華為路由器配置知識(shí)點(diǎn)、筆試面試

PAGE10頁共PAGE10頁共107頁第華為路由器配置命令表計(jì)算機(jī)命令~~~~~~~~~~PCAlogin:root root用戶password:linux linux#shutdown-hnow ；關(guān)機(jī)init0 ；關(guān)機(jī)#logout ；用戶注銷login ；用戶登錄ifconfig IP地址#ifconfigeth0<ipaddress>netmask<netmask> #ifconfigeht0<ipaddress>netmask<netmask>down #routeaddgw<ip> ；設(shè)置網(wǎng)關(guān)#routedelgwip> ；刪除網(wǎng)關(guān)#routeadddefaultgwip> ；設(shè)置網(wǎng)關(guān)#routedeldefaultgwip> ；刪除網(wǎng)關(guān)#route ；顯示網(wǎng)關(guān)#pingip> ECHO包telnetip> ；遠(yuǎn)程登錄－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－交換機(jī)命令~~~~~~~~~~[Quidway]discur ；顯示當(dāng)前配置[Quidway]displaycurrent-configuration ；顯示當(dāng)前配置[Quidway]displayinterfaces [Quidway]displayvlanall [Quidway]displayversion ；顯示版本信息[Quidway]superpassword [Quidway]sysname ；交換機(jī)命名[Quidway]interfaceethernet0/1 ；進(jìn)入接口視圖[Quidway]interfacevlanx ；進(jìn)入接口視圖[Quidway-Vlan-interfacex]ipaddress ；配置VLAN的IP地址[Quidway]iproute-static ；靜態(tài)路由＝網(wǎng)關(guān)[Quidway]rip ；三層交換支持[Quidway]local-userftp[Quidway]user-interfacevty04 ；進(jìn)入虛擬終端[S3026-ui-vty0-4]authentication-modepassword ；設(shè)置口令模式[S3026-ui-vty0-4]setauthentication-modepasswordsimple222 ；設(shè)置口令[S3026-ui-vty0-4]userprivilegelevel3 ；用戶級(jí)別[Quidway]interfaceethernet0/1 ；進(jìn)入端口模式[Quidway]inte0/1 ；進(jìn)入端口模式[Quidway-Ethernet0/1]duplexhalf|full|auto} ；配置端口工作狀態(tài)[Quidway-Ethernet0/1]speed10|100|auto} ；配置端口工作速率[Quidway-Ethernet0/1]flow-control ；配置端口流控[Quidway-Ethernet0/1]mdi{across|auto|normal} ；配置端口平接扭接[Quidway-Ethernet0/1]portlink-type{trunk|access|hybrid} ；設(shè)置端口工作模式[Quidway-Ethernet0/1]portaccessvlan3 [Quidway-Ethernet0/2]porttrunkpermitvlan{ID|All} 允許的VLAN[Quidway-Ethernet0/3]porttrunkpvidvlan3 設(shè)置trunk端口的PVID[Quidway-Ethernet0/1]undoshutdown ；激活端口[Quidway-Ethernet0/1]shutdown ；關(guān)閉端口[Quidway-Ethernet0/1]quit ；返回[Quidway]vlan3 [Quidway-vlan3]portethernet0/1 VLAN中增加端口[Quidway-vlan3]porte0/1 ；簡(jiǎn)寫方式[Quidway-vlan3]portethernet0/1toethernet0/4 VLAN中增加端口[Quidway-vlan3]porte0/1toe0/4 ；簡(jiǎn)寫方式[Quidway]monitor-port<interface_typeinterface_num> ；指定鏡像端口[Quidway]portmirror<interface_typeinterface_num> 指定被鏡像端口[Quidway]portmirrorint_listobserving-portint_typeint_num；指定鏡像和被鏡像[Quidway]descriptionstring [Quidway]description VLAN描述字符[Quidway]displayvlanvlan_id] ；查看VLAN設(shè)置[Quidway]stpenable|disable} ,默認(rèn)關(guān)閉[Quidway]stppriority4096 ；設(shè)置交換機(jī)的優(yōu)先級(jí)[Quidway]stproot{primary|secondary} ；設(shè)置為根或根的備份[Quidway-Ethernet0/1]stpcost200 ；設(shè)置交換機(jī)端口的花費(fèi)[Quidway]link-aggregatione0/1toe0/4ingress|both ; 端口的聚合[Quidway]undolink-aggregatione0/1|all ; 始端口為通道號(hào)[SwitchA-vlanx]isolate-user-vlanenable [SwitchA]isolate-user-vlan<x>secondary<list> 括的子vlan[Quidway-Ethernet0/2]porthybridpvidvlanid> vlan的pvid[Quidway-Ethernet0/2]porthybridpvid ；刪除vlan的pvid[Quidway-Ethernet0/2]porthybridvlanvlan_id_listuntagged 標(biāo)識(shí)的vlanvlanid與PVIdvlan信息.默認(rèn)PVID=1。所以設(shè)置PVIDvlanid,vlanuntagged.－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－路由器命令~~~~~~~~~~[Quidway]displayversion ；顯示版本信息[Quidway]displaycurrent-configuration ；顯示當(dāng)前配置[Quidway]displayinterfaces ；顯示接口信息[Quidway]displayiproute ；顯示路由信息[Quidway]sysnameaabbcc ；更改主機(jī)名[Quidway]superpasswrod123456 ；設(shè)置口令[Quidway]interfaceserial0 ；進(jìn)入接口[Quidway-serial0]ipaddressip>mask|mask_len> IP地址[Quidway-serial0]undoshutdown ；激活端口[Quidway]link-protocolhdlc hdlc協(xié)議[Quidway]user-interfacevty04[Quidway-ui-vty0-4]authentication-modepassword[Quidway-ui-vty0-4]setauthentication-modepasswordsimple222[Quidway-ui-vty0-4]userprivilegelevel3[Quidway-ui-vty0-4]quit[Quidway]debugginghdlcallserial0 [Quidway]debugginghdlceventserial0 [Quidway]debugginghdlcpacketserial0 靜態(tài)路由：[Quidway]iproute-static<ip><mask>{interfacenumber|nexthop}[value][reject|blackhole]例如：[Quidway]iproute-static16[Quidway]iproute-static[Quidway]iproute-static16Serial2[Quidway]iproute-static動(dòng)態(tài)路由：[Quidway]rip[Quidway]ripwork[Quidway]ripinput[Quidway]ripoutput；設(shè)置動(dòng)態(tài)路由；設(shè)置工作允許；設(shè)置入口允許；設(shè)置出口允許[Quidway-rip]network ；設(shè)置交換路由網(wǎng)絡(luò)[Quidway-rip]networkall ；設(shè)置與所有網(wǎng)絡(luò)交換[Quidway-rip]peerip-address ；[Quidway-rip]summary ；路由聚合[Quidway]ripversion1 1[Quidway]ripversion2multicast 2，多播方式[Quidway-Ethernet0]ripsplit-horizon ；水平分隔idA.B.C.D [Quidway]ospfenable ；啟動(dòng)OSPF協(xié)議[Quidway-ospf]import-routedirect ；引入直聯(lián)路由[Quidway-Serial0]ospfenableareaarea_id> ；配置OSPF區(qū)域標(biāo)準(zhǔn)訪問列表命令格式如下：acl<acl-numbermatch-orderconfig|auto] ；默認(rèn)前者順序匹配。rule[normal|special]{permit|deny}[sourcesource-addrsource-wildcard|any]例：[Quidway]acl10[Quidway-acl-10]rulenormalpermitsource55[Quidway-acl-10]rulenormaldenysourceany配置TCP/UDP協(xié)議的擴(kuò)展訪問列表：rule{normal|special}{permit|deny}{tcp|udp}source{<ipwild>|any}destination<ipwild>|any}[operate]ICMP協(xié)議的擴(kuò)展訪問列表：rule{normal|special}{permit|deny}icmpsource{<ipwild>|any]destination{<ipwild>|any][icmp-code][logging]擴(kuò)展訪問控制列表操作符的含義equalportnumber ；等于greater-thanportnumber ；大于less-thanportnumber ；小于not-equalportnumber ；不等rangeportnumber1portnumber2 ；區(qū)間擴(kuò)展訪問控制列表舉例[Quidway]acl101[Quidway-acl-101]ruledenysouceanydestinationany[Quidway-acl-101]rulepermiticmpsourceanydestinationanyicmp-typeecho[Quidway-acl-101]rulepermiticmpsourceanydestinationanyicmp-typeecho-reply[Quidway]acl102[Quidway-acl-102]rulepermitipsourcedestination[Quidway-acl-102]ruledenyipsourceanydestinationany[Quidway]acl103[Quidway-acl-103]rulepermittcpsourceanydestinationdestination-portequalftp[Quidway-acl-103]rulepermittcpsourceanydestinationdestination-portequalwww[Quidway]firewallenable[Quidway]firewalldefaultpermit|deny[Quidway]inte0[Quidway-Ethernet0]firewallpacket-filter101inbound|outbound地址轉(zhuǎn)換配置舉例[Quidway]firewallenable[Quidway]firewalldefaultpermit[Quidway]acl101 e0[Quidway-acl-101]ruledenyipsourceanydestinationany[Quidway-acl-101]rulepermitipsource0destinationany[Quidway-acl-101]rulepermitipsource0destinationany[Quidway-acl-101]rulepermitipsource0destinationany[Quidway-acl-101]rulepermitipsource0destinationany[Quidway-acl-101]quit[Quidway]inte0[Quidway-Ethernet0]firewallpacket-filter101inbound[Quidway]acl102 1024端口的數(shù)據(jù)包S0[Quidway-acl-102]ruledenyipsourceanydestinationany[Quidway-acl-102]rulepermittcpsource0destination0[Quidway-acl-102]rulepermittcpsourceanydestination0destination-portgreat-than1024[Quidway-acl-102]quit[Quidway]ints0[Quidway-Serial0]firewallpacket-filter102inbound IP。QudaSea0natoubound11neace 是Eayacl11P變換源地址。(nat)：natserverglobal<ip>[port]inside<ip>port[protocol] ;global_port不寫時(shí)使用inside_port[Quidway-Serial0]natserverglobalinsideftptcp[Quidway-Serial0]natserverglobalinsidetelnettcp[Quidway-Serial0]natserverglobalinsidewwwtcp網(wǎng)IP：01~03可以使用。 對(duì)外訪問(原例題)[Quidway]nataddress-group0103pool1 ;建立地址池[Quidway]acl1[Quidway-acl-1]rulepermitsource55 ;指定允許的內(nèi)部網(wǎng)絡(luò)[Quidway-acl-1]ruledenysourceany[Quidway-acl-1]intserial0[Quidway-Serial0]natoutbound1address-grouppool1 IP對(duì)外訪問[Quidway-Serial0]natserverglobal01insideftptcp[Quidway-Serial0]natserverglobal02insidewwwtcp[Quidway-Serial0]natserverglobal028080insidewwwtcp[Quidway-Serial0]natserverglobal03insidesmtpudpPPP設(shè)置：[Quidway-s0]link-protocolppp ;默認(rèn)的協(xié)議PPP驗(yàn)證：pap|chap[Quidway]local-userq2passwordsimple|cipherhello [Quidway]interfaceserial0[Quidway-serial0]pppauthentication-mode{pap|chap}[Quidway-serial0]pppchapuserq1 ;pap時(shí)，沒有此句pap被驗(yàn)方：[Quidway]interfaceserial0 ;2[Quidway-serial0]ppppaplocal-userq2password{simple|cipher}hellochap被驗(yàn)方：[Quidway]interfaceserial0 2[Quidway-serial0]pppchapuserq2 ;自己路由器名[Quidway-serial0]local-userq1password{simple|cipher}hello ;對(duì)方路由器名frame-relay [q1]frswitching[q1]ints1[q1-Serial1]ipaddress1[q1-Serial1]link-protocolfr ;封裝幀中繼協(xié)議[q1-Serial1]frinterface-typedce[q1-Serial1]frdlci100[q1-Serial1]frinarp[q1-Serial1]frmapip2dlci100[q2]ints1[q2-Serial1]ipaddress2[q2-Serial1]link-protocolfr[q2-Serial1]frinterface-typedte[q2-Serial1]frdlci100[q2-Serial1]frinarp[q2-Serial1]frmapip1dlci100幀中繼監(jiān)測(cè)[q1]displayfrlmi-info[]interfacetypenumber][q1]displayfrmap[q1]displayfrpvc-info[serialinterface-number][dlcidlci-number][q1]displayfrdlci-switch[q1]displayfrinterface[q1]resetfrinarp-info[q1]debuggingfrall[interfacetypenumber][q1]debuggingfrarp[interfacetypenumber][q1]debuggingfrevent[interfacetypenumber][q1]debuggingfrlmi[interfacetypenumber]ftp服務(wù)：[Quidway]local-userftppassword{simple|cipher}aaaservice-typeftp[Quidway]ftpserverenable備就差不多功能Cisco命令華為命令全局模式#configureterminal<Quidway>system當(dāng)前配置showrunning-configdisplaycurrent-configuration版本信息showversiondisplayversion顯示vlan信息showvlandisplayvlan接口信息showinterface接口displayinterface接口機(jī)路由器命名hostname主機(jī)名sysname主機(jī)名特權(quán)密碼enablepassword密碼(明文)enablesecret密碼(密文)superpassword密碼接口模式interface接口interface接口進(jìn)入vlan模式interfacevlanvlan號(hào)interfacevlanvlan號(hào)IPipaddress<ip><掩碼>ipaddress<ip><掩碼>配telnet密碼linevty04password密碼loginuser-interfacevty04authentication-modepasswordsetauthentication-modepasswordsimple密碼userprivilegelevel3激活端口noshutdownundoshutdown關(guān)閉端口shutdownshutdown退出exitquit創(chuàng)建VLANvlan號(hào)vlan號(hào)VLAN中增加端口porte0/1porte0/2toe0/4端口加入到VLANswitchportaccessvlanvlan號(hào)portaccessvlanvlan號(hào)端口工作模式switchportmodetrunk|access|dynamicportlink-typetrunk|access|hybrid設(shè)trunk允許的VLANswitchporttrunkallowedvlanremove|addIDporttrunkpermitvlanID|All鏡像端口monitorsession1destinationint接口monitor-port接口被鏡像端口monitorsession1sourceintbothportmirror接口生成樹啟動(dòng)與否spanning-treevlanvlan號(hào)(默認(rèn)開啟)stpenable|disable(默認(rèn)關(guān)閉)端口interfacerangef0/1–link-aggregatione0/1toe0/4的聚合4channel-group1modeoningress|bothundolink-aggregatione0/1|allvlanisolate-user-vlanenablevlan包括的子vlanisolate-user-vlan<x>secondary<vlan-list>路由信息showiproutedisplayiproute綁定HDLC協(xié)議默認(rèn)就是link-protocolhdlc態(tài)路由iproute接口iproute-staticIP/接口啟用RIP路由routerripripripworkripinputripoutput路由器的IDintloopback0ipaddIProuteridA.B.C.D啟動(dòng)OSPF協(xié)議routerospf進(jìn)程號(hào)ospfenable配置OSPF區(qū)域net網(wǎng)絡(luò)號(hào)反向掩碼area<area_id>int接口ospfenablearea<area_id>ACL式access-list列表號(hào)源IP反向掩碼acl<acl-number>[match-orderconfig|auto]rule[normal|special]{permit|deny}[sourcesource-addrsource-wildcard|any]access-list列表號(hào)permit|denyIPIPeq端口號(hào)acl<acl-number>[match-orderconfig|auto]rule{normal|special}{permit|deny}{tcp|udp}source{<ipwild>|any}destinationipwild>|anyeq服務(wù)名PPP設(shè)置encapsulationppplink-protocolpppPap認(rèn)證主認(rèn)證方(config)#usernamepassword密碼(config)#int串口接口(config-if)#pppauthenticationpap被認(rèn)證方(config)#int串口接口(config-if)#ppppapsent-username用戶名password密碼主認(rèn)證方local-user用戶名passwordsimple|cipher}密碼interface串口接口pppauthentication-modepap被認(rèn)證方interface串口接口ppppaplocal-userpassword{simple|cipher}密碼Chap認(rèn)證主認(rèn)證方(config)#username客戶端主機(jī)名password密碼(config)#int串口接口(config-if)#pppauthentication(config-if)#pppchaphostname服務(wù)器主主認(rèn)證方local-userpasswordsimple|cipher}密碼interface串口接口pppauthentication-modechappppchapuser自己主機(jī)名被認(rèn)證方interface串口接口機(jī)名local-userpasswordsimple|cipher}被認(rèn)證方密碼(config)#username服務(wù)器主機(jī)名pppchapuser自己主機(jī)名password密碼(config)#int串口接口(config-if)#pppchaphostname客戶端主機(jī)名IP并激活；在接口上啟用NAT；內(nèi)部接口：ipnat靜insideinterface接口nat外部接口：ipnatoutsidenatserverglobal<ip>[port]inside<ip>port[protocol](3)建立靜態(tài)地址轉(zhuǎn)換(config)#ipnatinsidesourcestaticIPIPIP(1)并激活；建立地址池(2)在接口上啟用address-groupIP動(dòng)NAT；IPpoolNAT1內(nèi)部接口：ipnatinsideACLacl列表號(hào)外部接口：ipnatoutside(3)定義內(nèi)網(wǎng)允許訪問rulepermitsource反向掩碼ACL(config)#access-listruledenysourceany(3)實(shí)現(xiàn)地址轉(zhuǎn)換列表號(hào)int公網(wǎng)接口IPnatoutboundaddress-grouppool反向掩碼1(4)IP地址池(config)#ipnatpoolIPIPnetmask掩碼(5)實(shí)現(xiàn)地址轉(zhuǎn)換(config)#ipnatinsidesourcelistpool地址池名Isatap-6to4隧道R1的配置Router>enaRouter#conftRouter(config)#noipdomain-loRouter(config)#linec0Router(config-line)#exec-t0Router(config-line)#loggsRouter(config-line)#exitRouter(config)#hostR1R1(config)#ipvuR1(config)#intf0/0R1(config-if)#ipaddR1(config-if)#noshutR1(config-if)#exitR1(config)#intf1/0R1(config-if)#ipaddR1(config-if)#noshutR1(config-if)#exitR1(config)#routerospf1R1(config-router)#router-idR1(config-router)#net55a0R1(config-router)#net55a0R1(config-router)#exitR2的配置Router>enaRouter#conftRouter(config)#noipdomain-loRouter(config)#linec0Router(config-line)#exec-t0Router(config-line)#loggsRouter(config-line)#exitRouter(config)#hostR2R2(config)#ipvuR2(config)#intf1/0R2(config-if)#ipaddR2(config-if)#noshutR2(config-if)#exitR2(config)#intf0/0R2(config-if)#ipaddR2(config-if)#noshutR2(config-if)#exitR2(config)#routerospf1R2(config-router)#router-idR2(config-router)#net55a0R2(config-router)#net55a0R2(config-router)#exitR2(config)#inttunnel1R2(config-if)#ipvadd2002:0101:0101:2::1/64R2(config-if)#tunnelsourceR2(config-if)#tunnelmodeipv6ipisatapR2(config-if)#noipvndsuppress-raR2(config-if)#exitR2(config)#inttunnel2R2(config-if)#ipvadd2002:0101:0101::1/64R2(config-if)#tunnelsourceR2(config-if)#tunnelmodeipv6ip6to4R2(config-if)#exitR2(config)#ipvroute2002::/16tunnel2R2(config)#ipvroute::/02002:0101:0102:1::1R2(config)#exitR3的配置Router>enaRouter#conftRouter(config)#noipdomain-loRouter(config)#linec0Router(config-line)#exec-t0Router(config-line)#loggsRouter(config-line)#exitRouter(config)#hostR3R3(config)#ipvunicast-routingR3(config)#intf0/0R3(config-if)#ipaddR3(config-if)#noshutR3(config-if)#exitR3(config)#intlo1R3(config-if)#ipvadd3000::1/64R3(config-if)#noshutR3(config-if)#intlo2R3(config-if)#ipvadd2002:0101:0102:1::1/64R3(config-if)#noshutR3(config-if)#exitR3(config)#routerospf1R3(config-router)#router-idR3(config-router)#net55a0R3(config-router)#exitR3(config)#inttunnel2R3(config-if)#ipvadd2002:0101:0102::1/64R3(config-if)#tunnelsourceR3(config-if)#tunnelmodeipv6ip6to4R3(config-if)#exitR3(config)#ipvroute2002::/16tunnel2R3(config)#exit電腦的配置netshIntipvInatallIsatapSetrouteExit第一節(jié)GreVPNR-AF0:/24

/24

/24

F1：/24R-BF0:/24PC1:/24 PC2:/24一．按照以上拓?fù)湎劝丫W(wǎng)絡(luò)配置好，但不要設(shè)置路由。PC1PC2ping通二．路由器A上配置：1．R-A（config）#interface tunnel1 1的通道2．R-A（config-if）#ip address ip地址。3．R-A（config-if）tunnel source //設(shè)置創(chuàng)建通道使用的真實(shí)源地址。4．R-A（config-if）tunnel destination //設(shè)置創(chuàng)建通道使用的真實(shí)目的地址。5．R-A（config-if）tunnel mode greip gre6．R-A（config）#ip route //使用通道地址作為路由目標(biāo)地址。三．路由器B重復(fù)以上設(shè)置。四．測(cè)試，PC1PC2ping通。7．R-A（config-if）#tunnel key 123456 //給R-A設(shè)置通道key，PC1斷開PC2。8．R-B（config-if）#tunnel key 123456 //給R-B設(shè)置通道key，PC1連通PC2。9．R-A#debug tunnel1 tunnel通信信息，刷新很快，不容易停止，斷網(wǎng)后隔一段時(shí)間會(huì)停下來。10．R-A#show ip interface brief //顯示接口信息R-A#showipinterfacebrieftunnel1***********************Interface IP-Address OK?MethodStatus ProtocolTunnel1

YESmanualup up************************以上顯示配置隧道成功。路由器A配置

第二節(jié)IPSECVPN手工建立安全聯(lián)盟的配置11．R-A（config）#acces-list101permitip5555//用訪問列表定義要保護(hù)的通信12．R-A（config）#cryptoipsectransform-setyqeicesp-desesp-sha-hmac定義名為yqeic的變換集合13．R-A（config）#cryptomapmymap10ipsec-manual//加密映射將IPSec訪問列表和變換集合連接起來，并指定受保護(hù)的通信將發(fā)往何處.14．R-A(config-crypto-map)#matchaddress10115．R-A(config-crypto-map)#settransform-setyqeic16．R-A(config-crypto-map)#setsecurity-associationinboundesp301cipher0123456789abcdefauthenticator0000111122223333444455556666777788889999//手工創(chuàng)建認(rèn)證碼和通信密鑰17．R-A(config-crypto-map)#setsecurity-associationoutboundesp300cipher0123456789abcdefauthenticator555566667777888899990000111122223333444418．R-A(config-crypto-map)#setpeer20．R-A(config-crypto-map)#exit21．R-A(config)#interface fastethernet 122．R-A(config-if)#ipaddress23．R-A(config-if)#cryptomapyqedu//加密映射作用于接口24．R-A(config)#ip router B配置101 permit ip 5555 //用訪問列表定義要保護(hù)的通信26．R-B（config）#cryptoipsectransform-setyqeicesp-desesp-sha-hmac定義名為yqeic的變換集合10ipsec-manual //加密映射將IPSec訪問列表和變換集合連接起來，并指定受保護(hù)的通信將發(fā)往何處.28．R-B(config-crypto-map)#matchaddress10129．R-B(config-crypto-map)#set transform-set yqeic30．R-B(config-crypto-map)#setsecurity-associationoutboundesp301cipher0123456789abcdefauthenticator000011112222333344445555666677778888999931．R-B(config-crypto-map)#setsecurity-associationinboundesp300cipher0123456789abcdefauthenticator555566667777888899990000111122223333444433．R-B(config-crypto-map)#setpeer34．R-B(config-crypto-map)#exit35．R-B(config)#interface fastethernet 136．R-B(config-if）#ipaddress37．R-B(config-if）#crypto map yqedu //加密映射作用于接口38．R-B(config)#ip router 互相ping通，show crypto第三節(jié)IPSECVPN IKE建立安全聯(lián)盟的配置路由器A配置39．R-A(config)#cryptoisakmpenable ike功能40．R-A(config)#cryptoisakmpkeyprewordaddress配置預(yù)共享密鑰yqeic的變換集合42．R-A(config)#cryptomapyqedu2 5 ipsec-isakmp yqedu2的加密映射集43．R-A(config-crypto-map)#matchaddress10144．R-A(config-crypto-map)#set transform-set 45．R-A(config-crypto-map)#set peer 46．R-A(config)#interface fastethernet 147．R-A(config-if）#ipaddress48．R-A(config-if）#crypto map yqedu2 //加密映射作用于接口49．R-A(config)#ip router B配置39．R-B(config)#cryptoisakmpenable ike功能40．R-B(config)#cryptoisakmpkeyprewordaddress配置預(yù)共享密鑰//yqeic的變換集合42．R-B(config)#cryptomapyqedu2 5 ipsec-isakmp yqedu2的加密映射集43．R-B(config-crypto-map)#match address 10144．R-B(config-crypto-map)#set 45．R-B(config-crypto-map)#set peer 46．R-B(config)#interface fastethernet 147．R-B(config-if)#ipaddress48．R-B(config-if)#crypto map yqedu2 //加密映射作用于接口49．R-B(config)#ip router檢驗(yàn) showcryptoisakmpsadestination sourcestateconn-idlifetime(second) QM_IDLE33862693A4AF38E35D28C81 610FB1D642EE5201IKE安全聯(lián)盟RouterA#showcryptoipsecsaInterface:FastEthernet1Cryptomaptag：yqedu2,localaddr //目前的加密映射集名yqedu2，使用本地地址）mediamtu1500localident(addr/mask/prot/port):(/55/0/0))remoteident(addr/mask/prot/port):(/55/0/0))PERMIT //保護(hù)/24和/24之間的通信)current_peer //對(duì)方同位體地址為)#pktsencaps:3,#pktsencrypt:3,#pktsdigest3#pktsdecaps:3,#pktsdecrypt:3,#pktsverify3#senderrors0,#recverrors0包數(shù)，驗(yàn)證包數(shù)，發(fā)送錯(cuò)誤，接收錯(cuò)誤）inboundespsas:（進(jìn)入包處理的安全聯(lián)盟，協(xié)議為ESP）spi:0x43D3C74445127)（spi的值為4445127）transformesp-desesp-md5-hmac（變換集合為esp-des-md5）inusesettings={Tunnel,}（通道模式）satiming:remainingkeylifetime(k/sec):(4607999/3578)(離安全聯(lián)盟的生命周期到期還有：4607999千字節(jié)/3578秒)IVsize:8bytes（IV向量長(zhǎng)度為8）Replaydetectionsupport:Y（抗重播處理）outboundespsas:（外出包處理的安全聯(lián)盟，協(xié)議為ESP）（spi的值為275385850）transformesp-desesp-md5-hmac（變換集合為esp-des-md5）inusesettings={Tunnel,}（通道模式）satiming:remainingkeylifetime(k/sec):(4607999/3577)(離安全聯(lián)盟的生命周期到期還有：4607999千字節(jié)/3577秒)IVsize:8bytes（IV向量長(zhǎng)度為8）Replaydetectionsupport:Y（抗重播處理）從統(tǒng)計(jì)數(shù)據(jù)可以看出，IPSEC已經(jīng)建立起來并有數(shù)據(jù)報(bào)得到保護(hù)。GREOVERIPSECVPN1SA建立,policy,policy并使用之,1失敗49．R-A(config)#cryptoisakmpenable 50．R-A(config)#cryptoisakmppolicy1051．R-A(config-isakmp)#hashmd552．R-A(config-isakmp)#authenticationpre-share53．R-A(config-isakmp)#lifetime3600//50條，不寫其他條目則采用系統(tǒng)默認(rèn)值，如果寫入則要求兩臺(tái)路由器要完全一致。54．R-A(config-isakmp)#crypto isakmp key preword address配置預(yù)共享密鑰，由對(duì)端設(shè)備驗(yàn)證。55．R-A(config)#cryptoipsectransform-setyqeicesp-desesp-sha-hmac ,1SA來交換。56．R-A(config)#cryptomapyqedu3 10 ipsec-isakmp//定義密碼映射57．R-A(config-crypto-map)#setpeer58．R-A(config-crypto-map)#settransform-setyqeic59．R-A(config-crypto-map)matchaddress102 //這里注意引用了訪問列表102,這里對(duì)gre包進(jìn)行加密,而不是如上一篇所做的那樣是對(duì)內(nèi)網(wǎng)地址段,實(shí)際上是去往內(nèi)網(wǎng)2的數(shù)據(jù)包先被封裝到GRE包里,再?gòu)耐饩W(wǎng)接口出去,并被IPSEC加密60．R-A(config)#interface fastethernet 161．R-A(config-if)#ipaddress 62．R-A(config-if)#crypto map yqedu3 加密映射作用于接口63．R-A(config)#interfaceTunnel0 隧道接口64．R-A(config-if)#ipaddress 65．R-A(config-if)#tunnelsource66．R-A(config-if)#tunneldestination67．R-A(config-if)#tunnel mode gre ip68．R-A(config)#router ospf 100 ospf動(dòng)態(tài)路由協(xié)議69．R-A(config-router)#network55area0 可以傳路由協(xié)議,所以我們?cè)谒淼澜涌谏蠁⒂昧寺酚蓞f(xié)議70．R-B(config-router)#network55area171．R-A(config)#access-list102permitgrehosthost //這里的訪問列表我們定義了針對(duì)GREIPSEC加密B的設(shè)置71．R-B(config)#cryptoisakmppolicy1072．R-B(config-isakmp)#hashmd573．R-B(config-isakmp)#authenticationpre-share74．R-B(config-isakmp)#lifetime360074．R-B(config-isakmp)#crypto isakmp key preword address76．R-B(config)#cryptoipsectransform-setyqeicesp-desesp-sha-hmac77．R-B(config)#cryptomapyqedu3 10 ipsec-isakmp78．R-B(config-crypto-map)#setpeer89．R-B(config-crypto-map)#settransform-setyqeic80．R-B(config-crypto-map)#matchaddress10281．R-B(config)#interface fastethernet 182．R-B(config-if)#ipaddress 83．R-B(config-if)#crypto map yqedu3 //加密映射作用于接口84．R-B(config)#interfaceTunnel0 隧道接口85．R-B(config-if)#ipaddress 86．R-B(config-if)#tunnelsource87．R-B(config-if)#tunneldestination88．R-B(config-if)#tunnel mode gre ip89．R-B(config)#router ospf 100 ospf動(dòng)態(tài)路由協(xié)議90．R-B(config-router)#network55area0 可以傳路由協(xié)議,所以我們?cè)谒淼澜涌谏蠁⒂昧寺酚蓞f(xié)議91．R-B(config-router)#network55area19RBcong#accsst102petgehot2.2.22ost2.2.21 GREIPSEC加密測(cè)試過程***********************93．R-B#showinterfacestunnel1 顯示通道是否正常工作Tunnel1isup,lineprotocolisupHardwareisTunnelInternetaddressis/24MTU1500bytes,BW9Kbit,DLY500000usec,rely255/255,load1/255EncapsulationTUNNEL,loopbacknotset,keepaliveset(10sec)Tunnelsource,destinationTunnelprotocol/transportGRE/IP,keydisabled,sequencingdisabledChecksummingofpacketsdisabled, fasttunnelingenabledLastinput00:00:02,output00:00:00,outputhangneverLastclearingof"showinterface"countersneverQueueingstrategy:fifoOutputqueue0/0,0drops;inputqueue0/75,0drops5minuteinputrate0bits/sec,0packets/sec5minuteoutputrate0bits/sec,0packets/sec171packetsinput,13860bytes,0nobufferReceived0broadcasts0inputerrors,0CRC,0frame,0overrun,0ignored,0abort187packetsoutput,15218bytes,0underruns0outputerrors,0collisions,0interfaceresets0outputbufferfailures,0outputbuffersswappedout94．R-B#showiprouteospf ospf是否正常工作OIA/24110/11112]via,00:08:32Tunnel195．在計(jì)算機(jī)上，tracert對(duì)端計(jì)算機(jī)，檢查路由情況96．R-B#showcryptoisakmpsa ike工作狀態(tài)destination source state conn-id lifetime(second)

QM_IDLE 33

824693BB265E048053FF4 425B818E5D0FC11997．R-B#showcryptoipsecsa 工作狀態(tài)Interface:FastEthernet1Cryptomaptag:yqedu3,localaddrmediamtu1500local ident(addr/mask/prot/port):(//47/0))remote ident(addr/mask/prot/port):(//47/0))PERMITcurrentpeer:#pktsencaps:45,#pktsencrypt:45,#pktsdigest45#pktsdecaps:45,#pktsdecrypt:149,#pktsverify149#senderrors0,#recverrors47inboundespsas:spi:0x1403(5123)transform:esp-desesp-sha-hmacinusesettings={Tunnel,}cryptomapyqedu310satiming:remainingkeylifetime(k/sec):(4607976/2423)IVsize:8bytesReplaydetectionsupport:Youtboundespsas:spi:0xDB3(3507)transform:esp-desesp-sha-hmacinusesettings={Tunnel,}cryptomapyqedu310satiming:remainingkeylifetime(k/sec):(4607976/2423)IVsize:8bytesReplaydetectionsupport:YF1cryptipsecisakmp狀態(tài)進(jìn)行對(duì)比。會(huì)發(fā)現(xiàn)沒有9854步

第五節(jié) IPSEC OVER GREVPNR-A(config-isakmp)#crypto isakmp key preword address為9957步R-A(config-crypto-map)#setpeer 100．第62步移至第67步之后R-A(config-if)#crypto map 101．修改第71步R-A(config)#access-list102permitgrehosthostR-A(config)#access-list102permitip5555102.74步R-B(config-isakmp)#crypto isakmp key preword 10378步peer第83步移至第88步之后．R-B(config-if)#crypto map 105．修改第92步R-B(config)#access-list102permitgrehosthostR-B(config)#access-list102permitip5555測(cè)試過程同上一、實(shí)驗(yàn)組網(wǎng)圖如下：

IPv6實(shí)驗(yàn)：GRE隧道S1/0S1/0S1/0RT1 RT2E0/0E0/0Vlan1Vlan2PC1 PC2RT1的串口S1/0和RT2s1/0通過一對(duì)串口線相連，RT1E0/0和PC1連在交換機(jī)的Vlan1內(nèi)，RT2的E0/0和PC2連在交換機(jī)的Vlan2內(nèi)。路由器RT1上各接口地址如下：E0/0地址:1::1/64 S1/0地址：/24 RT1上創(chuàng)建隧道Tunnel0地址：3::1/64路由器RT2上各接口地址如下：E0/0地址:2::1/64 S1/0地址：/24 RT2上創(chuàng)建隧道Tunnel0地址：3::2/64計(jì)算機(jī)PC1的地址和缺省網(wǎng)關(guān)如下：PC1的地址：1::2 PC1的缺省網(wǎng)關(guān)：1::1計(jì)算機(jī)PC1的地址和缺省網(wǎng)關(guān)如下：PC2的地址：2::2 PC1的缺省網(wǎng)關(guān)：2::1要求建立GRE隧道使計(jì)算機(jī)PC1和PC2互通互連。二、實(shí)驗(yàn)步驟：1、按實(shí)驗(yàn)組網(wǎng)圖搭建實(shí)驗(yàn)環(huán)境。對(duì)交換機(jī)劃分vlan。關(guān)鍵命令如下：[Quidway]vlan2 (系統(tǒng)視圖下創(chuàng)建vlan2)[Quidway—vlan2]porte0/9toe0/18 918vlan2）2、分別指定計(jì)算機(jī)PC1和PC2的IPv6地址和缺省IPv6網(wǎng)關(guān)。我們以計(jì)算機(jī)PC1為例，PC1上采用windowsxp操作系統(tǒng)打開命令行窗口cmd”打開命令行窗口，在命令行內(nèi)執(zhí)行命令“ipv6 install”3P6nehesh下下執(zhí)行命令“interface”進(jìn)入到netsh interface>下在netshinterface>下執(zhí)行命令“ipv6”進(jìn)入到netsh interface ipv6>在netsh interface ipv6>下執(zhí)行命令“show 名稱為“本地連接”的接口代表計(jì)算機(jī)上的網(wǎng)5sowinterface”命令，顯示的結(jié)果可能不同。有時(shí)名稱為“本地連接”的接口代表計(jì)算機(jī)上的網(wǎng)卡，其索引可能為“4”或其他數(shù)值。在neshneacep6>ddaes512PC1p地址在netsh interface ipv6>下執(zhí)行命令“add route ::/0 5 機(jī)PC1配路由即該計(jì)算機(jī)的缺省IPv6網(wǎng)關(guān)根據(jù)相同步驟設(shè)置計(jì)算機(jī)PC2IPv6IPv6網(wǎng)關(guān)。3、設(shè)置路由器RT1、路由器RT2各接口的地址。先檢測(cè)路由器VRP3.3IPv63.4IPv6。a用戶視圖下執(zhí)行命令“displayversion”查看路由器VRP版本號(hào)。b如路由器版本號(hào)為34，用戶視圖下執(zhí)行命令“drp6.bn或ar28ipv6demo.bin”。VRP3.3IPv6實(shí)驗(yàn)必VRP3.3。c進(jìn)系視系視下執(zhí)命booe man ar28p6dmo.b“oe 設(shè)置路由器啟動(dòng)后運(yùn)行VRP3.3的ipv6.bin或ar28ipv6demo.binrebootVRP3.3將路由器上運(yùn)行的操作系統(tǒng)設(shè)定為VRP3.3后就可以進(jìn)行各個(gè)接口地址的配置了。路由器RT1IP地址的配置。關(guān)鍵命令如下：<Quidway>sys （由用戶視圖進(jìn)入系統(tǒng)視圖）[Quidway]sys RT1 RT1）[RT1]ipv6 （全局使能IPv6，使路由器轉(zhuǎn)發(fā)IPv6，否則不會(huì)轉(zhuǎn)發(fā)）[RT1]interfacee0/0 （進(jìn)入以太網(wǎng)接口視圖）[RT1—Ethenet0/0]ipv6 addr 1::1 64 e0/0IPv6地址）[RT1—Ethenet0/0]quit （退出以太網(wǎng)接口視圖，返回系統(tǒng)視圖）[RT1]interfaces1/0 （進(jìn)入串口視圖）[RT1—Serial1/0]ip addr 24 IPv4地址）[RT1—Serial1/0]quit （退出串口視圖，返回系統(tǒng)視圖）路由器RT2IP地址的配置。關(guān)鍵命令如下：<Quidway>sys （由用戶視圖進(jìn)入系統(tǒng)視圖）[Quidway]sys RT2 RT2）[RT2]ipv6 （全局使能IPv6，使路由器轉(zhuǎn)發(fā)IPv6，否則不會(huì)轉(zhuǎn)發(fā)）[RT2]interfacee0/0 （進(jìn)入以太網(wǎng)接口視圖）[RT2—Ethenet0/0]ipv6 addr 2::1 64 e0/0IPv6地址）[RT2—Ethenet0/0]quit （退出以太網(wǎng)接口視圖，返回系統(tǒng)視圖）[RT2]interfaces1/0 （進(jìn)入串口視圖）[RT2—Serial1/0]ip addr 24 IPv4地址）[RT2—Serial1/0]quit （退出串口視圖，返回系統(tǒng)視圖）4RT1RT2Tunnel0。RT1上創(chuàng)建GRE隧道Tunnel0，關(guān)鍵命令如下：[RT1]interface tunnel 0 （進(jìn)入隧道接口視圖）[RT1—Tunnel0]source （設(shè)置隧道的入口即隧道的起點(diǎn)）[RT1—Tunnel0]destination （設(shè)置隧道的出口即隧道的終點(diǎn)）[RT1—Tunnel0]tunnel—protocol gre（設(shè)置隧道協(xié)議）[RT1—Tunnel0]ipv6 addr 3::1 64 （設(shè)置隧道接口Tunnel0IPv6地址）[RT1—Tunnel0]quit （退出隧道口視圖，返回系統(tǒng)視圖）RT2上創(chuàng)建GRETunnel0，關(guān)鍵命令如下：[RT2]interface tunnel 0 （進(jìn)入隧道接口視圖）[RT2—Tunnel0]source （設(shè)置隧道的入口即隧道的起點(diǎn)）[RT2—Tunnel0]destination （設(shè)置隧道的出口即隧道的終點(diǎn)）[RT2—Tunnel0]tunnel—protocol gre（設(shè)置隧道協(xié)議）[RT2—Tunnel0]ipv6 addr 3::2 64 （設(shè)置隧道接口Tunnel0IPv6地址）[RT2—Tunnel0]quit （退出隧道口視圖，返回系統(tǒng)視圖）5、分別創(chuàng)建路由器RT1、路由器RT2上的靜態(tài)IPv6路由指導(dǎo)IPv6報(bào)文的發(fā)送[RT1]ipv6 route-static 2:: 64 tunnel0 2::/64的報(bào)文經(jīng)隧Tunnel0傳遞）[RT2]ipv6 route-static 1:: 64 tunnel0 1::/64的報(bào)文經(jīng)隧Tunnel0傳遞）三、測(cè)試，可在PC1的命令行窗口內(nèi)執(zhí)行命令“ping6 進(jìn)行測(cè)試，如能ping通，則證明GREGRE隧道可使計(jì)算機(jī)PC1和PC2互通互連。IPsecVPN配置大全(PDF版本見18樓)轉(zhuǎn)載請(qǐng)注明出處:紅頭發(fā)(akaCCIE#15101)PSKIPsecVPNIOSkR1R1(config)#interfaceloopback0R1(config-if)#ipaddressR1(config-if)#noshutdownR1(config-if)#interfaceserial0/0R1(config-if)#ipaddress 52R1(config-if)#clockrate56000R1(config-if)#noshutdownR1(config-if)#exit定義感興趣流量與路由協(xié)議:R1(config)#access-list100permitip5555R1(config)#iprouteserial0/0PSK(預(yù)共享密鑰):R1(config)#cryptoisakmpenableR1(config)#cryptoisakmpkey91labaddressIKER1(config)#cryptoisakmppolicy10R1(config-isakmp)#encryptionaes128 加密/R1(config-isakmp)#hashsha 默認(rèn)是SHA-1/R1(config-isakmp)#authenticationpre-shareR1(config-isakmp)#group2 768DH1/R1(config-isakmp)#lifetime3600 R1(config-isakmp)#exit(transformset):R1(config)#cryptoipsectransform-setttesp-aes128esp-sha-hmacR1(cfg-crypto-trans)#modetunnelR1(cfg-crypto-trans)#exitcryptomapR1(config)#cryptomapcisco10ipsec-isakmpR1(config-crypto-map)#matchaddress100peer map等體地址/R1(config-crypto-map)#settransform-settt cryptomapIPsecR1(config-crypto-map)#exitR1(config)#interfaceserial0/0R1(config-if)#cryptomapcisco*Mar 100:08:31.131:%CRYPTO-6-ISAKMP_ON_OFF:ISAKMPisONR1(config-if)#endR1#R2!!cryptoisakmppolicy10encraesauthenticationpre-sharegroup2cryptoisakmpkey91labaddress!!cryptoipsectransform-setttesp-aesesp-sha-hmac!cryptomapcisco10ipsec-isakmpsetpeersettransform-setttmatchaddress100!!!!interfaceLoopback0ipaddress!interfaceSerial0/0ipaddress52cryptomapcisco!iprouteSerial0/0!access-list100permitip5555PSKIPsecVPNR1R1(config)#interfaceloopback0R1(config-if)#ipaddressR1(config-if)#noshutdownR1(config-if)#interfaceserial0/0R1(config-if)#ipaddress 52R1(config-if)#clockrate56000R1(config-if)#noshutdownR1(config-if)#exit定義感興趣流量與路由協(xié)議:R1(config)#access-list100permitip5555R1(config)#iprouteserial0/0PSK(預(yù)共享密鑰),采用積極模式:R1(config)#cryptoisakmpenableR1(config)#cryptoisakmppeeraddressR1(config-isakmp-peer)#set aggressive-mode R1(config-isakmp-peer)#setaggressive-modepassword91labIKER1(config)#cryptoisakmppolicy10R1(config-isakmp)#encryptionaes128

ipv4-addressR1(config-isakmp)#hashsha R1(config-isakmp)#authenticationpre-shareR1(config-isakmp)#group2 76