Dynamic LAN-to-LAN ××× 之 Router-to-Router
2024-04-13 04:46:51
Router-to-Router Dynamic LAN-to-LAN ×××
1.拓扑
2.步骤
2.1基本连通性配置:
R5:
interface FastEthernet0/0
ip address 15.15.15.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 15.15.15.1
R1:
interface FastEthernet0/0
ip address 15.15.15.1 255.255.255.0
interface FastEthernet1/0
ip address 16.16.16.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 16.16.16.6
R6:
ip dhcp excluded-address 36.36.36.6
ip dhcp pool net36
network 36.36.36.0 255.255.255.0
default-router 36.36.36.6
interface FastEthernet0/0
ip address 36.36.36.6 255.255.255.0
interface FastEthernet1/0
ip address 16.16.16.6 255.255.255.0
interface Serial2/0
ip address 26.26.26.6 255.255.255.0
R2:
interface FastEthernet0/0
ip address 27.27.27.2 255.255.255.0
interface Serial2/0
ip address 26.26.26.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 26.26.26.6
R7:
interface FastEthernet0/0
ip address 27.27.27.7 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
R3:
interface FastEthernet0/0
ip address dhcp
interface FastEthernet0/1
ip address 38.38.38.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
R8:
interface FastEthernet1/0
ip address 38.38.38.8 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
2.2测试连通性:
R1到R2和R3的连通性:
R1#ping 36.36.36.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 36.36.36.1, timeout is 2 seconds:
.!!!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 76/120/200 ms
R1#ping 26.26.26.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 26.26.26.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/66/100 ms
R1#
测试R1到北京内网和广州内网的连通性:
R1#ping 27.27.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#
说明:虽然R1有指向R6的默认路由,但R6只有公网路由26.26.26.0、36.36.36.0和16.16.16.0,
只能保证R1、R2、R3之间的通信,所以R1无法与北京和广州的分公司内网通信。
同理:R5不能到达北京和广州内网:
R5# ping 27.27.27.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#ping 38.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
查看R6的路由表:
R6# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
16.0.0.0/24 is subnetted, 1 subnets
C 16.16.16.0 is directly connected, FastEthernet1/0
36.0.0.0/24 is subnetted, 1 subnets
C 36.36.36.0 is directly connected, FastEthernet0/0
26.0.0.0/24 is subnetted, 1 subnets
C 26.26.26.0 is directly connected, Serial2/0
R6#
2.3配置Dynamic LAN-to-LAN ×××:
1.在R1上配置IKE策略:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#ex
2.在R1上配置通配符认证方法:
R1(config)#crypto keyring abc
R1(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
R1(config)#crypto isakmp profile ppp
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring abc
R1(conf-isa-prof)#match identity address 0.0.0.0
R1(conf-isa-prof)#ex
3.在R1上配置IPSec transform:
R1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#ex
4.在R1上定义Dynamic map:
R1(config)#crypto dynamic-map mydyn 5
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#set isakmp-profile ppp
R1(config-crypto-map)#ex
R1(config)#
5.在R1上创建crypto map:
R1(config)#crypto map mymap 10 ipsec-isakmp dynamic mydyn
R1(config)#
6.在R1上将crypto map应用到出接口:
R1(config)#int f1/0
R1(config-if)#crypto map mymap
R1(config-if)#
*Mar 1 01:36:23.111: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ex
R1(config)#
7.使用常规LAN-to-LAN ×××的方式配置R2:
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#en 3
R2(config-isakmp)#ha s
R2(config-isakmp)#au p
R2(config-isakmp)#gr 2
R2(config-isakmp)#ex
R2(config)#crypto isakmp key 0 cisco123 address 16.16.16.1
R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#ex
R2(config)#access-list 100 permit ip 27.27.27.0 0.0.0.255 15.15.15.0 0.0.0.255
R2(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 16.16.16.1
R2(config-crypto-map)#set transform-set myset
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#ex
R2(config)#int s2/0
R2(config-if)#crypto map l2l
R2(config-if)#
*Mar 1 01:56:13.811: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
8.广州供公司路由器R3(动态IP)的×××配置:
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#en 3
R3(config-isakmp)#au p
R3(config-isakmp)#ha s
R3(config-isakmp)#gr 2
R3(config-isakmp)#ex
R3(config)#crypto isakmp key 0 cisco123 add 16.16.16.1
R3(config)#crypto ipsec trans myset esp-3 esp-sha-h
R3(cfg-crypto-trans)#ex
R3(config)#access-list 100 per ip 38.38.38.0 0.0.0.255 15.15.15.0 0.0.0.255
R3(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 16.16.16.1
R3(config-crypto-map)#set trans myset
R3(config-crypto-map)#match add 100
R3(config-crypto-map)#ex
R3(config)#int f0/0
R3(config-if)#cry map l2l
R3(config-if)#
*Oct 18 19:30:46.219: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
3.验证
3.1首先验证北京和上海公司的×××连通性:
1.从Hub端上海公司R5向spoke端北京公司27.27.27.0发送流量:
R5#ping 27.27.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
说明:Dynamic LAN-to-LAN ×××中,hub端是不能事先向spoke端发起流量来触发自己的SA建立的,所以上海到北京的流量不能通过。Hub端的SA只能有spoke端发送流量来触发。
2.从spoke端北京公司27.27.27.0向hub端上海公司R5发送流量:
R7#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 132/174/248 ms
R7#
说明:spoke端向hub端发送的流量成功穿越×××隧道。
3.再次从hub端R5向spoke端27.27.27.0发送流量:
R5#ping 27.27.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/119/244 ms
R5#
说明:当从spoke端向hub端发送流量初始化后,hub端到spoke端的流量才能正常通过×××。
4.查看R1上的IKE SA的peers:
R1(config)#do show crypto isakmp peer
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
Phase1 id: 26.26.26.2
R1(config)#
5.查看R1上的IKE SA:
R1(config)#do show crypto isakmp sa
dst src state conn-id slot status
16.16.16.1 26.26.26.2 QM_IDLE 1 0 ACTIVE
R1(config)#
6.查看R1上的IPSec SA:
R1(config)#do show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: mymap, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x41F65F0(69166576)
inbound esp sas:
spi: 0xAC742101(2893291777)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4395614/2615)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x41F65F0(69166576)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4395614/2612)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1(config)#
7.查看R1上的dynamic map相关参数:
R1(config)#do show crypto dynamic-map
Crypto Map Template"mydyn" 5
ISAKMP Profile: ppp
No matching address list set.
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
R1(config)#
3.2查看R2上的相关参数(参照R1):
R2#show cry isakmp peers
Peer: 16.16.16.1 Port: 500 Local: 26.26.26.2
Phase1 id: 16.16.16.1
R2#show cry isakmp sa
dst src state conn-id slot status
16.16.16.1 26.26.26.2 QM_IDLE 1 0 ACTIVE
R2#show cry ipsec sa
interface: Serial2/0
Crypto map tag: l2l, local addr 26.26.26.2
protected vrf: (none)
local ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer 16.16.16.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
current outbound spi: 0xAC742101(2893291777)
inbound esp sas:
spi: 0x41F65F0(69166576)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4432449/2370)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAC742101(2893291777)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4432449/2368)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#
3.3下面是广州公司路由器R3与上海路由器R1之间×××连通性的验证:
1.从hub端(上海公司路由器R5)向spoke端(广州公司38.38.38.0)发流量:
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
说明:和预期的一样,hub端不能事先向spoke端发起流量建立SA。
2.从spoke端(广州公司38.38.38.0)向hub端(上海公司R5)发送×××触发流量:
R8#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
...!.
Success rate is 20 percent (1/5), round-trip min/avg/max = 204/204/204 ms
R8#
R8#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 128/186/240 ms
R8#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!..
Success rate is 40 percent (2/5), round-trip min/avg/max = 164/196/228 ms
R8#
说明:从spoke端(广州公司38.38.38.0)的流量成功穿越×××到达hub端。
3.再次从hub端(上海公司路由器R5)向spoke端(广州公司38.38.38.0)发流量:
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 204/217/228 ms
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 148/220/272 ms
R5#
说明:当从spoke端向hub端触发流量后,hub端与spoke端的流量才能通过×××。
4.查看R1上的相关参数:
R1#show cry isakmp peer
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
Phase1 id: 26.26.26.2
Peer: 36.36.36.1 Port: 500 Local: 16.16.16.1
Phase1 id: 36.36.36.1
R1#show cry isakmp sa
dst src state conn-id slot status
16.16.16.1 26.26.26.2 QM_IDLE 1 0 ACTIVE
16.16.16.1 36.36.36.1 QM_IDLE 2 0 ACTIVE
R1#show cry ipsec sa
interface: FastEthernet1/0
Crypto map tag: mymap, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x41F65F0(69166576)
inbound esp sas:
spi: 0xAC742101(2893291777)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4395613/1046)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x41F65F0(69166576)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4395613/1043)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (38.38.38.0/255.255.255.0/0/0)
current_peer 36.36.36.1 port 500
PERMIT, flags={}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 36.36.36.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x23231BC(36843964)
inbound esp sas:
spi: 0xDA7CCED8(3665612504)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4419243/3185)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x23231BC(36843964)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4419242/3181)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
5.查看广州路由器R3上的相关参数:
R3#show cry isakmp peers
Peer: 16.16.16.1 Port: 500 Local: 36.36.36.1
Phase1 id: 16.16.16.1
R3#show cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
16.16.16.1 36.36.36.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#show cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: l2l, local addr 36.36.36.1
protected vrf: (none)
local ident (addr/mask/prot/port): (38.38.38.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer 16.16.16.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 36.36.36.1, remote crypto endpt.: 16.16.16.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDA7CCED8(3665612504)
inbound esp sas:
spi: 0x23231BC(36843964)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4576678/3065)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDA7CCED8(3665612504)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4576679/3065)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3#
4.测试NAT对Dynamic LAN-to-LAN ×××的影响:
4.1在R3上配置NAT:
R3(config)#int f0/0
R3(config-if)#ip nat outside
*Oct 18 20:19:27.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R3(config-if)#int f0/1
R3(config-if)#ip nat inside
R3(config-if)#ex
R3(config)#access-list 110 permit ip any any
R3(config)#ip nat inside source list 110 interface f0/0 overload
4.2测试hub端R5发往北京公司(没有NAT)和广州公司(有NAT)的流量情况:
R5#ping 27.27.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/157/208 ms
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
4.3查看广州路由器R3上的NAT转换情况:
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 36.36.36.1:5 38.38.38.8:5 15.15.15.5:5 15.15.15.5:5
R3#
说明:可以看到广州公司38.38.38.0去往上海15.15.15.0的流量呗NAT转换了,所以最后没能通过IPSec。
4.4在R3上配置ACL使感兴趣流量绕过NAT:
R3(config)#no access-list 110
R3(config)#access-list 110 deny ip 38.38.38.0 0.0.0.255 15.15.15.0 0.0.0.255
R3(config)#access-list 110 permit ip any any
R3(config)#exit
R3#clear ip nat translation *
R3#
4.5再次从上海15.15.15.0向广州38.38.38.0和北京27.27.27.0发送流量:
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 212/261/340 ms
R5#
R5#ping 27.27.27.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/137/216 ms
R5#
说明:配置ACL绕过NAT,上海公司到北京和广州的流量再次通过IPsec ×××隧道穿越了Internet。因此在IPSec ×××中,保证需要被IPSec保护的流量绕过NAT转换,否则×××连通失败。
5.发现一个疑问,请求高手指点。
为什么上海公司15.15.15.0和广州公司R8 38.38.38.8之间互相ping的结果都是!.!.! ?上海和R3的38.38.38.3之间ping的结果却正常。
请看:
R1#ping 38.38.38.8 so 15.15.15.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.1
.!...
Success rate is 20 percent (1/5), round-trip min/avg/max = 156/156/156 ms
R1#
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 212/261/340 ms
R5#
R8#ping 15.15.15.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.1, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 172/184/196 ms
R8#
R8#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 160/197/260 ms
R8#
R3的38.38.38.3与上海15.15.15.0之间ping正常:
R3#ping 15.15.15.5 so 38.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
Packet sent with a source address of 38.38.38.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/235/340 ms
R3#
R3#ping 15.15.15.5 so 38.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
Packet sent with a source address of 38.38.38.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/126/172 ms
R3#
R5#ping 38.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/155/212 ms
R5#
R1#ping 38.38.38.3 so 15.15.15.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/110/144 ms
R1#
R3和R2的唯一区别就是R3的外部接口配置的IP是DHCP。
转载于:https://blog.51cto.com/henuxzy/1031007
Dynamic LAN-to-LAN ××× 之 Router-to-Router相关推荐
- 配置ASA 7.x to Router LAN−to−LAN IPsec Tunnel
配置ASA 7.x to Router LAN−to−LAN IPsec Tunnel 详细配置见附件
- 前端笔记(11) Vue3 Router 编程式导航 router.push router.replace
什么是编程式导航? 在上篇博客Vue3 Router 监听路由参数变化中,我们使用 <router-link> 创建 a 标签来定义导航链接: <router-link to=&qu ...
- mysql router docker_MySQL Router 完全讲解
MySQL Router 是一款轻量级 MySQL 中间件,提供应用与任意 MySQL 后端服务器的透明路由.同时插件式架构也方便开发者扩展其功能. 1. 安装 rpm -ivh mysql-rout ...
- 什么是5G LAN 5G LAN商用爆发推动5G创新应用 提速数字转型新引擎
继元宇宙风口之后,最近又有一个热词席卷物联网企业圈--5G LAN. 5G时代,在"4G改变生活,5G改变社会"的推动下,5G肩负着"万物互联,助力千行百业数字化转型&q ...
- Vue Router 使用router.beforEach出现无限重定向问题解决Detected an infinite redirection in a navigation guard when
在使用VueRouter的全局前置守卫进行登录鉴权操作时,路由报错'Detected an infinite redirection in a navigation guard when going ...
- pppoe拨号上网 路由器(Router) 网关
方案一(推荐):需要一台宽带路由器(80元左右) 把ADSL的LAN口接到宽带路由器的WLAN口,再把你的两台XP系统接到宽带路由器的LAN口上(一般宽带路由器有4个LAN口,你可以4台电脑同时共享上 ...
- vue router 参数_Vue.js项目开发技术解析
Vue.js项目开发技术解析 一.Vue.js实例 在一个Vue.js工程中,用于显示内容最基层的实例称之为根实例.通过该实例可以进行页面或组件的更新和显示.对于项目本身而言,无论是什么样的页面,都要 ...
- Vue Router的详细教程
Vue Router的详细教程 安装 #直接下载 / CDN https://unpkg.com/vue-router/dist/vue-router.js Unpkg.com 提供了基于 NPM 的 ...
- 使用React Router v4的嵌套路由
React Router v4 introduced a new declarative, component based approach to routing. With that approac ...
- React Router入门指南
by Nader Dabit 纳德·达比特(Nader Dabit) React Router入门指南 (Beginner's Guide to React Router) Or what I wis ...
最新文章
- Tensorflow-gpu 在Anaconda中使用出现问题的解决方式
- python不带颜色的图形_如何使用Matplotlib设置图形背景颜色的不透明度 - python
- python创建文件名称_如何在Python中创建递增文件名?
- Struts2中的链接标签 s:url和s:a
- 位运算-查找数组中唯一成对的数
- spring boot 自动跳转登录页面_徒手撸一个扫码登录示例工程
- 【MATLAB、深度学习】AlexNet及VGG神经网络在MATLAB上的应用
- 美妆海报模板|来点创意的海报设计(立体剪纸风格)
- 【Linux】Linux中常见的文件管理以及常用的符号命令的总结
- 查看其他计算机的共享资源,NetResView (共享资源查看)
- 剑指offer之正则表达式匹配
- 无法向会话状态服务器发出回话状态请求
- python相机标定
- 解决win10的WiFi图标消失、win10打开或关闭系统图标网络灰色问题
- Lingo 基本使用
- Windows下让Tomcat6定时重启服务的方法
- 知网获取论文参考文献
- HDU - 1166 敌兵布阵(线段树模板)(入门题)
- 关于文件读写缓存的问题(flush的使用场景)
- nodeMCU_esp8266管脚示意图/特殊管脚的使用避坑(D3/D4/D8/..)