欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

ensp 三层架构配置

程序员文章站 2022-06-13 12:52:03
...

三层架构

ensp 三层架构配置

使用到的技术:
	多区域 ospf 
  dhcp
  nat
  端口映射
  
  gre over ipsec
  	配置前,验证两端是否互通

需求

ensp 三层架构配置

接入层

jieruA

sys
sysname jieruA


# 创建vlan
vlan batch 10 20 200

# 分配Access 端口
int e0/0/1
port link-type access 
port default vlan 10

# trunk
int e0/0/2 
port link-type trunk 
port trunk allow-pass vlan all

jieruB

sys
sysname jieruB

# 创建vlan
vlan batch 10 20 200

# 分配Access 端口
int e0/0/4
port link-type access 
port default vlan 20

# trunk
int e0/0/3 
port link-type trunk 
port trunk allow-pass vlan all

汇聚层

huijuA

sys
sysname huijuA

# 创建vlan
vlan batch 10 20 200


# trunk
int e0/0/3 
port link-type trunk 
port trunk allow-pass vlan all

int e0/0/2
port link-type trunk 
port trunk allow-pass vlan all

int e0/0/1
port link-type trunk 
port trunk allow-pass vlan all

huijuB

sys
sysname huijuB

# 创建vlan
vlan batch 10 20 200


# trunk
int e0/0/2 
port link-type trunk 
port trunk allow-pass vlan all

int e0/0/1
port link-type access 
port default vlan 200

核心层

sys
sysname core

# 创建vlan
vlan batch 10 20 200 800


# trunk
int g0/0/1 
port link-type trunk 
port trunk allow-pass vlan all

int g0/0/2
port link-type trunk 
port trunk allow-pass vlan all

int g0/0/3
port link-type access 
port default vlan 800

# vlan 管理 IP
int vlan 10
ip address 192.168.10.254  24

int vlan 20
ip address 192.168.20.254 24

int vlan 200
ip address 192.168.200.254 24

int vlan 800
ip address 192.168.254.1 30

# 配置dhcp(基于全局地址池的)
dhcp enable

ip pool dhcp10
dns-list 8.8.8.8
gateway-list 192.168.10.254
# 对应网段
network 192.168.10.0 mask 24 

# 应用
int vlan 10
dhcp select global 

ip pool dhcp20
dns-list 8.8.8.8
gateway-list 192.168.20.254
# 对应网段
network 192.168.20.0 mask 24 

# 应用
int vlan 20
dhcp select global 

# 配置ospf
ospf 100 router-id 1.1.1.1
area 0
network 0.0.0.0 255.255.255.255 


边界

AR1

sys
sysname AR1

# 配置ip
int g0/0/0
ip address 192.168.254.2 30

int g0/0/1
ip address 120.36.2.21 30

int s1/0/0
ip address 12.1.1.1 29

int lo 0 
ip address 2.2.2.2 32

# 默认路由
ip route-static 0.0.0.0 0.0.0.0 120.36.2.22

# nat 配置
acl 3000

###  只有下面三条时,会存在一个问题,内网访问web服务的时候,地址会被nat转换,而无法回包,暂时解决不来

# 需要配置ipsec vpn的话,需要排除福州分公司的
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255 
# 这条是为了解决上海分公司 通过本部nat访问 外网
rule 10 permit ip source 12.1.1.0 0.0.0.255
rule 15 permit ip source 192.168.0.0 0.0.255.255 


int g0/0/1
nat outbound 3000

# 端口映射,只能通过外网访问,内网通过接口地址访问不到。
int g0/0/1
# 这里需要手动输入个y
nat server protocol tcp global current-interface 80 inside 192.168.200.20 80


ospf 100 router-id 2.2.2.2
# 默认路由重分布
default-route-advertise 
area 0
network 192.168.254.0 0.0.0.3
network 2.2.2.2 0.0.0.0

# 宣告上海分公司
area 1
network 12.1.1.0 0.0.0.7

# gre 配置,这样只有14.1.1.0/24间通信才加密,需要将其他路由转到隧道上
int Tunnel 0/0/0
ip address 14.1.1.1 24 
tunnel-protocol gre 
# 这里不要用环回接口,否则加密不了通信流量
source 120.36.2.21
destination 218.85.157.99

# 配置ipsec vpn

## 创建proposal
ipsec proposal wlgc-proposal
esp encryption-algorithm 3des 
esp authentication-algorithm sha1
quit

## 创建ike
ike proposal 5
quit
ike peer spub v2

pre-shared-key cipher wlgc 
ike-proposal 5

quit
## 创建 profile
ipsec profile wlgc-profile
proposal wlgc-proposal
ike-peer spub

## 在隧道上,应用profile
int Tunnel 0/0/0
ipsec profile wlgc-profile 

quit
# gre 配合ospf,实现福州分部学习到总部路由
ospf 111
area 0 
network 14.1.1.0 0.0.0.255

互联网

internet

sys
sysname internet

# 配置ip
int g0/0/2
ip address 218.85.157.254 24

int g0/0/1
ip address 120.36.2.22 30

AR4

sys
sysname AR4

# 配置ip
int g0/0/0
ip address 172.16.1.254 24

int g0/0/1
ip address 218.85.157.99 24

int lo 0 
ip address 10.10.10.10 32

# 静态路由
ip route-static 0.0.0.0 0.0.0.0 218.85.157.254

# 配置ospf
ospf 100 router-id 10.10.10.10
area 0 
network 218.85.157.0 0.0.0.255
network 10.10.10.10  0.0.0.0

# nat 配置
acl 3000 

# 需要配置ipsec vpn的话,需要排除福州分公司的
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255 
rule 10 permit ip source 172.16.0.0 0.0.255.255

int g0/0/1
nat outbound 3000


# gre 配置,这样只有14.1.1.0/24间通信才加密,需要将其他路由转到隧道上
int Tunnel 0/0/0
ip address 14.1.1.2 24 
tunnel-protocol gre 
# 这里不要用环回接口,否则加密不了通信流量???
source 218.85.157.99
destination 120.36.2.21

# 配置ipsec vpn
## 创建proposal
ipsec proposal wlgc-proposal
esp encryption-algorithm 3des 
esp authentication-algorithm sha1
quit

## 创建ike
ike proposal 5
quit
ike peer spub v2

pre-shared-key cipher wlgc 
ike-proposal 5

quit
## 创建 profile
ipsec profile wlgc-profile
proposal wlgc-proposal
ike-peer spub

## 在隧道上,应用profile
int Tunnel 0/0/0
ipsec profile wlgc-profile 

quit
# gre 配合ospf,实现福州分部学习到总部路由
ospf 111
area 0 
network 14.1.1.0 0.0.0.255


上海分公司

AR2

sys
sysname AR2

# 配置ip
int s2/0/0
ip address 12.1.1.2 29

int g0/0/0
ip address 192.168.100.254 24

# 配置ospf
ospf 100 router-id 9.9.9.9 
area 1
network 0.0.0.0 255.255.255.255



结果图

核心层 路由表
ensp 三层架构配置




AR2 可以通过本部上网


AR4、AR1 只有在经过隧道时,才可以加密