eNSP three-tier architecture configuration
程序员文章站
2022-06-13 12:52:03
Three-tier architecture
Technologies used:
multi-area OSPF
DHCP
NAT
port mapping
GRE over IPsec
Before configuring, verify that the two ends can reach each other.
Requirements
Access layer
jieruA
sys
sysname jieruA
# create VLANs
vlan batch 10 20 200
# assign the access port
int e0/0/1
port link-type access
port default vlan 10
# trunk uplink
int e0/0/2
port link-type trunk
port trunk allow-pass vlan all
jieruB
sys
sysname jieruB
# create VLANs
vlan batch 10 20 200
# assign the access port
int e0/0/4
port link-type access
port default vlan 20
# trunk uplink
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all
Aggregation layer
huijuA
sys
sysname huijuA
# create VLANs
vlan batch 10 20 200
# trunk ports
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all
int e0/0/2
port link-type trunk
port trunk allow-pass vlan all
int e0/0/1
port link-type trunk
port trunk allow-pass vlan all
huijuB
sys
sysname huijuB
# create VLANs
vlan batch 10 20 200
# trunk uplink and the access port for the server VLAN
int e0/0/2
port link-type trunk
port trunk allow-pass vlan all
int e0/0/1
port link-type access
port default vlan 200
Core layer
sys
sysname core
# create VLANs
vlan batch 10 20 200 800
# trunk downlinks and the access port toward the border router
int g0/0/1
port link-type trunk
port trunk allow-pass vlan all
int g0/0/2
port link-type trunk
port trunk allow-pass vlan all
int g0/0/3
port link-type access
port default vlan 800
# VLAN interface (gateway) addresses
int vlan 10
ip address 192.168.10.254 24
int vlan 20
ip address 192.168.20.254 24
int vlan 200
ip address 192.168.200.254 24
int vlan 800
ip address 192.168.254.1 30
# DHCP configuration (global address pool based)
dhcp enable
ip pool dhcp10
dns-list 8.8.8.8
gateway-list 192.168.10.254
# matching subnet
network 192.168.10.0 mask 24
# apply the global pool on the VLAN interface
int vlan 10
dhcp select global
ip pool dhcp20
dns-list 8.8.8.8
gateway-list 192.168.20.254
# matching subnet
network 192.168.20.0 mask 24
# apply the global pool on the VLAN interface
int vlan 20
dhcp select global
# OSPF configuration (all interfaces advertised into area 0)
ospf 100 router-id 1.1.1.1
area 0
network 0.0.0.0 255.255.255.255
Border
AR1
sys
sysname AR1
# interface addresses
int g0/0/0
ip address 192.168.254.2 30
int g0/0/1
ip address 120.36.2.21 30
int s1/0/0
ip address 12.1.1.1 29
int lo 0
ip address 2.2.2.2 32
# default route toward the Internet
ip route-static 0.0.0.0 0.0.0.0 120.36.2.22
# NAT configuration
acl 3000
### With only the three rules below there is a problem: when the internal network accesses the web service, the source address gets NAT-translated and the reply cannot come back; no fix for this yet.
# If IPsec VPN is configured, traffic to the Fuzhou branch must be excluded from NAT; in a nat outbound ACL a deny rule exempts matching traffic from translation, so rule 5 is a deny
rule 5 deny ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
# This rule lets the Shanghai branch reach the Internet through the headquarters NAT
rule 10 permit ip source 12.1.1.0 0.0.0.255
rule 15 permit ip source 192.168.0.0 0.0.255.255
int g0/0/1
nat outbound 3000
# Port mapping: only reachable from the Internet; the internal network cannot reach it through the interface address.
int g0/0/1
# A y has to be typed manually here to confirm
nat server protocol tcp global current-interface 80 inside 192.168.200.20 80
ospf 100 router-id 2.2.2.2
# redistribute the default route into OSPF
default-route-advertise
area 0
network 192.168.254.0 0.0.0.3
network 2.2.2.2 0.0.0.0
# advertise the Shanghai branch link
area 1
network 12.1.1.0 0.0.0.7
# GRE configuration; only traffic between the 14.1.1.0/24 tunnel endpoints is encrypted, so the other routes must be steered into the tunnel
int Tunnel 0/0/0
ip address 14.1.1.1 24
tunnel-protocol gre
# Do not use a loopback interface here, otherwise the traffic will not be encrypted
source 120.36.2.21
destination 218.85.157.99
# IPsec VPN configuration
## create the IPsec proposal
ipsec proposal wlgc-proposal
# 3des and sha1 are legacy algorithms kept for this lab; AES and SHA-2 are the usual choice outside it
esp encryption-algorithm 3des
esp authentication-algorithm sha1
quit
## create the IKE proposal (default parameters) and the IKE peer
ike proposal 5
quit
ike peer spub v2
pre-shared-key cipher wlgc
ike-proposal 5
quit
## create the IPsec profile
ipsec profile wlgc-profile
proposal wlgc-proposal
ike-peer spub
## apply the profile on the tunnel
int Tunnel 0/0/0
ipsec profile wlgc-profile
quit
# GRE together with OSPF so the Fuzhou branch learns the headquarters routes
ospf 111
area 0
network 14.1.1.0 0.0.0.255
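The NAT-versus-IPsec interaction in ACL 3000 on AR1 is easy to get wrong: in a nat outbound ACL only a deny rule exempts traffic from translation, so a permit in rule 5 would translate the headquarters-to-Fuzhou traffic before it reaches the tunnel. The Python model below is an added example, not part of the original article; it evaluates the ACL with first-match semantics over Huawei wildcard masks on the inner packet header and compares rule 5 as a permit and as a deny. The evaluation order, the sample flows and the decision names are assumptions.

```python
# Added example (not from the original article): a small model of a Huawei-style
# "nat outbound <acl>" decision, used to check ACL 3000 on the border router AR1. Assumed
# semantics: ascending rule order on the inner (pre-GRE) header, first match wins,
# permit = translate, deny = exempt, no match = not translated.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    num: int
    action: str                # "permit" or "deny"
    src: str
    src_wc: str                # wildcard (inverse) mask: a 1 bit means "don't care"
    dst: Optional[str] = None  # None = any destination
    dst_wc: Optional[str] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard mask marks as significant."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_rule(line: str) -> Rule:
    """Parse 'rule N permit|deny ip source A WC [destination B WC]' as written in the article."""
    t = line.split()
    rule = Rule(num=int(t[1]), action=t[2], src=t[5], src_wc=t[6])
    if "destination" in t:
        i = t.index("destination")
        rule.dst, rule.dst_wc = t[i + 1], t[i + 2]
    return rule

def nat_decision(acl: List[str], src: str, dst: str) -> str:
    # returns "translate", "exempt" or "no-match" for one flow hitting nat outbound
    for rule in sorted(map(parse_rule, acl), key=lambda r: r.num):
        if not wildcard_match(src, rule.src, rule.src_wc):
            continue
        if rule.dst and not wildcard_match(dst, rule.dst, rule.dst_wc):
            continue
        return "translate" if rule.action == "permit" else "exempt"
    return "no-match"

# ACL 3000 with rule 5 as a permit (the common mistake) and as a deny (VPN traffic exempt)
ACL_PERMIT_FORM = [
    "rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255",
    "rule 10 permit ip source 12.1.1.0 0.0.0.255",
    "rule 15 permit ip source 192.168.0.0 0.0.255.255",
]
ACL_DENY_FORM = [ACL_PERMIT_FORM[0].replace("permit", "deny")] + ACL_PERMIT_FORM[1:]

if __name__ == "__main__":  # constructed flows: HQ->Fuzhou (VPN), HQ->Internet, Shanghai link->Internet
    for src, dst in [("192.168.10.1", "172.16.1.10"), ("192.168.10.1", "8.8.8.8"), ("12.1.1.2", "8.8.8.8")]:
        print(src, "->", dst, nat_decision(ACL_PERMIT_FORM, src, dst), nat_decision(ACL_DENY_FORM, src, dst))
```

With the permit form the first flow is translated (and the return traffic from 172.16.1.10 no longer matches the tunnel), with the deny form it is exempt while Internet-bound traffic is still translated.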
Internet
internet
sys
sysname internet
# interface addresses
int g0/0/2
ip address 218.85.157.254 24
int g0/0/1
ip address 120.36.2.22 30
AR4
sys
sysname AR4
# interface addresses
int g0/0/0
ip address 172.16.1.254 24
int g0/0/1
ip address 218.85.157.99 24
int lo 0
ip address 10.10.10.10 32
# static default route toward the Internet
ip route-static 0.0.0.0 0.0.0.0 218.85.157.254
# OSPF configuration
ospf 100 router-id 10.10.10.10
area 0
network 218.85.157.0 0.0.0.255
network 10.10.10.10 0.0.0.0
# NAT configuration
acl 3000
# If IPsec VPN is configured, traffic to headquarters must be excluded from NAT; on AR4 the local side is 172.16.0.0/16, so the deny rule is written from that side
rule 5 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 10 permit ip source 172.16.0.0 0.0.255.255
int g0/0/1
nat outbound 3000
# GRE configuration; only traffic between the 14.1.1.0/24 tunnel endpoints is encrypted, so the other routes must be steered into the tunnel
int Tunnel 0/0/0
ip address 14.1.1.2 24
tunnel-protocol gre
# Do not use a loopback interface here, otherwise the traffic will not be encrypted???
source 218.85.157.99
destination 120.36.2.21
# IPsec VPN configuration
## create the IPsec proposal
ipsec proposal wlgc-proposal
esp encryption-algorithm 3des
esp authentication-algorithm sha1
quit
## create the IKE proposal (default parameters) and the IKE peer
ike proposal 5
quit
ike peer spub v2
pre-shared-key cipher wlgc
ike-proposal 5
quit
## create the IPsec profile
ipsec profile wlgc-profile
proposal wlgc-proposal
ike-peer spub
## apply the profile on the tunnel
int Tunnel 0/0/0
ipsec profile wlgc-profile
quit
# GRE together with OSPF so the Fuzhou branch learns the headquarters routes
ospf 111
area 0
network 14.1.1.0 0.0.0.255
Shanghai branch
AR2
sys
sysname AR2
# interface addresses
int s2/0/0
ip address 12.1.1.2 29
int g0/0/0
ip address 192.168.100.254 24
# OSPF configuration (area 1, all interfaces advertised)
ospf 100 router-id 9.9.9.9
area 1
network 0.0.0.0 255.255.255.255
Result figures
Core layer routing table
AR2 can reach the Internet through headquarters
AR4 and AR1 encrypt traffic only when it goes through the tunnel