2007-06-24 20:48:22




    In this MPLS VPN lab, R1 and R5 are CE-1 and CE-2; R2, R3 and R4 form the MPLS core network




I. Configuration breakdown
1. Basic configuration
R1 is CE-1, a VPNA customer
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip ospf network point-to-point
!        
interface Serial1/0
 ip address 12.1.1.1 255.255.255.0
!
router ospf 2
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 12.1.1.0 0.0.0.255 area 0
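// We run the dynamic routing protocol OSPF between the two VPN customer sites, which speeds up network convergence and keeps the network safe and reliable
R5 is CE-2, a VPNA customer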
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
 ip ospf network point-to-point
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 45.1.1.5 255.255.255.0
!
router ospf 2
 network 5.5.5.0 0.0.0.255 area 0
 network 45.1.1.0 0.0.0.255 area 0
R2 is PE-1, an edge access device of the MPLS VPN core network
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
 ip address 12.1.1.2 255.255.255.0
!
interface Serial1/1
 ip address 23.1.1.2 255.255.255.0
!
router ospf 1
 router-id 2.2.2.2
 network 2.2.2.0 0.0.0.255 area 0
 network 23.1.1.0 0.0.0.255 area 0
R4 is PE-2, an edge access device of the MPLS VPN core network
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface Serial1/0
 ip address 34.1.1.4 255.255.255.0
!
interface Serial1/1
 ip address 45.1.1.4 255.255.255.0
router ospf 1
 router-id 4.4.4.4
 network 4.4.4.0 0.0.0.255 area 0
 network 34.1.1.0 0.0.0.255 area 0
R3 is the P router, an MPLS VPN core device
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!        
interface Serial1/0
 ip address 34.1.1.3 255.255.255.0
!
interface Serial1/1
 ip address 23.1.1.3 255.255.255.0
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.0 0.0.0.255 area 0
 network 23.1.1.0 0.0.0.255 area 0
 network 34.1.1.0 0.0.0.255 area 0
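// The MPLS core runs OSPF. In an MPLS IP metropolitan area network IS-IS can also be used, because an IS-IS network scales better
 
2. MPLS network configuration
  R2-R3-R4 form the MPLS network, so MPLS IP has to be enabled on them, and only on the interfaces that belong to the MPLS IP network
Configuration on R2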
ip cef
int s1/1
mpls label protocol ldp
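mpls ip
// mpls ip enables MPLS on the interface
// mpls label protocol ldp | tdp | both
// LDP is the international standard and the most widely used today; TDP is Cisco's proprietary protocol; both means the MPLS network can support both protocols
Configuration on R3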
ip cef
int s1/1
mpls label protocol ldp
mpls ip
int s1/0
mpls label protocol ldp
mpls ip
Configuration on R4
int s1/0
mpls label protocol ldp
mpls ip
R3#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop   
tag    tag or VC   or Tunnel Id      switched   interface             
18     Pop tag     2.2.2.0/24        4680       Se1/1      point2point 
19     Pop tag     4.4.4.0/24        5475       Se1/0      point2point
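// The P router forwards on labels. 23.1.1.0/24 and 34.1.1.0/24 are directly connected networks, so no label is imposed for them. A /32 host route would not be tagged either, which is why ip ospf network point-to-point is used on the loopback interfaces of R2 and R4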

R2#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop   
tag    tag or VC   or Tunnel Id      switched   interface             
16     Pop tag     34.1.1.0/24       0          Se1/1      point2point 
17     Untagged    1.1.1.0/24[V]     2080       Se1/0      point2point 
18     Aggregate   12.1.1.0/24[V]    0                                 
19     Pop tag     3.3.3.0/24        0          Se1/1      point2point 
20     19          4.4.4.0/24        0          Se1/1      point2point 
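// This is the MPLS forwarding table on R2 after the whole design has been configured. The LFIB is built from the FIB plus the LIB.
Once the configuration is complete, we can see the MPLS neighbor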
R2#sh mpls ldp nei
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 3.3.3.3.30806 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 93/92; Downstream
        Up time: 01:03:43
        LDP discovery sources:
          Serial1/1, Src IP addr: 23.1.1.3
        Addresses bound to peer LDP Ident:
          34.1.1.3        23.1.1.3        3.3.3.3
// As shown above, the session runs over a TCP connection; the local port is 646

3. Configure BGP between PE-1 and PE-2
Configuration on R2
router bgp 1
 bgp router-id 2.2.2.2
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
Configuration on R4
router bgp 1
 bgp router-id 4.4.4.4
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
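// Establish the BGP peering, using the loopback interface as the update source
After configuration, check whether the BGP neighbor has come up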
R2#sh ip bgp nei
BGP neighbor is 4.4.4.4,  remote AS 1, internal link
  BGP version 4, remote router ID 4.4.4.4
  BGP state = Established, up for 01:01:55
  Last read 00:00:04, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
4. Enable MP-BGP on the BGP routers. BGP supports IPv4 unicast by default, so we make it carry VPNv4 addresses as well
Configuration on R2
router bgp 1
no bgp default ipv4-unicast
address-family vpnv4
neighbor 4.4.4.4 activate
Configuration on R4
router bgp 1
no bgp default ipv4-unicast
address-family vpnv4
neighbor 2.2.2.2 activate
After configuration, check with show ip bgp nei
R2#sh ip bgp nei
BGP neighbor is 4.4.4.4,  remote AS 1, internal link
  BGP version 4, remote router ID 4.4.4.4
  BGP state = Established, up for 01:01:55
  Last read 00:00:04, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
    Address family VPNv4 Unicast: advertised and received
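// The VPNv4 line above (shown in red in the original post) shows that VPNv4 addresses can be sent and received
 
5. Create the VPN routing and forwarding table on PE-1 and PE-2, i.e. ip vrf
Configuration on R2 and R4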
ip vrf vpna
 rd 1:100
 route-target export 1:100
 route-target import 1:100
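// rd is used to tell VPN customers apart when they use the same private addresses. route-target export | import exports or imports
// the VRF routes when two different VPN customer sites need to communicate.
Put the networks of the customer-facing interfaces of PE-1 and PE-2 into the VRF routing table

Configuration on R2 and R4
// on R2
router ospf 2 vrf vpna
 network 12.1.1.0 0.0.0.255 area 0
// on R4
router ospf 2 vrf vpna
 network 45.1.1.0 0.0.0.255 area 0
Apply the VRF to the port that faces the VPN customer
On R2 and R4 these are S1/0 and S1/1 respectively
// Serial1/0 on R2, Serial1/1 on R4
interface Serial1/0
 ip vrf forwarding vpna
The IP address of the interface has to be configured again afterwards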
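
How the rd and route-target values of step 5 act on the routes R2 and R4 exchange, as an added Python example (not code from the original post). vpna and its prefixes come from the page; the second customer vpnb, its rd and route-target 1:200 and the cross_vrf_imports audit helper are hypothetical, and the model ignores labels and best-path selection.

```python
"""Toy model of RD / route-target handling between the two PEs (R2 and R4)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                    # route distinguisher prepended to the prefix
    prefix: str                # customer IPv4 prefix
    next_hop: str              # loopback of the advertising PE
    route_targets: frozenset   # extended communities attached on export
    origin_vrf: str            # kept only so the audit can name the source

    @property
    def nlri(self):
        # RD + prefix keeps overlapping customer prefixes distinct in MP-BGP
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    prefixes: tuple = ()       # routes redistributed from the CE into BGP
    imported: list = field(default_factory=list)


class PE:
    def __init__(self, name, loopback):
        self.name, self.loopback, self.vrfs = name, loopback, {}

    def add_vrf(self, name, rd, export_rts, import_rts, prefixes=()):
        self.vrfs[name] = Vrf(name, rd, frozenset(export_rts),
                              frozenset(import_rts), tuple(prefixes))

    def export_routes(self):
        """What this PE advertises to its peer in address-family vpnv4."""
        return [Vpnv4Route(v.rd, p, self.loopback, v.export_rts, v.name)
                for v in self.vrfs.values() for p in v.prefixes]

    def import_routes(self, routes):
        """Install a received route in every VRF whose import RT matches."""
        for v in self.vrfs.values():
            v.imported = [r for r in routes if r.route_targets & v.import_rts]


def build(vpnb_export_rts):
    r2, r4 = PE("R2", "2.2.2.2"), PE("R4", "4.4.4.4")
    # vpna as configured on the page: rd 1:100, import/export 1:100
    r2.add_vrf("vpna", "1:100", {"1:100"}, {"1:100"},
               ["1.1.1.0/24", "12.1.1.0/24"])
    r4.add_vrf("vpna", "1:100", {"1:100"}, {"1:100"},
               ["5.5.5.0/24", "45.1.1.0/24"])
    # hypothetical second customer behind R4 reusing 5.5.5.0/24
    r4.add_vrf("vpnb", "1:200", vpnb_export_rts, {"1:200"}, ["5.5.5.0/24"])
    r2.import_routes(r4.export_routes())
    r4.import_routes(r2.export_routes())
    return r2, r4


def cross_vrf_imports(pe):
    """Audit: routes a VRF imported that came from a differently named VRF."""
    return sorted((v.name, r.origin_vrf, r.nlri)
                  for v in pe.vrfs.values() for r in v.imported
                  if r.origin_vrf != v.name)


if __name__ == "__main__":
    r2, r4 = build({"1:200"})
    print("R4 advertises:", [r.nlri for r in r4.export_routes()])
    print("R2 vpna imports:", [r.nlri for r in r2.vrfs["vpna"].imported])
    print("leaks:", cross_vrf_imports(r2))
    # Misconfiguration: vpnb also exports vpna's route-target
    r2_bad, _ = build({"1:200", "1:100"})
    print("leaks after bad export:", cross_vrf_imports(r2_bad))
```

The rd only keeps the two 5.5.5.0/24 routes apart in the VPNv4 table; it is the import route-target that decides which VRF receives them, so a single wrong export value is enough to place another customer's route in vpna.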
 
6. Redistribute between MP-BGP and the VRF routing table; the VRF information is carried across the MPLS core by MP-BGP
Configuration on R2 and R4
router ospf 2 vrf vpna
 redistribute bgp 1 metric 10 subnets
router bgp 1
address-family ipv4 vrf vpna
redistribute ospf 2 metric 10
After configuration, run show ip route on R1 and R5
R1#sh ip rou
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     5.0.0.0/24 is subnetted, 1 subnets
O IA    5.5.5.0 [110/74] via 12.1.1.2, 01:12:29, Serial1/0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial1/0
     45.0.0.0/24 is subnetted, 1 subnets
O IA    45.1.1.0 [110/74] via 12.1.1.2, 01:12:29, Serial1/0
// The routes of the remote VPNA site have been learned successfully
R2#sh ip rou vrf vpna
     1.0.0.0/24 is subnetted, 1 subnets
O       1.1.1.0 [110/65] via 12.1.1.1, 01:16:21, Serial1/0
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 [200/10] via 4.4.4.4, 01:09:23
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial1/0
     45.0.0.0/24 is subnetted, 1 subnets
B       45.1.1.0 [200/0] via 4.4.4.4, 01:13:16
// As shown, the VRF routes are carried by BGP
R2#ping vrf vpna 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 288/592/1476 ms

R1#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 288/572/1312 ms
// OK, the two VPN customer sites can ping each other

II. Full configuration
R1#sh run
Building configuration...
Current configuration : 1020 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!        
interface Serial1/0
 ip address 12.1.1.1 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 2
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 12.1.1.0 0.0.0.255 area 0
!
ip classless
no ip http server
no ip http secure-server

gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
 
R2#sh run
Building configuration...
Current configuration : 1816 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip vrf vpna
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!        
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
 ip ospf network point-to-point
!        
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip vrf forwarding vpna
 ip address 12.1.1.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 23.1.1.2 255.255.255.0
 mpls label protocol ldp
 tag-switching ip
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.0 0.0.0.255 area 0
 network 23.1.1.0 0.0.0.255 area 0
!
router ospf 2 vrf vpna
 log-adjacency-changes
 redistribute bgp 1 metric 10 subnets
 network 12.1.1.0 0.0.0.255 area 0
!
router bgp 1
 bgp router-id 2.2.2.2
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
 neighbor 4.4.4.4 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family vpnv4
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vpna
 redistribute ospf 2
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
 
R3#sh run
Building configuration...
Current configuration : 1170 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!        
interface Serial1/0
 ip address 34.1.1.3 255.255.255.0
 mpls label protocol ldp
 tag-switching ip
 serial restart-delay 0
!
interface Serial1/1
 ip address 23.1.1.3 255.255.255.0
 mpls label protocol ldp
 tag-switching ip
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.0 0.0.0.255 area 0
 network 23.1.1.0 0.0.0.255 area 0
 network 34.1.1.0 0.0.0.255 area 0
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
 
R4#sh run
Building configuration...
Current configuration : 1826 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip vrf vpna
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!        
ip cef
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
 ip ospf network point-to-point
!        
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 34.1.1.4 255.255.255.0
 mpls label protocol ldp
 tag-switching ip
 serial restart-delay 0
!
interface Serial1/1
 ip vrf forwarding vpna
 ip address 45.1.1.4 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.0 0.0.0.255 area 0
 network 34.1.1.0 0.0.0.255 area 0
!
router ospf 2 vrf vpna
 log-adjacency-changes
 redistribute bgp 1 metric 10 subnets
 network 45.1.1.0 0.0.0.255 area 0
!
router bgp 1
 bgp router-id 4.4.4.4
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family ipv4
 neighbor 2.2.2.2 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family vpnv4
 neighbor 2.2.2.2 activate
 neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vpna
 redistribute ospf 2 metric 10
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
end
 
R5(config-if)#end
R5#sh run
Building configuration...
*Jun 24 15:40:05.831: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 1020 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
..
  
 
 
DHCP Request for an IP Address from a DHCP Server
To watch the process by which a host obtains an IP address, we can use debug ip packet.






Note


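    The purpose of this lab is to apply NAT. Uses of NAT include: (1) an internal network reaching the Internet through one or a few public IP addresses; (2) an external network accessing a virtual server address, which is what this lab covers; (3) when networks are merged and both internal networks use private addresses, or the same private address ranges, NAT is needed as well.
Reference: http://skyyue.bokee.com/viewdiary.16146437.html
I. Topology
    R3 accesses the virtual server address V-server 1.1.1.127 on R1; the corresponding real server addresses are 1.1.1.1, 1.1.1.2 and 1.1.1.3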





II. Basic configuration:
R1:
interface Serial1/0
 ip address 12.1.1.1 255.255.255.0
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip address 1.1.1.2 255.255.255.0 secondary
 ip address 1.1.1.3 255.255.255.0 secondary
hostname R1
router ospf 1
 router-id 1.1.1.1
 network 1.1.1.0 0.0.0.255 area 0
 network 12.1.1.0 0.0.0.255 area 0
 

R2
interface Serial1/0
 ip address 12.1.1.2 255.255.255.0
 ip nat inside
interface Serial1/1
 ip address 23.1.1.2 255.255.255.0
 ip nat outside
hostname R2
router ospf 1
 router-id 2.2.2.2
 network 2.2.2.0 0.0.0.255 area 0
 network 12.1.1.0 0.0.0.255 area 0
 network 23.1.1.0 0.0.0.255 area 0
ip nat pool toser 1.1.1.1 1.1.1.3 netmask 255.255.255.0 type rotary
ip nat inside destination list 1 pool toser
access-list 1 permit 1.1.1.127
// Analysis: a request coming in from R3 has destination IP 1.1.1.127 and source IP 23.1.1.3, so it is the destination IP that has to be translated, which is what ip nat inside destination is for
 
R3
interface Serial1/0
 ip address 23.1.1.3 255.255.255.0
hostname R3
router ospf 1
 router-id 3.3.3.3
 network 3.3.3.0 0.0.0.255 area 0
 network 23.1.1.0 0.0.0.255 area 0
 
 
III. Monitoring and testing the configuration
1. Messages produced on R2 while ip nat is being configured
R2(config)#ip nat inside destination list 1 pool toser ?
R2(config)#ip nat inside destination list 1 pool toser
% Pool toser is not a rotary-type pool, unexpected behavior may result.
// The address pool is not yet defined with type rotary, i.e. the round-robin allocation mechanism, so problems may occur
*Jun 20 00:26:54.191: ipnat_add_dynamic_cfg_common: id 2, flag 5, range 1
// As shown above, dynamic NAT allocation is in use
*Jun 20 00:26:54.191: id 2, flags 0, domain 0, lookup 1, aclnum 1, aclname 1, mapname  idb 0x00000000
// ID 2: ACL number 1 / ACL name 1 is used, and there is no route-map.
*Jun 20 00:26:54.195: poolstart 1.1.1.1   poolend 1.1.1.3
// The address pool runs from 1.1.1.1 to 1.1.1.3
R2(config)#ip nat inside destination list 1 pool toser  ?
R2(config)#                                            
R2(config)#ip nat pool toser 1.1.1.1 1.1.1.3 netmask 255.255.255.0 ?
  type  Specify the pool type
  <cr>
R2(config)#ip nat pool toser 1.1.1.1 1.1.1.3 netmask 255.255.255.0 type ?
  match-host  Keep host numbers the same after translation
  rotary      Rotary address pool
// Two pool types exist: one is host-based (match-host), the other uses the rotary mechanism
R2(config)#$ toser 1.1.1.1 1.1.1.3 netmask 255.255.255.0 type rotary
R2(config)#
*Jun 20 00:28:24.235: ipnat_addrpool_notify_api: id 2, flags 11, range 0
*Jun 20 00:28:24.235: ipnat_addrpool_notify_api: id 2, flags 11, range 1

 
2. When R3 telnets to 1.1.1.127 several times, R2 hands out the real addresses in rotation
*Jun 20 00:35:14.951: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [0]
*Jun 20 00:35:15.167: NAT*: s=1.1.1.2->1.1.1.127, d=23.1.1.3 [0]
*Jun 20 00:35:15.359: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [1]
*Jun 20 00:35:15.359: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [2]
*Jun 20 00:35:15.383: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [3]
*Jun 20 00:35:15.455: NAT*: s=1.1.1.2->1.1.1.127, d=23.1.1.3 [1]
*Jun 20 00:35:15.527: NAT*: s=1.1.1.2->1.1.1.127, d=23.1.1.3 [2]
R2(config)#
*Jun 20 00:35:15.599: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [6]
R2(config)#
*Jun 20 00:35:22.919: NAT: expiring 1.1.1.127 (1.1.1.1) tcp 23 (23)
*Jun 20 00:35:23.111: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [0]
*Jun 20 00:35:23.207: NAT*: s=1.1.1.3->1.1.1.127, d=23.1.1.3 [0]
*Jun 20 00:35:23.351: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [1]
*Jun 20 00:35:23.351: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [2]
*Jun 20 00:35:23.423: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [3]
*Jun 20 00:35:23.567: NAT*: s=1.1.1.3->1.1.1.127, d=23.1.1.3 [1]
*Jun 20 00:35:23.663: NAT*: s=1.1.1.3->1.1.1.127, d=23.1.1.3 [2]
*Jun 20 00:35:23.735: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [4]
*Jun 20 00:35:23.735: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [5]
R2(config)#
*Jun 20 00:35:23.759: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [6]
*Jun 20 00:35:23.855: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [7]
*Jun 20 00:35:24.047: NAT*: s=1.1.1.3->1.1.1.127, d=23.1.1.3 [3]
R2(config)#
*Jun 20 00:35:25.611: NAT: s=1.1.1.3->1.1.1.127, d=23.1.1.3 [4]
*Jun 20 00:35:25.831: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [8]
*Jun 20 00:35:25.855: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [9]
*Jun 20 00:35:25.903: NAT*: s=1.1.1.3->1.1.1.127, d=23.1.1.3 [5]
R2(config)#
*Jun 20 00:35:36.231: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.1 [0]
*Jun 20 00:35:36.455: NAT*: s=1.1.1.1->1.1.1.127, d=23.1.1.3 [0]
*Jun 20 00:35:36.783: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.1 [1]
*Jun 20 00:35:36.807: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.1 [2]
*Jun 20 00:35:36.831: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.1 [3]
*Jun 20 00:35:36.855: NAT*: s=1.1.1.1->1.1.1.127, d=23.1.1.3 [1]
*Jun 20 00:35:36.951: NAT*: s=1.1.1.1->1.1.1.127, d=23.1.1.3 [2]
*Jun 20 00:35:36.951: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.1 [4]
*Jun 20 00:35:36.955: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.1 [5]
*Jun 20 00:35:36.955: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.1 [6]

*Jun 20 00:35:44.695: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [0]
*Jun 20 00:35:44.887: NAT*: s=1.1.1.2->1.1.1.127, d=23.1.1.3 [0]
*Jun 20 00:35:44.983: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [1]
*Jun 20 00:35:44.983: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [2]
*Jun 20 00:35:45.055: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [3]
*Jun 20 00:35:45.127: NAT*: s=1.1.1.2->1.1.1.127, d=23.1.1.3 [1]
*Jun 20 00:35:45.179: NAT*: s=1.1.1.2->1.1.1.127, d=23.1.1.3 [2]
*Jun 20 00:35:45.319: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [4]
*Jun 20 00:35:45.319: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [5]
*Jun 20 00:35:45.323: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [6]
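// The parts shown in red in the original post show that the inside addresses are assigned in rotation
// This is the effect of type rotary in the command ip nat pool toser 1.1.1.1 1.1.1.3 netmask 255.255.255.0 type rotary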
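
An added example, not part of the original post: a Python check that reads debug ip nat output like the lines above and confirms that each new connection to 1.1.1.127 is rewritten to the next address of pool toser. The sample is an excerpt of the page's own output; treating IP id 0 as the first packet of a connection is an assumption that holds for this capture.

```python
import ipaddress
import re

# Matches translated-packet lines of "debug ip nat". Router prompts and
# "NAT: expiring ..." lines do not match and are skipped.
LINE = re.compile(
    r"NAT\*?: s=(?P<src>[\d.]+)(?:->(?P<src_new>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_new>[\d.]+))? \[(?P<ipid>\d+)\]")

# Excerpt of the R2 output shown on the page (start of each telnet from R3).
SAMPLE = """\
*Jun 20 00:35:14.951: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [0]
*Jun 20 00:35:15.167: NAT*: s=1.1.1.2->1.1.1.127, d=23.1.1.3 [0]
*Jun 20 00:35:15.359: NAT*: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [1]
R2(config)#
*Jun 20 00:35:22.919: NAT: expiring 1.1.1.127 (1.1.1.1) tcp 23 (23)
*Jun 20 00:35:23.111: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.3 [0]
*Jun 20 00:35:23.207: NAT*: s=1.1.1.3->1.1.1.127, d=23.1.1.3 [0]
*Jun 20 00:35:36.231: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.1 [0]
*Jun 20 00:35:36.455: NAT*: s=1.1.1.1->1.1.1.127, d=23.1.1.3 [0]
*Jun 20 00:35:44.695: NAT: s=23.1.1.3, d=1.1.1.127->1.1.1.2 [0]
"""


def pool_members(first, last):
    """Expand the first/last addresses of 'ip nat pool' into an ordered list."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


def parse(text):
    """Return one dict per translated packet found in the debug output."""
    records = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["ipid"] = int(rec["ipid"])
            records.append(rec)
    return records


def new_connections(records, vip):
    """Real server picked for each new connection to the virtual address.
    Assumption: the first packet of a connection carries IP id 0."""
    return [r["dst_new"] for r in records
            if r["dst"] == vip and r["dst_new"] and r["ipid"] == 0]


def audit(text, vip, pool):
    """Return (servers chosen per connection, list of findings)."""
    records = parse(text)
    chosen = new_connections(records, vip)
    findings = []
    for r in records:
        # Inbound: only the virtual address may be rewritten, and only
        # to a pool member. Outbound: the reverse mapping must hold.
        if r["dst_new"] and (r["dst"] != vip or r["dst_new"] not in pool):
            findings.append(
                f"unexpected destination rewrite {r['dst']}->{r['dst_new']}")
        if r["src_new"] and (r["src_new"] != vip or r["src"] not in pool):
            findings.append(
                f"unexpected source rewrite {r['src']}->{r['src_new']}")
    for prev, cur in zip(chosen, chosen[1:]):
        if prev not in pool:
            continue  # already reported above
        expected = pool[(pool.index(prev) + 1) % len(pool)]
        if cur != expected:
            findings.append(
                f"rotation broken: {prev} followed by {cur}, expected {expected}")
    return chosen, findings


if __name__ == "__main__":
    pool = pool_members("1.1.1.1", "1.1.1.3")
    chosen, findings = audit(SAMPLE, "1.1.1.127", pool)
    print("servers chosen:", chosen)
    print("findings:", findings or "none")
```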
 
3. The NAT translation table on R2 when R3 telnets to 1.1.1.127
R3#telnet 1.1.1.127
Trying 1.1.1.127 ... Open
Password required, but none set
[Connection to 1.1.1.127 closed by foreign host]
Check the NAT translations on R2
R2(config)#do sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
tcp 1.1.1.127:23       1.1.1.3:23         23.1.1.3:18003     23.1.1.3:18003
// As shown, the entry is for a TCP connection
R1(config-if)#
*Jun 20 00:48:29.999: IP: tableid=0, s=23.1.1.3 (Serial1/0), d=1.1.1.2 (Loopback0), routed via RIB
*Jun 20 00:48:30.003: IP: s=23.1.1.3 (Serial1/0), d=1.1.1.2, len 44, rcvd 7
*Jun 20 00:48:30.007: IP: tableid=0, s=1.1.1.2 (local), d=23.1.1.3 (Serial1/0), routed via FIB
*Jun 20 00:48:30.011: IP: s=1.1.1.2 (local), d=23.1.1.3 (Serial1/0), len 44, sending
// What R1 actually sees is still the external host's request, while the external host itself was requesting the virtual IP address 1.1.1.127 ..
2007-06-19 23:02:08

 


    IP addressing used in the lab:
   SW1 VLAN 2  192.168.2.250     VLAN 3    192.168.2.250
   SW2 VLAN 2  192.168.2.249     VLAN 3    192.168.2.249
   R1  bvi  1  192.168.2.251     bvi  2    192.168.3.251
   R2  bvi  1  192.168.2.248     bvi  2    192.168.3.248
       HSRP 2  192.168.2.254     HSRP 3    192.168.3.254
  
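I. Purpose of the lab
    Understand what bridging does: "bridging" is the process of forwarding network packets based on the link-layer addresses of the OSI network model. Once bridging is configured on a router, it processes all data frames on all interfaces and keeps track of the location of each host in real time. When a frame is received on an interface, an entry is placed in the bridge listing the MAC address of the sending host and the interface on which the frame was received, so the table is steadily filled in as traffic flows.
Reference: http://zhidao.baidu.com/question/5760460.html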

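II. Lab content
    1. In this lab we use layer-2 switches and let the routers route between the VLANs
       Create sub-interfaces under E0/0 and E0/1
       int e0/0.1                 int e0/0.2
       encapsulation dot1Q 2      encapsulation dot1Q 3   // tag VLAN 2 and VLAN 3 respectively
    2. Because IP addresses from the same subnet cannot be configured on the same physical interface, we use bridge groups to bridge the sub-interfaces
       int e0/0.1            int e0/1.1
       bridge-group 1        bridge-group 2    // create two bridge groups
    3. This is only plain layer-2 bridging. To get layer-3 bridging, the bridge groups have to be given IP addresses
       int bvi 1                              int bvi 2
       ip add 192.168.2.1 255.255.255.0       ip add 192.168.3.1 255.255.255.0
       The two groups use the VLAN 2 and VLAN 3 subnets respectively, which makes routing between the VLANs possible
    4. To complete routing between the VLANs, all ports on the orange links are trunks
       switchport mode trunk
       switchport trunk encapsulation dot1q
    5. All PC access ports are configured as portfast ports to speed up convergence
       spanning-tree portfast
    6. To protect the end PCs, we can use a hot-standby protocol to provide gateway redundancy
        R1: int bvi 1                              int bvi 2
            standby 1 ip 192.168.2.254             standby 2 ip 192.168.3.254
            standby 1 preempt                      standby 2 preempt    // enable preemption
        R2: int bvi 1                              int bvi 2
            standby 1 ip 192.168.2.254             standby 2 ip 192.168.3.254
            standby 1 preempt                      standby 2 preempt    // enable preemption
            standby 1 priority 50                  standby 2 priority 200
            // priority 50 makes R1 the primary gateway for VLAN 1; priority 200 makes R2 the primary gateway for VLAN 2
       In step 6, R1 and R2 are made the primary gateway for VLAN 1 and VLAN 2 respectively and back each other up, which makes the network more reliable
    7. A routing protocol runs between the ISP and the local routers, which allows load balancing
The following commands are used in the lab:
   bridge 1 protocol ieee   // protocol for the bridge group
   bridge 1 route ip        // support IP routing on the bridge group
   bridge irb               // integrate routing with the bridged interfaces

II. Lab configuration
    The main difficulty in this lab is routed bridging on sub-interfaces, but this design has long been obsolete; the same function can be implemented with layer-3 routing. The other point is building a backup gateway for the VLANs, which can be done with HSRP, VRRP or GLBP
 
III. Configuration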
R1-up#sh run
Building configuration...
Current configuration : 1119 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1-up
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
bridge irb
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 half-duplex
!
interface Ethernet0/0.1
 encapsulation dot1Q 2
 bridge-group 1
!
interface Ethernet0/0.2
 encapsulation dot1Q 3
 bridge-group 2
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 no fair-queue
!
interface Ethernet0/1
 no ip address
 half-duplex
!
interface Ethernet0/1.1
 encapsulation dot1Q 2
 bridge-group 1
!
interface Ethernet0/1.2
 encapsulation dot1Q 3
 bridge-group 2
!
interface BVI1
 ip address 192.168.2.251 255.255.255.0
 standby 1 ip 192.168.2.1
 standby 1 preempt
!
interface BVI2
 ip address 192.168.3.251 255.255.255.0
 standby 2 ip 192.168.3.1
!
ip http server
ip classless
!
!
!
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

R2-down#sh run
Building configuration...
Current configuration : 1173 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2-down
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
bridge irb
!
!
!
interface Ethernet0/0
 no ip address
 half-duplex
!
interface Ethernet0/0.1
 encapsulation dot1Q 2
 bridge-group 1
!
interface Ethernet0/0.2
 encapsulation dot1Q 3
 bridge-group 2
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0/1
 no ip address
 half-duplex
!
interface Ethernet0/1.1
 encapsulation dot1Q 2
 bridge-group 1
!
interface Ethernet0/1.2
 encapsulation dot1Q 3
 bridge-group 2
!
interface BVI1
 ip address 192.168.2.248 255.255.255.0
 standby 1 ip 192.168.2.1
 standby 1 priority 50
 standby 1 preempt
// Bridge group 1, with HSRP enabled
!
interface BVI2
 ip address 192.168.3.248 255.255.255.0
 standby 2 ip 192.168.3.1
 standby 2 priority 200
 standby 2 preempt
// Bridge group 2, with HSRP enabled
!
ip http server
no ip http secure-server
ip classless
!
!
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
 
 
Sw1-up#sh run
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sw1-up
!
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface VLAN1
 no ip directed-broadcast
 no ip route-cache
!
interface VLAN2
 ip address 192.168.2.250 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
interface VLAN3
 ip address 192.168.3.250 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
end
Sw1-up#
 
Sw2-down#sh run
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sw2-down
!
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/3
 spanning-tree portfast
!
interface FastEthernet0/4
 spanning-tree portfast
!
interface FastEthernet0/5
 spanning-tree portfast
!
interface FastEthernet0/6
 spanning-tree portfast
!
interface FastEthernet0/7
 spanning-tree portfast
!
interface FastEthernet0/8
 spanning-tree portfast
!
interface FastEthernet0/9
 spanning-tree portfast
!
interface FastEthernet0/10
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree portfast
!
interface FastEthernet0/12
 spanning-tree portfast
!
interface VLAN1
 no ip directed-broadcast
 no ip route-cache
!
interface VLAN2
 ip address 192.168.2.249 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
interface VLAN3
 ip address 192.168.3.249 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
end
Sw2-down#
2007-06-17 18:22:35
Harbour Networks router PPPoE configuration example (Cisco is similar)
                          ..
2007-06-17 18:16:04
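     PPPoE dialing is mainly used for ADSL dial-up. For the end user there are three access methods: the first is transparent bridging, the second is PPPoE, and the third is PPPoA.
 

    In the figure above, the topmost diagram is the transparent-bridging access method.
    The diagrams below it use PPPoE dialing; the middle one uses a modem plus a router,
    and in the bottom diagram a PC acts as the client and dials PPPoE with software in the operating system.
 

 
    This method uses PPPoA, i.e. PPP over ATM. A DSL module installed in the router provides the dial-up function.
 
 
I. Purpose of the lab
       Understand the PPPoE dial-up process and how PPPoE works
 
II. Lab configuration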
R1#sh run
Building configuration...
Current configuration : 955 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
interface FastEthernet0/0
 no ip address
 duplex half
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname R1
 ppp chap password 0 cisco
!
(omitted)…
end
      
R2#sh run
Building configuration...
Current configuration : 1175 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
!
username R1 password 0 cisco

interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!        
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 no ip address
 duplex half
 pppoe enable
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!        
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool cisco
 ppp authentication chap
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
ip local pool cisco 10.1.1.10 10.1.1.20
ip classless
no ip http server
no ip http secure-server
// The configuration above should need no explanation
 
III. Monitoring and testing
1. R1's dial-up process
R1(config-if)#
*Jun 17 17:44:13.491: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
R1(config-if)#
*Jun 17 17:44:22.727:  Sending PADI: Interface = FastEthernet0/0
*Jun 17 17:44:22.795: PPPoE 0: I PADO  R:ca01.0498.0000 L:ca00.0498.0000 Fa0/0
*Jun 17 17:44:24.807:  PPPOE: we've got our pado and the pado timer went off
*Jun 17 17:44:24.807: OUT PADR from PPPoE Session
*Jun 17 17:44:24.863: PPPoE 29: I PADS  R:ca01.0498.0000 L:ca00.0498.0000 Fa0/0
*Jun 17 17:44:24.863: IN PADS from PPPoE Session
*Jun 17 17:44:24.879: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Jun 17 17:44:24.879: PPPoE: Virtual Access interface obtained.
*Jun 17 17:44:24.883: PPPoE : encap string prepared
*Jun 17 17:44:24.883: [0]PPPoE 29: data path set to Virtual Acess
*Jun 17 17:44:24.883: Vi1 PPP: Using dialer call direction
*Jun 17 17:44:24.887: Vi1 PPP: Treating connection as a callout
*Jun 17 17:44:24.887: Vi1 PPP: Session handle[6700005A] Session id[0]
*Jun 17 17:44:24.891: Vi1 PPP: Authorization required
*Jun 17 17:44:24.891: Vi1 PPP: No remote authentication for call-out // one-way authentication is used
*Jun 17 17:44:24.895: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Jun 17 17:44:26.939: Vi1 PPP: No authorization without authentication
*Jun 17 17:44:27.039: Vi1 CHAP: I CHALLENGE id 1 len 23 from "R2"
*Jun 17 17:44:27.047: Vi1 CHAP: Using hostname from interface CHAP
*Jun 17 17:44:27.047: Vi1 CHAP: Using password from interface CHAP
*Jun 17 17:44:27.047: Vi1 CHAP: O RESPONSE id 1 len 23 from "R1"
*Jun 17 17:44:27.359: Vi1 CHAP: I SUCCESS id 1 len 4
*Jun 17 17:44:28.363: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config-if)#do sh ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  up                    up     
Serial1/0                  unassigned      YES unset  administratively down down   
Serial1/1                  unassigned      YES unset  administratively down down   
Serial1/2                  unassigned      YES unset  administratively down down   
Serial1/3                  unassigned      YES unset  administratively down down   
Virtual-Access1            unassigned      YES unset  up                    up     
Dialer1                    10.1.1.10       YES IPCP   up                    up
As shown, R1 has obtained an IP address from R2
R1(config-line)#do sh int dia 1
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 10.1.1.10/32
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Last input never, output never, output hang never
            (omitted)…
Bound to:
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Listen: CDPCP
  Open: IPCP
  PPPoE vaccess, cloned from Dialer1
  Vaccess status 0x44, loopback not set
  Keepalive set (10 sec)
  Interface is bound to Di1 (Encapsulation PPP)
  Last input 00:07:00, output never, output hang never
  Last clearing of "show interface" counters 00:07:24
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
              (omitted)…
// As shown above, we obtain a public IP address from the carrier normally
 
2. The authentication process over PPPoE
Server side:
R2(config-line)#do debug ppp authe
PPP authentication debugging is on
*Jun 17 18:00:24.243: ppp32 PPP: Using default call direction
*Jun 17 18:00:24.247: ppp32 PPP: Treating connection as a dedicated line
*Jun 17 18:00:24.247: ppp32 PPP: Session handle[F4000020] Session id[32]
*Jun 17 18:00:24.251: ppp32 PPP: Authorization required
*Jun 17 18:00:26.355: ppp32 CHAP: O CHALLENGE id 1 len 23 from "R2"
*Jun 17 18:00:26.435: ppp32 CHAP: I RESPONSE id 1 len 23 from "R1"
*Jun 17 18:00:26.439: ppp32 PPP: Sent CHAP LOGIN Request
*Jun 17 18:00:26.447: ppp32 PPP: Received LOGIN Response PASS
*Jun 17 18:00:26.471: Vi1.1 PPP: Sent LCP AUTHOR Request
*Jun 17 18:00:26.475: Vi1.1 PPP: Sent IPCP AUTHOR Request
*Jun 17 18:00:26.483: Vi1.1 LCP: Received AAA AUTHOR Response PASS
*Jun 17 18:00:26.483: Vi1.1 IPCP: Received AAA AUTHOR Response PASS
*Jun 17 18:00:26.487: Vi1.1 CHAP: O SUCCESS id 1 len 4
R2(config-line)#
Client side:
R1(config-if)#
*Jun 17 18:00:27.251: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Jun 17 18:00:27.255: Vi1 PPP: Using dialer call direction
*Jun 17 18:00:27.255: Vi1 PPP: Treating connection as a callout
*Jun 17 18:00:27.259: Vi1 PPP: Session handle[87000063] Session id[0]
*Jun 17 18:00:27.259: Vi1 PPP: Authorization required
*Jun 17 18:00:27.259: Vi1 PPP: No remote authentication for call-out
*Jun 17 18:00:27.263: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Jun 17 18:00:29.295: Vi1 PPP: No authorization without authentication
*Jun 17 18:00:29.315: Vi1 CHAP: I CHALLENGE id 1 len 23 from "R2"
*Jun 17 18:00:29.319: Vi1 CHAP: Using hostname from interface CHAP
*Jun 17 18:00:29.323: Vi1 CHAP: Using password from interface CHAP
*Jun 17 18:00:29.323: Vi1 CHAP: O RESPONSE id 1 len 23 from "R1"
*Jun 17 18:00:29.759: Vi1 CHAP: I SUCCESS id 1 len 4
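
The CHAP exchange in the two debug traces above, rebuilt as an added Python example following RFC 1994 (not code from the original post). The names R1 and R2 and the secret cisco come from the page's configuration; the 16-byte challenge value is constructed, since the debug output does not show it.

```python
import hashlib
import hmac
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

# Authenticator side (R2): "username R1 password 0 cisco".
# CHAP needs the secret itself on both ends, not a one-way hash of it,
# which is why it sits in the configuration in recoverable form.
SECRETS = {b"R1": b"cisco"}


def build(code, ident, value, name):
    """Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(pkt):
    """Split a Challenge or Response into (code, id, value, name)."""
    if len(pkt) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    size = pkt[4]
    if length != len(pkt) or 5 + size > length:
        raise ValueError("bad CHAP length fields")
    return code, ident, pkt[5:5 + size], pkt[5 + size:]


def chap_md5(ident, secret, challenge):
    """RFC 1994: MD5 over the Identifier, the secret, then the Challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def respond(challenge_pkt, my_name, secret):
    """Peer side (R1): answer using the interface CHAP hostname/password."""
    code, ident, challenge, _authenticator = parse(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("not a Challenge")
    return build(RESPONSE, ident, chap_md5(ident, secret, challenge), my_name)


def verify(challenge_pkt, response_pkt):
    """Authenticator side (R2): return the 4-byte Success or Failure packet."""
    _, ident, challenge, _ = parse(challenge_pkt)
    code, rid, value, name = parse(response_pkt)
    secret = SECRETS.get(name)
    ok = (code == RESPONSE and rid == ident and secret is not None
          and hmac.compare_digest(value, chap_md5(ident, secret, challenge)))
    return struct.pack("!BBH", SUCCESS if ok else FAILURE, ident, 4)


if __name__ == "__main__":
    # Constructed challenge value; a real authenticator sends fresh random bytes.
    challenge = build(CHALLENGE, 1, bytes(range(16)), b"R2")
    response = respond(challenge, b"R1", b"cisco")
    # "len 23" in the trace = 4 header + 1 value-size + 16 value + 2 name
    print("challenge len", len(challenge), "response len", len(response))
    print("result:", verify(challenge, response).hex())
    print("wrong secret:", verify(challenge,
                                  respond(challenge, b"R1", b"Cisco")).hex())
```

The packet lengths reproduce the "len 23" and "len 4" values in the traces, and a response computed for one challenge fails against any other, which is why the authenticator must issue a fresh challenge value each time.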

2007-06-17 17:29:37
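Study notes: OSPF comprehensive lab
 

  An OSPF comprehensive lab covering neighbor authentication, area MD5 authentication, virtual links, the role of multiple OSPF process IDs, redistribution, NSSA areas and update filtering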
2007-05-05 14:24:47
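  Today I went with a classmate to buy train tickets and saw a flyer that read "Sixth railway speed-up", so when I got back I looked up the history of the railway speed-ups. China's trains have been sped up quite quickly. I hope China's trains keep getting faster and steadier.

● 1 April 1997, first speed-up: carried out mainly on the three trunk lines Beijing-Guangzhou, Beijing-Shanghai and Beijing-Harbin. Track allowing speeds above 120 km/h was extended to 1398 km, track allowing speeds above 140 km/h to 588 km, and track allowing speeds above 160 km/h to 752 km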
2007-05-05 14:23:21
R1(config)#ip dhcp ?
aaa                 Configure aaa attributes
binding             DHCP address bindings
bootp               BOOTP specific configuration
conflict             DHCP address conflict parameters
  When doing traffic engineering, policy routing can be used to control the forwarding path of the traffic.