Jun 26 17:33:16:168 2009 RTA TUNNEL/4/LINK UPDOWN:
    Tunnel0: link status is DOWN
    %Jun 26 17:33:16:168 2009 RTA IFNET/4/UPDOWN:
    Line protocol on the interface Tunnel0 is DOWN
    *Jun 26 17:33:16:168 2009 RTA TUNNEL/7/debug:
    Tunnel0 down, because keepalive is not reached.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:
    Can not get tunnel ID when tunnel(index = 0x2f0000) state is down.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:
    Tunnel_DelTunnInUpTunnTbl: The tunnel(0x2f0000) state is down.
    *Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:
    Before encapsulation, the packets ulLoopTimes is 0.
    *Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug:
    Tunnel0 down, because keepalive is not reached.
    *Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug:
    Tunnel0 link state is DOWN, no change.
    *Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug:
    Tunnel0 down, because keepalive is not reached.
    *Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug:
    Tunnel0 link state is DOWN, no change.
    *Jun 26 17:33:26:203 2009 RTA TUNNEL/7/debug:

After a while the state of interface Tunnel0 changes to DOWN; according to the debugging output, the reason is that keepalive messages are being lost. Turn debugging off and check the Tunnel0 interface information:

    <RTA> undo debugging all
    All possible debugging has been turned off
    <RTA> display interface tunnel 0
    Tunnel0 current state: DOWN
    Line protocol current state: DOWN
    Description: Tunnel0 Interface
    The Maximum Transmit Unit is 1472
    Internet Address is 192.168.3.1/30 Primary
    Encapsulation is TUNNEL, service-loopback-group ID not set.
    Tunnel source 1.1.1.1, destination 2.2.2.1
    Tunnel keepalive enable, Period(10 s), Retries(3)
    Tunnel protocol/transport GRE/IP
    GRE key value is 1234
    Checksumming of GRE packets disabled
    Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
    Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
    Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
    Last 300 seconds input: 2 bytes/sec, 0 packets/sec
    Last 300 seconds output: 2 bytes/sec, 0 packets/sec
    1115 packets input, 101679 bytes
    10 input error
    1084 packets output, 44012 bytes
    0 output error

Interface Tunnel0 has indeed gone DOWN. Note also that the MTU is now 1472 rather than the 1476 seen in Task 1: the GRE key adds a 4-byte field to every tunnel header. Bring the VLAN 2 interface on SWA back up; after a while, the Tunnel0 interface state and the connectivity between PCA and PCB return to normal.
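Lab Task 2 shows three outcomes of the gre key command: a key on one side only (Step 2), different keys (Step 4) and identical keys (Step 6). The following Python model, added here and not taken from the lab manual or from the H3C implementation, parses the RFC 2784/2890 GRE header (including the optional checksum, key and sequence fields, so the key is read from the right offset whatever flags are set) and applies the receiver rule the lab results imply: a packet is forwarded only if the key it carries equals the key configured locally, with "no key" on both sides also counting as a match. Because a ping needs the echo request and the echo reply to be accepted in opposite directions, the helper tunnel_passes checks both. The manual does not say which side drops first in Step 2; with this rule both directions fail, which is all the observed result requires.

```python
"""Receiver-side GRE key check modelled on Lab Task 2 (added example, not lab code)."""
import struct

GRE_FLAG_CHECKSUM = 0x8000   # C bit: 2-byte checksum + 2 reserved bytes follow the base header
GRE_FLAG_KEY = 0x2000        # K bit: 4-byte key follows
GRE_FLAG_SEQ = 0x1000        # S bit: 4-byte sequence number follows
ETHERTYPE_IPV4 = 0x0800


def gre_packet(key, payload: bytes) -> bytes:
    """Minimal sender: base header plus the key field when a key is configured (checksum off, as in the lab)."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def parse_gre_header(pkt: bytes):
    """Return (flags, protocol_type, key_or_None, payload); optional fields appear in C, K, S order."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE base header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        if len(pkt) < offset + 4:
            raise ValueError("K bit set but key field missing")
        key = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    if len(pkt) < offset:
        raise ValueError("truncated GRE optional fields")
    return flags, proto, key, pkt[offset:]


def receiver_accepts(pkt: bytes, configured_key):
    """Decide whether a tunnel endpoint with `configured_key` (None = no gre key) forwards `pkt`."""
    _, proto, key, _ = parse_gre_header(pkt)
    if proto != ETHERTYPE_IPV4:
        return False, "unexpected GRE protocol type 0x%04x" % proto
    if key == configured_key:
        return True, ("key matches" if key is not None else "no key on either side")
    if key is None:
        return False, "local key configured but packet carries none"
    if configured_key is None:
        return False, "packet carries key %d but no key is configured locally" % key
    return False, "key mismatch: packet %d, configured %d" % (key, configured_key)


def tunnel_passes(key_rta, key_rtb) -> bool:
    """A PCA-to-PCB ping succeeds only if RTB accepts RTA's request and RTA accepts RTB's reply."""
    request_ok, _ = receiver_accepts(gre_packet(key_rta, b"echo request"), key_rtb)
    reply_ok, _ = receiver_accepts(gre_packet(key_rtb, b"echo reply"), key_rta)
    return request_ok and reply_ok


def lab_task_2():
    """Replay Steps 2, 4 and 6 of Lab Task 2 with the key values the manual uses."""
    return {
        "step2_rta_only": tunnel_passes(1234, None),
        "step4_mismatch": tunnel_passes(1234, 12345),
        "step6_match": tunnel_passes(1234, 1234),
    }


if __name__ == "__main__":
    for step, ok in lab_task_2().items():
        print(step, "ping succeeds" if ok else "request timed out")
```

The one-line decision in receiver_accepts is the whole security property of gre key: it is a 32-bit tunnel identifier carried in clear text, not a cryptographic credential, so it protects against misconfiguration and stray tunnels, which is what this task demonstrates, and nothing more.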
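The Task 3 output shows the tunnel configured with Period(10 s) and Retries(3), and the debugging messages end with "Tunnel0 down, because keepalive is not reached" once the public path through SWA is cut. The state machine below, added here as an illustration and not taken from the lab manual or the H3C code, reproduces that behaviour on a constructed timeline: a probe is sent every period, the tunnel is declared DOWN after `retries` consecutive unanswered probes, and a single answered probe brings it back UP, which is what happens once VLAN-interface 2 is re-enabled. The failure and recovery instants (t = 40 s and t = 100 s) are constructed for the example; the manual gives only the log timestamps.

```python
"""GRE tunnel keepalive state machine modelled on Lab Task 3 (added example, not lab code)."""


class TunnelKeepalive:
    """Keepalive tracker for one tunnel endpoint.

    Every `period` seconds the endpoint sends a keepalive through the tunnel and the peer
    bounces it back; tick() is called once per period with whether that reply arrived.
    """

    def __init__(self, period=10, retries=3):
        self.period = period        # seconds between probes (Period(10 s) in the lab)
        self.retries = retries      # unanswered probes tolerated before DOWN (Retries(3) in the lab)
        self.state = "UP"
        self.unanswered = 0

    def tick(self, reply_received):
        """Process one keepalive period; returns (state, reason) in the spirit of the debug log."""
        if reply_received:
            self.unanswered = 0
            if self.state != "UP":
                self.state = "UP"
                return self.state, "keepalive reply received, tunnel back UP"
            return self.state, "link state is UP, no change"
        self.unanswered += 1
        if self.unanswered >= self.retries:
            if self.state != "DOWN":
                self.state = "DOWN"
                return self.state, "down, because keepalive is not reached"
            return self.state, "link state is DOWN, no change"
        return self.state, "%d of %d keepalives unanswered" % (self.unanswered, self.retries)


def detection_time(period, retries):
    """Seconds of lost keepalives before the tunnel is declared DOWN: retries consecutive periods."""
    return period * retries


def simulate(path_up, period=10, retries=3, duration=120):
    """Drive the state machine along a timeline.

    path_up(t) reports whether the public path can carry the probe sent at second t.
    Returns the list of (time, new_state, reason) transitions, empty if the tunnel never changes state.
    """
    mon = TunnelKeepalive(period, retries)
    transitions = []
    for t in range(period, duration + 1, period):
        before = mon.state
        state, reason = mon.tick(path_up(t))
        if state != before:
            transitions.append((t, state, reason))
    return transitions


def lab_scenario():
    """Constructed timeline: SWA's VLAN 2 interface is shut down at t=40 s and brought up at t=100 s."""
    return simulate(lambda t: not (40 <= t < 100))


if __name__ == "__main__":
    for t, state, reason in lab_scenario():
        print("t=%3ds Tunnel0 %s: %s" % (t, state, reason))
```

With the lab's parameters the tunnel goes DOWN 30 seconds after the path fails (three 10-second periods), which is the trade-off the two parameters express: a shorter period or fewer retries detects a dead path sooner, at the cost of more keepalive traffic and more false DOWN transitions on a lossy public network.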
Lab 2: Configuring L2TP VPN

Lab Task 1: Configure standalone LAC mode

Step 1: Set up the lab environment

Connect the devices. On SWA, create VLAN 2 and add interface E1/0/2 to it.

    [SWA] vlan 2
    [SWA-vlan2] port Ethernet 1/0/2

Step 2: Check public-network connectivity

Check SWA's routing table and port status to confirm that it is working normally.

    [SWA] display ip interface brief
    *down: administratively down
    (s): spoofing
    Interface            Physical Protocol IP Address   Description
    Vlan-interface1      up       up       1.1.1.2      Vlan-inte.
    Vlan-interface2      up       up       2.2.2.2      Vlan-inte.

    [SWA] display ip routing-table
    Routing Tables: Public
            Destinations : 6        Routes : 6

    Destination/Mask    Proto  Pre  Cost  NextHop      Interface
    1.1.1.0/24          Direct 0    0     1.1.1.2      Vlan1
    1.1.1.2/32          Direct 0    0     127.0.0.1    InLoop0
    2.2.