http://www.51chongdian.net/bbs/viewthread.php?tid=18105&extra=page%3D1&frombbs=1
We currently connect to our parent company over a 2M fiber circuit as the primary link, with a 2M ADSL link as backup; the Internet exit is at the parent company. For work reasons we need to enable VPN plus HTTP and FTP services on the router, and the idea is to do NAT on the ADSL port, but we don't know how to configure it. Please give us some pointers.
Also, with the configuration below everything works fine over the primary link, but when the backup link is in use we can only reach the parent company and cannot get to the Internet. Is that normal?
Cisco 2691 configuration listing
2691-1#sh run
Building configuration...
Current configuration : 7023 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2691-1
!
boot-start-marker
boot-end-marker
!
enable secret level
enable password
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip vrf caiwu
rd 65021:7352
route-target export 65021:7352
route-target import 65021:7352
route-target import 65021:1002
route-target import 65021:7357
route-target import 65021:7358
route-target import 65021:1007
!
ip vrf fuwuqi
rd 65021:7357
route-target export 65021:7357
route-target import 65021:1007
route-target import 65021:7357
route-target import 65021:7351
route-target import 65021:7352
route-target import 65021:7353
route-target import 65021:7354
route-target import 65021:7358
!
ip vrf lingdao
rd 65021:7358
route-target export 65021:7358
route-target import 65021:1008
route-target import 65021:7358
route-target import 65021:7351
route-target import 65021:7352
route-target import 65021:7353
route-target import 65021:7354
route-target import 65021:1007
route-target import 65021:7357
!
ip vrf qita
rd 65021:7354
route-target export 65021:7354
route-target import 65021:7354
route-target import 65021:1004
route-target import 65021:7357
route-target import 65021:7358
route-target import 65021:1007
!
ip vrf shipin
rd 65021:1005
route-target export 65021:1005
route-target import 65021:1005
route-target import 65021:1007
!
ip vrf wangguan
rd 65021:1006
route-target export 65021:1006
route-target import 65021:1006
route-target import 65021:1007
route-target import 65021:7357
!
ip vrf yanye
rd 65021:7353
route-target export 65021:7353
route-target import 65021:7353
route-target import 65021:1003
route-target import 65021:7357
route-target import 65021:7358
route-target import 65021:1007
!
ip vrf yingxiao
rd 65021:7351
route-target export 65021:7351
route-target import 65021:7351
route-target import 65021:1001
route-target import 65021:7357
route-target import 65021:7358
route-target import 65021:1007
!
ip audit po max-events 100
mpls label protocol ldp
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp enable
!
!
!
!
interface Tunnel0
ip address 10.74.191.74 255.255.255.252
tag-switching mtu 1520
tag-switching ip
tunnel source FastEthernet0/0
tunnel destination 222.242.*.* (parent company's public IP)
!
interface Loopback0
ip address 10.72.61.102 255.255.255.255
!
interface FastEthernet0/0
description connect to ADSL modem
ip address 222.242.*.* 255.255.*.* (the telecom provider supplies only one fixed IP)
duplex auto
speed auto
!
interface FastEthernet0/1
description connect to LAN
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.10
description connect to yingxiao vlan
encapsulation dot1Q 10
ip vrf forwarding yingxiao
ip address 10.74.171.126 255.255.255.128
!
interface FastEthernet0/1.20
description connect to caiwu vlan
encapsulation dot1Q 20
ip vrf forwarding caiwu
ip address 10.74.171.190 255.255.255.192
!
interface FastEthernet0/1.30
description connect to yanye vlan
encapsulation dot1Q 30
ip vrf forwarding yanye
ip address 10.74.171.254 255.255.255.192
!
interface FastEthernet0/1.40
description connect to qita vlan
encapsulation dot1Q 40
ip vrf forwarding qita
ip address 10.74.172.126 255.255.255.128
!
interface FastEthernet0/1.50
description connect to shipin vlan
encapsulation dot1Q 50
ip vrf forwarding shipin
ip address 10.74.172.222 255.255.255.224
!
interface FastEthernet0/1.60
description connect to wangguan vlan
encapsulation dot1Q 60
ip vrf forwarding wangguan
ip address 10.74.172.190 255.255.255.224
!
interface FastEthernet0/1.70
description connect to fuwuqi vlan
encapsulation dot1Q 70
ip vrf forwarding fuwuqi
ip address 10.74.172.158 255.255.255.224
!
interface FastEthernet0/1.80
description connect to lingdao vlan
encapsulation dot1Q 80
ip vrf forwarding lingdao
ip address 10.74.172.254 255.255.255.224
!
interface FastEthernet0/1.208
encapsulation dot1Q 208
ip address 10.74.191.6 255.255.255.252
ip ospf network point-to-point
mpls label protocol ldp
tag-switching mtu 1520
tag-switching ip
!
interface Dialer1
no ip address
shutdown
!
router ospf 100
log-adjacency-changes
network 10.72.61.102 0.0.0.0 area 735
network 10.74.191.6 0.0.0.0 area 735
network 10.74.191.74 0.0.0.0 area 735
!
router bgp 65021
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.72.61.97 remote-as 65021
neighbor 10.72.61.97 update-source Loopback0
neighbor 10.72.61.98 remote-as 65021
neighbor 10.72.61.98 update-source Loopback0
!
address-family vpnv4
neighbor 10.72.61.97 activate
neighbor 10.72.61.97 route-reflector-client
neighbor 10.72.61.97 send-community both
neighbor 10.72.61.98 activate
neighbor 10.72.61.98 route-reflector-client
neighbor 10.72.61.98 send-community both
exit-address-family
!
address-family ipv4 vrf yingxiao
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf yanye
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf wangguan
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf shipin
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf qita
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf lingdao
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf fuwuqi
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf caiwu
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
ip classless
ip route 0.0.0.0 0.0.0.0 222.242.129.161
ip route 10.74.171.0 255.255.255.128 FastEthernet0/1.10
ip route 10.74.171.128 255.255.255.192 FastEthernet0/1.20
ip route 10.74.171.192 255.255.255.192 FastEthernet0/1.30
ip route 10.74.172.0 255.255.255.128 FastEthernet0/1.40
ip route 10.74.172.128 255.255.255.224 FastEthernet0/1.70
ip route 10.74.172.160 255.255.255.224 FastEthernet0/1.60
ip route 10.74.172.192 255.255.255.224 FastEthernet0/1.50
ip route 10.74.172.224 255.255.255.224 FastEthernet0/1.80
!
ip http server
no ip http secure-server
!
!
snmp-server community yancao RO
snmp-server community tuowei RW
snmp-server enable traps tty
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
privilege exec level 7 show ip route
privilege exec level 7 show ip
privilege exec level 7 show interfaces
privilege exec level 7 show running-config
privilege exec level 7 show
!
line con 0
line aux 0
line vty 0 4
password
login
!
!
end
But this configuration has problems: the interface configuration is a bit messy, and it is incomplete.
All traffic to headquarters is GRE-encapsulated, then MPLS-encapsulated, and only inside that is the real IP header.
The routes to headquarters are IGP routes established over the GRE tunnel, and BGP is then established on top of the IGP.
For example, when your local 10.1.1.1 talks to 10.2.1.1 at headquarters, the route to the destination points out the tunnel interface, so an outer header is added whose source is your local public address and whose destination is the head office's public address; MPLS runs on the tunnel, so at that point a label is pushed as well, and the packet is carried over MPLS.
Only routes to headquarters go through the tunnel. So the VPN you add later is nothing more than an IPsec header placed on top of the original header.
GRE header -- MPLS header -- IPsec header -- real data header
As for the HTTP service, there is internal HTTP and external HTTP. Traffic between headquarters and the branches all goes over GRE, and no NAT is needed for that; it is just like your current communication, where private addresses talk to each other without NAT. External HTTP does not go over the tunnel and has nothing to do with it: handle NAT the normal way and do a port mapping.
Can you access the Internet now? Judging from this configuration you cannot, unless headquarters provides it. Not a single VRF has a default route to the Internet, and by default a route lookup inside a VRF cannot find the Internet route in the global routing table.
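To make the reply concrete, here is an added IOS configuration fragment that is not part of the original post or the reply. It shows what the responder describes: a default route inside a VRF resolved in the global table, VRF-aware NAT overload behind the single public address on the ADSL interface, and static port mappings for a server in the fuwuqi VRF. Addresses are taken from the posted configuration except for the following assumptions: the published server is 10.74.172.130, the ISP gateway is the 222.242.129.161 already used by the global default route, the wangguan VLAN (10.74.172.160/27) is the management network, and the IOS image on the 2691 supports the `vrf` keyword on NAT statements. The redacted `*` octets are not filled in.

```cisco
! --- Added example: per-VRF Internet breakout on the ADSL port ---
! Assumed values (not in the original post): server 10.74.172.130,
! ISP gateway 222.242.129.161, management VLAN = wangguan 10.74.172.160/27.
!
! 1. Default route inside the VRF whose next hop is resolved in the
!    global routing table ("global"). Repeat for each VRF that is
!    allowed to reach the Internet directly.
ip route vrf fuwuqi 0.0.0.0 0.0.0.0 222.242.129.161 global
ip route vrf yingxiao 0.0.0.0 0.0.0.0 222.242.129.161 global
!
! 2. Return path: the global table must know how to get back into the
!    VRF. The posted config already has these routes pointing at the
!    VRF sub-interfaces; one is repeated here only for completeness.
ip route 10.74.172.128 255.255.255.224 FastEthernet0/1.70
!
! 3. Translate only traffic that is really leaving for the Internet.
!    Anything bound for the 10/8 corporate space is excluded so it keeps
!    following the MPLS-over-GRE path to headquarters untranslated.
ip access-list extended NAT-FUWUQI
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip 10.74.172.128 0.0.0.31 any
!
! 4. VRF-aware PAT behind the single fixed public address on Fa0/0.
!    The GRE tunnel is sourced by the router itself, so it is not
!    subject to this inside->outside translation.
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1.70
 ip nat inside
ip nat inside source list NAT-FUWUQI interface FastEthernet0/0 vrf fuwuqi overload
!
! 5. Port mappings for the HTTP and FTP server published from fuwuqi.
ip nat inside source static tcp 10.74.172.130 80 interface FastEthernet0/0 80 vrf fuwuqi
ip nat inside source static tcp 10.74.172.130 21 interface FastEthernet0/0 21 vrf fuwuqi
!
! 6. Once Fa0/0 carries a routable address, every service the router
!    itself listens on (ip http server, SNMP, VTY) is reachable from the
!    Internet. Limit them to the management VLAN, and replace the SNMP
!    communities, which are now public knowledge from this post.
access-list 10 permit 10.74.172.160 0.0.0.31
ip http access-class 10
no snmp-server community tuowei RW
no snmp-server community yancao RO
snmp-server community <new-read-only-string> RO 10
line vty 0 4
 access-class 10 in vrf-also
```

Two points worth checking before deploying. First, a static default inside the VRF has administrative distance 1, so it will always win over a default learned from headquarters through MP-BGP (distance 200); if the ADSL breakout is meant only as a fallback, give the static route a distance above 200 (`... global 210`), keeping in mind that it only takes over if the head-office default actually disappears from the VRF table. Second, `ip nat outside` on the tunnel source interface means the translation rules are evaluated for everything leaving Fa0/0, so keep the `deny 10.0.0.0/8` line in the NAT ACL and verify with `show ip nat translations` that only Internet-bound flows are being translated.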