實(shí)驗(yàn)任務(wù)一：GRE VPN基本配置

步驟一：搭建實(shí)驗(yàn)環(huán)境

在SWA上配置VLAN2，將接口E1/0/2加入VLAN2：

[SWA]vlan 2

[SWA-vlan2]port Ethernet 1/0/2

步驟二：檢測(cè)公網(wǎng)連通性

查看SWA的路由表和端口狀態(tài)，確認(rèn)其工作正常。

[SWA]display ip interface brief

*down: administratively down

(s): spoofing

Interface                     Physical Protocol IP Address      Description

Vlan-interface1               up       up       1.1.1.2         Vlan-inte...

Vlan-interface2               up       up       2.2.2.2         Vlan-inte...

 

[SWA]display ip routing-table

Routing Tables: Public

        Destinations : 6        Routes : 6

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

 

1.1.1.0/24          Direct 0    0            1.1.1.2         Vlan1

1.1.1.2/32          Direct 0    0            127.0.0.1       InLoop0

2.2.2.0/24          Direct 0    0            2.2.2.2         Vlan2

2.2.2.2/32          Direct 0    0            127.0.0.1       InLoop0

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0

127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

也可以使用display interface命令。

在RTA和RTB上配置公網(wǎng)接口互通所需的靜態(tài)路由。

[RTA]interface GigabitEthernet0/0

[RTA-GigabitEthernet0/0]ip address 192.168.1.1 255.255.255.0

[RTA-GigabitEthernet0/0]interface GigabitEthernet0/1

[RTA-GigabitEthernet0/1]ip address 1.1.1.1 255.255.255.0

[RTA-GigabitEthernet0/1]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

 

[RTB]interface GigabitEthernet0/0

[RTB-GigabitEthernet0/0]ip address 192.168.2.1 255.255.255.0

[RTB-GigabitEthernet0/0]interface GigabitEthernet0/1

[RTB-GigabitEthernet0/1]ip address 2.2.2.1 255.255.255.0

[RTB-GigabitEthernet0/1]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

步驟三：配置GRE隧道接口

[RTA] interface Tunnel0

[RTA-Tunnel0] ip address 192.168.3.1 255.255.255.252

[RTA-Tunnel0] source 1.1.1.1

[RTA-Tunnel0] destination 2.2.2.1

 

[RTB] interface Tunnel0

[RTB-Tunnel0] ip address 192.168.3.2 255.255.255.252

[RTB-Tunnel0] source 2.2.2.1

[RTB-Tunnel0] destination 1.1.1.1

步驟四：為私網(wǎng)配置靜態(tài)路由

[RTA] ip route-static 192.168.2.0 255.255.255.0 Tunnel0

 

[RTB] ip route-static 192.168.1.0 255.255.255.0 Tunnel0

 

配置時(shí)也可以用下一跳地址。

步驟五：檢驗(yàn)隧道工作狀況

查看RTA與RTB的路由表，可見(jiàn)公網(wǎng)、私網(wǎng)路由均存在于路由表中：

[RTB]display ip routing-table

Routing Tables: Public

        Destinations : 10       Routes : 10

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

 

1.1.1.0/24          Static 60   0            2.2.2.2         GE0/1

2.2.2.0/24          Direct 0    0            2.2.2.1         GE0/1

2.2.2.1/32          Direct 0    0            127.0.0.1       InLoop0

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0

127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

192.168.1.0/24      Static 60   0            192.168.3.2     Tun0

192.168.2.0/24      Direct 0    0            192.168.2.1     GE0/0

192.168.2.1/32      Direct 0    0            127.0.0.1       InLoop0

192.168.3.0/30      Direct 0    0            192.168.3.2     Tun0

192.168.3.2/32      Direct 0    0            127.0.0.1       InLoop0

查看RTA和RTB的隧道接口狀態(tài)，可見(jiàn)其使用GRE封裝，狀態(tài)為UP：

[RTB]display interface Tunnel 0

Tunnel0 current state: UP

Line protocol current state: UP

Description: Tunnel0 Interface

The Maximum Transmit Unit is 1476

Internet Address is 192.168.3.2/30 Primary

Encapsulation is TUNNEL, service-loopback-group ID not set.

Tunnel source 2.2.2.1, destination 1.1.1.1

Tunnel keepalive disable

Tunnel protocol/transport GRE/IP

    GRE key disabled

    Checksumming of GRE packets disabled

Output queue : (Urgent queuing : Size/Length/Discards)  0/100/0

Output queue : (Protocol queuing : Size/Length/Discards)  0/500/0

Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0

    Last 300 seconds input:  15 bytes/sec, 0 packets/sec

    Last 300 seconds output:  21 bytes/sec, 0 packets/sec

    133 packets input,  5701 bytes

    0 input error

    124 packets output,  7469 bytes

    0 output error

在RTA上打開(kāi)GRE協(xié)議調(diào)試開(kāi)關(guān)用debugging命令檢驗(yàn)路由器實(shí)際收發(fā)的報(bào)文，說(shuō)明其地址已經(jīng)改變。

<RTA>terminal monitor

<RTA>terminal debugging

<RTA>debugging gre packet

在PCA上對(duì)RTB運(yùn)行ping命令，但只發(fā)送一個(gè)ICMP包：

C:\Documents and Settings\User>ping -n 1 192.168.2.1

 

Pinging 192.168.2.1 with 32 bytes of data:

 

Reply from 192.168.2.1: bytes=32 time<1ms TTL=254

 

Ping statistics for 192.168.2.1:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

觀察RTA上的輸出信息：

<RTA>

*Jun 26 16:15:30:443 2009 RTA GRE/7/debug:

 Tunnel0 packet:After encapsulation,

     Outgoing packet header 1.1.1.1->2.2.2.1(length = 84)

*Jun 26 16:15:30:443 2009 RTA GRE/7/debug:Output: Gre packet has been fast-switc

hed successfully, interface index is 0x2f0000.

可見(jiàn)RTA從Tunnel0接口發(fā)出了一個(gè)包，源地址為1.1.1.1，目的地址為2.2.2.1。因?yàn)榘l(fā)送的包已經(jīng)被GRE封裝后在公網(wǎng)發(fā)送了。

步驟六：清除靜態(tài)路由

用undo ip route-static命令。

步驟七：為公網(wǎng)配置動(dòng)態(tài)路由

[RTA]ospf 1

[RTA-ospf-1]area 0.0.0.0

[RTA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255

 

[RTB]ospf 1

[RTB-ospf-1]area 0.0.0.0

[RTB-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

 

[SWA]ospf 1

[SWA-ospf-1]area 0.0.0.0

[SWA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255

[SWA-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

步驟八：為私網(wǎng)配置動(dòng)態(tài)路由

[RTA]rip 1

[RTA-rip-1]version 2

[RTA-rip-1]network 192.168.1.0

[RTA-rip-1]network 192.168.3.0

 

[RTB]rip

[RTB-rip-1]version 2

[RTB-rip-1]network 192.168.2.0

[RTB-rip-1]network 192.168.3.0

步驟九：再次檢驗(yàn)隧道工作狀況

查看RTA與RTB的路由表：

<RTB>display ip routing-table

Routing Tables: Public

        Destinations : 10       Routes : 10

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

 

1.1.1.0/24          OSPF   10   2            2.2.2.2         GE0/1

2.2.2.0/24          Direct 0    0            2.2.2.1         GE0/1

2.2.2.1/32          Direct 0    0            127.0.0.1       InLoop0

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0

127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

192.168.1.0/24      RIP    100  1            192.168.3.1     Tun0

192.168.2.0/24      Direct 0    0            192.168.2.1     GE0/0

192.168.2.1/32      Direct 0    0            127.0.0.1       InLoop0

192.168.3.0/30      Direct 0    0            192.168.3.2     Tun0

192.168.3.2/32      Direct 0    0            127.0.0.1       InLoop0

轉(zhuǎn)入下一實(shí)驗(yàn)任務(wù)。

實(shí)驗(yàn)任務(wù)二：GRE VPN隧道驗(yàn)證

步驟一：單方配置隧道驗(yàn)證

首先在RTA上單方啟動(dòng)隧道驗(yàn)證：

[RTA-Tunnel0]gre key 1234

步驟二：檢驗(yàn)隧道連通性

用ping命令驗(yàn)證PCA與PCB之間的連通性。由于僅單方配置了隧道驗(yàn)證，此時(shí)應(yīng)該無(wú)法連通。

C:\Documents and Settings\User>ping 192.168.2.1

 

Pinging 192.168.2.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 192.168.2.1:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

步驟三：配置錯(cuò)誤的隧道驗(yàn)證

在RTB上也啟動(dòng)隧道驗(yàn)證，但驗(yàn)證值配置與RTA不同：

[RTB-Tunnel0]gre key 12345

步驟四：檢驗(yàn)隧道連通性

用ping命令驗(yàn)證PCA與PCB之間的連通性。由于配置的隧道驗(yàn)證值錯(cuò)誤，此時(shí)應(yīng)該無(wú)法連通。

C:\Documents and Settings\User>ping 192.168.2.1

 

Pinging 192.168.2.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 192.168.2.1:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

步驟五：正確配置隧道驗(yàn)證

在RTB上配置與RTA相同的驗(yàn)證值：

[RTB-Tunnel0]gre key 1234

步驟六：檢驗(yàn)隧道連通性

用ping命令驗(yàn)證PCA與PCB之間的連通性。由于配置的隧道驗(yàn)證正確，此時(shí)應(yīng)該可以連通。

C:\Documents and Settings\User>ping 192.168.2.1

 

Pinging 192.168.2.1 with 32 bytes of data:

 

Reply from 192.168.2.1: bytes=32 time=1ms TTL=254

Reply from 192.168.2.1: bytes=32 time<1ms TTL=254

Reply from 192.168.2.1: bytes=32 time<1ms TTL=254

Reply from 192.168.2.1: bytes=32 time<1ms TTL=254

 

Ping statistics for 192.168.2.1:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

實(shí)驗(yàn)任務(wù)三：GRE VPN隧道Keepalive

步驟一：恢復(fù)靜態(tài)路由配置

 [RTA]undo rip

Warning : Undo RIP process? [Y/N]:y

[RTA]undo ospf

Warning : Undo OSPF process? [Y/N]:y

[RTA]ip route-static 192.168.2.0 255.255.255.0 Tunnel0

[RTA]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

 

[RTB]undo rip

Warning : Undo RIP process? [Y/N]:y

[RTB]undo ospf

Warning : Undo OSPF process? [Y/N]:y

[RTB]ip route-static 192.168.1.0 255.255.255.0 Tunnel0

[RTB]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

步驟二：模擬網(wǎng)絡(luò)故障

 [SWA-Vlan-interface2]shutdown

步驟三：檢查RTA上的隧道接口狀態(tài)

在RTA上檢查隧道接口狀態(tài)，發(fā)現(xiàn)隧道接口狀態(tài)仍然正常：

[RTA]display interface Tunnel 0

Tunnel0 current state: UP

Line protocol current state: UP

Description: Tunnel0 Interface

The Maximum Transmit Unit is 1472

Internet Address is 192.168.3.1/30 Primary

Encapsulation is TUNNEL, service-loopback-group ID not set.

Tunnel source 1.1.1.1, destination 2.2.2.1

Tunnel keepalive disable

Tunnel protocol/transport GRE/IP

    GRE key value is 1234

    Checksumming of GRE packets disabled

Output queue : (Urgent queuing : Size/Length/Discards)  0/100/0

Output queue : (Protocol queuing : Size/Length/Discards)  0/500/0

Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0

    Last 300 seconds input:  0 bytes/sec, 0 packets/sec

    Last 300 seconds output:  0 bytes/sec, 0 packets/sec

    1016 packets input,  100223 bytes

    10 input error

    981 packets output,  41128 bytes

    0 output error

這說(shuō)明其無(wú)法了解對(duì)端變化情況。這是因?yàn)樵?/SPAN>RTA上，隧道源地址所屬接口正常，隧道目的地址所需的路由仍然存在。

步驟四：恢復(fù)網(wǎng)絡(luò)故障

[SWA-Vlan-interface2]undo shutdown

步驟五：配置隧道Keepalive

[RTA]interface Tunnel 0

[RTA-Tunnel0]keepalive

 

[RTB]interface Tunnel 0

[RTB-Tunnel0]keepalive

步驟六：模擬網(wǎng)絡(luò)故障

在RTA上啟動(dòng)debugging開(kāi)關(guān)：

<RTA>terminal monitor

<RTA>terminal debugging

<RTA>debugging gre all

<RTA>debugging tunnel all

關(guān)閉SWA的VLAN2接口，模擬公網(wǎng)路由突然發(fā)生故障。

[SWA-Vlan-interface2]shutdown

步驟七：觀察效果，檢驗(yàn)隧道連通性

在RTA上觀察debugging信息。輸出信息形如：

<RTA>

*Jun 26 17:31:54:794 2009 RTA TUNNEL/7/debug:

Tunnel0 link state is UP, no change.

*Jun 26 17:31:55:508 2009 RTA TUNNEL/7/debug:

 Before encapsulation, the packet's ulLoopTimes is 0.

......

......

*Jun 26 17:32:55:968 2009 RTA TUNNEL/7/debug:

 Before encapsulation, the packet's ulLoopTimes is 0.

*Jun 26 17:33:00:293 2009 RTA TUNNEL/7/debug:

Tunnel0 link state is UP, no change.

*Jun 26 17:33:05:332 2009 RTA TUNNEL/7/debug:

Tunnel0 link state is UP, no change.

*Jun 26 17:33:06:45 2009 RTA TUNNEL/7/debug:

 Before encapsulation, the packet's ulLoopTimes is 0.

*Jun 26 17:33:10:369 2009 RTA TUNNEL/7/debug:

Tunnel0 link state is UP, no change.

*Jun 26 17:33:15:408 2009 RTA TUNNEL/7/debug:

Tunnel0 link state is UP, no change.

%Jun 26 17:33:16:168 2009 RTA TUNNEL/4/LINK UPDOWN:

 Tunnel0: link status is DOWN

%Jun 26 17:33:16:168 2009 RTA IFNET/4/UPDOWN:

 Line protocol on the interface Tunnel0 is DOWN

*Jun 26 17:33:16:168 2009 RTA TUNNEL/7/debug:

Tunnel0 down, because keepalive is not reached.

*Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:

Can not get tunnel ID when tunnel(index = 0x2f0000) state is down.

*Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:

Tunnel_DelTunnInUpTunnTbl: The tunnel(0x2f0000) state is down.

*Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:

 Before encapsulation, the packet's ulLoopTimes is 0.

*Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug:

Tunnel0 down, because keepalive is not reached.

*Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug:

Tunnel0 link state is DOWN, no change.

*Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug:

Tunnel0 down, because keepalive is not reached.

*Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug:

Tunnel0 link state is DOWN, no change.

*Jun 26 17:33:26:203 2009 RTA TUNNEL/7/debug:

可見(jiàn)經(jīng)過(guò)一段時(shí)間后，Tunnel0接口狀態(tài)變?yōu)?/SPAN>DOWN，根據(jù)debugging信息，原因是keepalive消息丟失。

關(guān)閉debugging開(kāi)關(guān)，查看Tunnel0接口信息：

<RTA>undo debugging all

All possible debugging has been turned off

<RTA>display interface tunnel 0

Tunnel0 current state: DOWN

Line protocol current state: DOWN

Description: Tunnel0 Interface

The Maximum Transmit Unit is 1472

Internet Address is 192.168.3.1/30 Primary

Encapsulation is TUNNEL, service-loopback-group ID not set.

Tunnel source 1.1.1.1, destination 2.2.2.1

Tunnel keepalive enable, Period(10 s), Retries(3)

Tunnel protocol/transport GRE/IP

    GRE key value is 1234

    Checksumming of GRE packets disabled

Output queue : (Urgent queuing : Size/Length/Discards)  0/100/0

Output queue : (Protocol queuing : Size/Length/Discards)  0/500/0

Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0

    Last 300 seconds input:  2 bytes/sec, 0 packets/sec

    Last 300 seconds output:  2 bytes/sec, 0 packets/sec

    1115 packets input,  101679 bytes

    10 input error

    1084 packets output,  44012 bytes

    0 output error

可見(jiàn)Tunnel0接口狀態(tài)確實(shí)已經(jīng)變?yōu)?/SPAN>DOWN。

在SWA上重新打開(kāi)VLAN2接口，過(guò)一段時(shí)間之后， Tunnel0接口狀態(tài)以及PCA與PCB之間的連通性可以恢復(fù)正常。