Tunnel configuration example
Added by microsin
This example shows how to set up a tunnel without encryption.

1. Initial configuration at the Main Office: 2651XM (MPC860P), Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(1), RELEASE SOFTWARE (fc3), c2600-adventerprisek9-mz.124-1.bin, 29396840 bytes. The router is physically connected to the Main Office LAN by a single interface:

interface FastEthernet0/0
ip address 10.25.100.81 255.255.0.0

2. Initial configuration in N-sk: C831 (MPC857DSL), Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4), c831-k9o3sy6-mz.123-11.T3.bin, 8618636 bytes. The router is physically connected by one interface to the N-sk LAN:

interface Ethernet0
bandwidth 100000
ip address 10.41.0.254 255.255.240.0

and by a second interface to the equipment of the provider that supplies the link to the Main Office:

interface Ethernet1
bandwidth 2000
ip address 172.23.10.65 255.255.255.252

3. A computer in N-sk, 10.41.0.1/20 (PDC); a computer at the Main Office, 10.25.9.152/16 (WORKSTAT).

4. Without the tunnel, traffic follows the route: PDC

5. With the tunnel, traffic follows the route: PDC

6. Lines to add on the C831 to enable the tunnel:

interface Tunnel0
description Tunnel to Main Office
bandwidth 2000
ip address 192.168.123.245 255.255.255.252
tunnel source 10.41.0.254
tunnel destination 10.25.100.81

7. Lines to add on the 2651XM to enable the tunnel:

interface Tunnel2
description Tunnel to N-sk
bandwidth 2000
ip address 192.168.123.246 255.255.255.252
tunnel source 10.25.100.81
tunnel destination 10.41.0.254

8. Routes to add on the 2651XM so that the C831 and the N-sk network are reachable from the Main Office:

ip route 10.41.0.0 255.255.240.0 192.168.123.245
ip route 10.41.0.254 255.255.255.255 10.25.0.254

9. A route to network 10.41.0.0/20 via the 2651XM must be configured on WORKSTAT (until now that traffic went to the default gateway 10.25.0.254):

route ADD 10.41.0.0 MASK 255.255.240.0 10.25.100.81

9a. Alternatively, configure the route to network 10.41.0.0/20 on the C4500 (then nothing needs to be added on WORKSTAT). The route

ip route 10.41.0.0 255.255.240.0 10.155.1.248

must be changed to

ip route 10.41.0.0 255.255.240.0 10.25.100.81

10. Finally, the complete device configurations.

Current configuration : 4892 bytes
!
! Last configuration change at 09:26:04 IZH Fri Oct 6 2006 by admin
! NVRAM config last updated at 09:21:11 IZH Fri Oct 6 2006 by admin
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname izev-831-10.41.0.254
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging buffered 64000 debugging
enable secret 5 ...
!
username admin privilege 15 secret 5 ...
clock timezone IZH 3
clock summer-time IZH recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip name-server 10.25.0.42
ip ips po max-events 100
no ftp-server write-enable
!
!
class-map match-all voip
match access-group 160
class-map match-all limit2M
match access-group 110
!
!
policy-map voip-p
class voip
priority percent 50
set ip precedence 5
class class-default
fair-queue
policy-map to_division
class limit2M
shape peak 2000000
service-policy voip-p
!
!
interface Tunnel0
description Tunnel to Main Office
bandwidth 2000
ip address 192.168.123.245 255.255.255.252
tunnel source 10.41.0.254
tunnel destination 10.25.100.81
!
interface Ethernet0
bandwidth 100000
ip address 10.41.0.254 255.255.240.0
ip route-cache flow
no ip mroute-cache
no cdp enable
!
interface Ethernet1
bandwidth 2000
ip address 172.23.10.65 255.255.255.252
service-policy output to_division
ip route-cache flow
no ip mroute-cache
duplex auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
router bgp 65459
no synchronization
bgp log-neighbor-changes
network 10.41.0.0 mask 255.255.240.0
neighbor 172.23.10.66 remote-as 21485
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.23.10.66
!
ip http server
no ip http secure-server
ip flow-export version 5
ip flow-export destination 10.25.100.77 9996
!
!
!
access-list 8 permit 10.25.100.77
access-list 101 permit udp any any range 16384 32768
access-list 101 permit udp any any precedence critical
access-list 102 permit tcp any eq 1720 any
access-list 102 permit tcp any any eq 1720
access-list 110 remark Traffic from izev
access-list 110 permit ip 10.41.0.0 0.0.15.255 10.0.0.0 0.255.255.255
access-list 160 remark -----------------------------
access-list 160 remark ----Nortel_VoIP_traffic------
access-list 160 permit tcp any any range 1720 1721
access-list 160 permit udp any any eq 1718
access-list 160 permit udp any any eq 1719
access-list 160 permit udp any any eq 4100
access-list 160 permit udp any any eq 5100
access-list 160 permit udp any any eq 7300
access-list 160 permit udp any any eq 5105
access-list 160 permit udp any any range 5200 5262
access-list 160 permit udp any any eq 5000
access-list 160 permit udp any any eq 15000
access-list 160 permit udp any any range 17300 17363
access-list 160 permit udp any any range 2001 2002
access-list 160 permit udp any any range 2300 2363
access-list 160 permit udp any range 5000 5201 any
access-list 160 permit udp any any range 16384 32768
snmp-server community ..... RW 8
snmp-server community ...... RO
snmp-server trap-source Ethernet0
snmp-server enable traps bgp
snmp-server enable traps syslog
snmp-server enable traps config
snmp-server host 10.25.100.77 .....
!
!
control-plane
!
banner login ^
ATTENTION !!!
Please Call to RIC .....
before make any aCtion to this Router.^
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 120 0
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
ntp clock-period 17179062
ntp server 10.25.0.254 source Ethernet0
end

Current configuration : 3496 bytes
!
! Last configuration change at 05:25:38 UTC Fri Oct 6 2006 by admin
! NVRAM config last updated at 13:15:00 UTC Thu Oct 5 2006 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname 2651XM
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 ...
!
!
resource policy
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
ip domain name moskowoffice.com
no ip ips deny-action ips-interface
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
!
username admin privilege 15 secret 5 ...
!
crypto isakmp policy 10
authentication pre-share
lifetime 28800
crypto isakmp key ..... address 10.25.2.5
!
!
crypto ipsec transform-set t-win esp-des esp-md5-hmac
!
crypto map win 10 ipsec-isakmp
set peer 10.25.2.5
set transform-set t-win
match address l-ipsec
!
interface Tunnel2
description Tunnel to N-sk
bandwidth 2000
ip address 192.168.123.246 255.255.255.252
tunnel source 10.25.100.81
tunnel destination 10.41.0.254
!
interface FastEthernet0/0
ip address 10.25.100.81 255.255.0.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
autodetect encapsulation ppp
peer default ip address pool p-ren
no keepalive
ppp authentication pap chap ms-chap
!
ip local pool p-ren 192.168.111.1 192.168.111.250
ip classless
ip route 0.0.0.0 0.0.0.0 10.25.0.254
ip route 10.41.0.0 255.255.248.0 192.168.123.245
ip route 10.41.0.254 255.255.255.255 10.25.0.254
!
!
ip http server
no ip http secure-server
!
ip access-list extended l-ipsec
permit ip 192.168.123.252 0.0.0.3 host 10.25.2.5
!
snmp-server community ren_ro RO
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
ntp clock-period 17208012
ntp server 10.25.0.254
!
end
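
Added example (not part of the original article): a Python check that lists tunnel interfaces which, like Tunnel0 and Tunnel2 above, have no IPsec attached and so carry traffic between the sites in clear. The sample text is constructed from the 2651XM stanzas; Tunnel9, its 192.0.2.1 destination and the profile name EXAMPLE are hypothetical.

```python
import re

# Constructed sample: 2651XM stanzas as printed above (indentation already lost),
# plus a hypothetical Tunnel9 that has an IPsec profile attached.
SAMPLE = """\
interface Tunnel2
description Tunnel to N-sk
ip address 192.168.123.246 255.255.255.252
tunnel source 10.25.100.81
tunnel destination 10.41.0.254
!
interface FastEthernet0/0
ip address 10.25.100.81 255.255.0.0
!
interface Tunnel9
tunnel source 10.25.100.81
tunnel destination 192.0.2.1
tunnel protection ipsec profile EXAMPLE
!
"""

def interface_blocks(config):
    """Map interface name -> sub-commands; a stanza runs until the next '!' line."""
    blocks, current = {}, None
    for line in map(str.strip, config.splitlines()):
        start = re.match(r"interface\s+(\S+)$", line)
        if start:
            current = blocks.setdefault(start.group(1), [])
        elif line.startswith("!") or not line:
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def cleartext_tunnels(config):
    """Return (name, source, destination, mode) for tunnels with no IPsec attached."""
    findings = []
    for name, cmds in interface_blocks(config).items():
        # Heuristic: protection counts only when configured on the tunnel itself.
        protected = any(c.startswith(("tunnel protection ", "crypto map ")) for c in cmds)
        if not name.lower().startswith("tunnel") or protected:
            continue
        opt = {"mode": "gre ip"}  # IOS default when no 'tunnel mode' line is present
        opt.update(re.findall(r"^tunnel (source|destination|mode) (.+)$", "\n".join(cmds), re.M))
        findings.append((name, opt.get("source"), opt.get("destination"), opt["mode"]))
    return findings

if __name__ == "__main__":
    for finding in cleartext_tunnels(SAMPLE):
        print("no IPsec on %s: %s -> %s (%s)" % finding)
```

A crypto map applied on the physical egress interface is not evaluated here, so a tunnel protected that way is still reported and needs a manual look.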