2022-09-17
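Simulating OSPF + GRE + IPsec in eNSP for encrypted, highly available business data transmission
Background: 1. In the diagram, the left side of R3/R4 is the internal network of customer A (a bank), and the right side of R5 is the internal network of customer B (a regulatory bureau). The topology simulates encrypted, highly available transmission of business data between customers A and B.
2. R3/R4 each reach R5 over a carrier leased line, one from Telecom and one from Mobile. IPsec, GRE and OSPF on top of these lines provide data encryption and path backup. Path priority from highest to lowest: Telecom encrypted tunnel, Mobile encrypted tunnel, Telecom leased line, Mobile leased line.
Approach: 1. R1/R2 are each configured with a VRRP ID and a virtual IP; the priority value distinguishes master from backup, and the customer defaults to R1 having priority.
2. R3/R4 and R5 are in the same OSPF area. Within the area, R5 advertises its 2 GRE tunnels and the addresses of its links to R3/R4, and assigns them different priority values; R3/R4 each advertise 1 GRE tunnel, the address of the link to R5, and the address toward the other intermediate router.
3. The directly connected routes between R1/R2 and R3/R4 are learned by R5 through route import or redistribution.
4. R3/R4 probe 2.1.1.2 and 2.1.1.3 respectively to trigger path switchover.
5. OSPF is at the base: it is established over the GRE tunnels, GRE is established over IPsec, and IPsec is established over the public addresses, so that data is ESP-encapsulated.
Configuration: 1. R1: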
interface GigabitEthernet0/0/0
ip address 35.66.6.1 255.255.255.252
interface GigabitEthernet0/0/1
ip address 2.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 2.1.1.254
vrrp vrid 1 priority 140
ip route-static 0.0.0.0 0.0.0.0 35.66.6.2
ip route-static 10.88.66.0 255.255.255.0 2.1.1.1
2. R2:
interface GigabitEthernet0/0/0
ip address 2.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 2.1.1.254
interface GigabitEthernet0/0/1
ip address 35.66.6.5 255.255.255.252
ip route-static 0.0.0.0 0.0.0.0 35.66.6.6
ip route-static 10.88.66.0 255.255.255.0 2.1.1.1
3. R3:
acl number 3000
rule 15 permit ip source 10.88.66.0 0.0.0.255 destination 11.1.1.0 0.0.0.255
ipsec proposal aa
ike peer bb v2
pre-shared-key cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
ipsec profile cc
ike-peer bb
proposal aa
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type
interface GigabitEthernet0/0/0
ip address 35.66.6.2 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 10.254.31.209 255.255.255.252
ospf cost 50
interface GigabitEthernet0/0/2
ip address 192.168.1.9 255.255.255.252
interface Tunnel0/0/0
description test
ip address 50.1.1.1 255.255.255.0
tunnel-protocol gre
source 10.254.31.209
destination 10.254.31.210
ospf cost 1
ipsec profile cc
ospf 1 router-id 1.1.1.1
import-route static
area 0.0.0.0
network 10.254.31.208 0.0.0.3
network 35.66.6.0 0.0.0.3
network 50.1.1.0 0.0.0.255
network 192.168.1.8 0.0.0.3
ip route-static 2.1.1.2 255.255.255.255 35.66.6.1
ip route-static 10.88.66.0 255.255.255.0 35.66.6.1 track nqa a b
nqa test-instance a b
test-type icmp
destination-address ipv4 2.1.1.2
frequency 3
start now
4. R4 is similar.
5. R5:
The tunnel (IPsec) part is not shown again.
interface GigabitEthernet0/0/0
ip address 10.254.31.210 255.255.255.252
ospf cost 50
interface GigabitEthernet0/0/1
ip address 10.254.31.214 255.255.255.252
ospf cost 60
interface GigabitEthernet0/0/2
ip address 11.1.1.1 255.255.255.0
interface LoopBack0
ip address 3.3.3.3 255.255.255.0
interface Tunnel0/0/0
ip address 50.1.1.2 255.255.255.0
tunnel-protocol gre
source 10.254.31.210
destination 10.254.31.209
ospf cost 1
ipsec profile cc
interface Tunnel0/0/2
ip address 50.2.1.2 255.255.255.0
tunnel-protocol gre
source 10.254.31.214
destination 10.254.31.213
ospf cost 10
ipsec profile ff
ospf 1
import-route direct
import-route static
area 0.0.0.0
network 10.254.31.208 0.0.0.3
network 10.254.31.212 0.0.0.3
network 11.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
network 50.2.1.0 0.0.0.255
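The path priority described in the background follows from the `ospf cost` values on R5, and only the tunnel interfaces carry an `ipsec profile`. The following audit script is an added example, not part of the original post: it parses a constructed copy of R5's uplink lines, orders the OSPF paths by cost, and lists the ones that would carry traffic without ESP if both tunnels go down. The function names `audit_paths` and `plaintext_fallbacks` are hypothetical.

```python
import ipaddress
import re

# Constructed sample: R5's uplink and OSPF lines as listed on this page.
R5_CONFIG = """
interface GigabitEthernet0/0/0
ip address 10.254.31.210 255.255.255.252
ospf cost 50
interface GigabitEthernet0/0/1
ip address 10.254.31.214 255.255.255.252
ospf cost 60
interface Tunnel0/0/0
ip address 50.1.1.2 255.255.255.0
ospf cost 1
ipsec profile cc
interface Tunnel0/0/2
ip address 50.2.1.2 255.255.255.0
ospf cost 10
ipsec profile ff
ospf 1
network 10.254.31.208 0.0.0.3
network 10.254.31.212 0.0.0.3
network 50.1.1.0 0.0.0.255
network 50.2.1.0 0.0.0.255
"""

def audit_paths(config):
    """Return [(interface, ospf_cost, has_ipsec)] for OSPF uplinks, preferred path first."""
    ifaces, networks, cur = {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"ip": None, "cost": None, "ipsec": False})
        elif re.match(r"ospf \d+", line):  # the OSPF process block ends the interface
            cur = None
        elif m := re.match(r"network (\S+) (\S+)", line):
            # VRP writes wildcard masks; ipaddress accepts host-mask notation
            networks.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif cur is not None and (m := re.match(r"ip address (\S+)", line)):
            cur["ip"] = ipaddress.ip_address(m[1])
        elif cur is not None and (m := re.match(r"ospf cost (\d+)", line)):
            cur["cost"] = int(m[1])
        elif cur is not None and line.startswith("ipsec profile"):
            cur["ipsec"] = True
    paths = [(n, i["cost"], i["ipsec"]) for n, i in ifaces.items()
             if i["cost"] is not None and i["ip"] and any(i["ip"] in net for net in networks)]
    return sorted(paths, key=lambda p: p[1])

def plaintext_fallbacks(config):
    return [n for n, _, enc in audit_paths(config) if not enc]  # paths with no ESP
```

On this configuration the two leased-line interfaces are reported as plaintext fallbacks, which matches the third and fourth priorities in the background section.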