Chinaunix首页 | 论坛 | 博客
  • 博客访问: 3386537
  • 博文数量: 631
  • 博客积分: 10716
  • 博客等级: 上将
  • 技术积分: 8397
  • 用 户 组: 普通用户
  • 注册时间: 2008-04-01 22:35
文章分类

全部博文(631)

文章存档

2020年(2)

2019年(22)

2018年(4)

2017年(37)

2016年(22)

2015年(1)

2013年(12)

2012年(20)

2011年(19)

2010年(20)

2009年(282)

2008年(190)

分类: 系统运维

2009-03-10 13:39:11

最近一段时间在搞ipsec,反向路由注入的那部分书上介绍的很少,而且网上的文章介绍的也不是很深入,于是就查了一下cisco的文档,总结了一下并做了实验。以下是实验过程。
RRI+HSRP+OSPF
实验:
实验拓扑图如下


实验工具是dynamips, IOSc3640-jk9s-mz.124-10.bin

在右侧的HUB这几台路由器为什么要这样连接呢?因为要启用HSRP,也应该算是IPSEC的高可用性,而HSRP又不能用于WAN接口,所以R1R2不能用WAN口直接连接INTERNET。也许有人会问了,我直接向ISP申请IP专线,他们就能把以太口引到我的机房,没有必要必须有GW这台路由器。我这里讨论的情况是ISP不能给我以太口的时候,所以得有一台GW路由器和INTERNET连接。而且就算可行,那你也得申请两根专线阿。

net
文件如下:
autostart = false

model = 3640
[localhost]
        
    [[ROUTER R1]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T   
     f0/0 = LAN 1
     f1/0 = LAN 2      
           
    [[router R2]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T   
      f0/0 = LAN 1
      f1/0 = LAN 2

    [[router R3]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T   
   

    [[router R4]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T
      f0/0 = R3 f0/0
      f1/0 = LAN 1   

    [[router R5]]
    model = 3640
    image = d:/cisco/c3640-jk9s-mz.124-10.bin
    exec_area = 8
    idlepc = 0x605914fc
    ram = 128
    confreg = 0x2142
    slot0 = NM-1FE-TX
    slot1 = NM-1FE-TX
    slot2 = NM-4T   
      f1/0 = LAN 2   

各台路由器的配置:
r1#show run
Building configuration...

Current configuration : 1682 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
!         
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set test
match address 101
reverse-route
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
ip address 10.4.4.1 255.255.255.0
duplex auto
speed auto
standby delay minimum 30 reload 60
standby ip 10.4.4.3
standby priority 105
standby preempt
standby name ipsec
standby track FastEthernet1/0
crypto map vpn redundancy ipsec
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!         
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
redistribute static subnets
network 192.168.1.1 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.4.4.4
!
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!         
!
!
!
!
!
!
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end

r1#


r2#sho run
Building configuration...

Current configuration : 1644 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!         
!         
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!         
crypto map vpn 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set test
match address 101
reverse-route remote-peer 10.4.4.4
!
!
!
!
interface FastEthernet0/0
ip address 10.4.4.2 255.255.255.0
duplex auto
speed auto
standby delay minimum 30 reload 60
standby ip 10.4.4.3
standby preempt
standby name ipsec
standby track FastEthernet1/0
crypto map vpn redundancy ipsec
!
interface FastEthernet1/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
redistribute static subnets
network 192.168.1.2 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.4.4.4
!
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
!         
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end

r2#


spoke#show run
Building configuration...

Current configuration : 1404 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname spoke
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.4.4.3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 10.4.4.3
set transform-set test
match address 101
!
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
!
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end

spoke#


GW#show run
Building configuration...

Current configuration : 1068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.4.4.4 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 192.168.1.0 255.255.255.0 10.4.4.3
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!         
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end

GW#


r5#show run
Building configuration...

Current configuration : 1113 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip tcp selective-ack
!
!
ip cef
!
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
!         
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.5 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 192.168.1.5 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!         
!
!
!
!
!
!
!
!
line con 0
logging synchronous
no exec
line aux 0
line vty 0 4
password cisco
login
!
!
end

r5#


R1上查看hsrp和加密
r1#show stand b
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP     
Fa0/0       0   105  P Active   local           10.4.4.2        10.4.4.3      
r1#
r1#show cry is sa
dst             src             state          conn-id slot status

r1#show cry ip sa

interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 10.4.4.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.4.4.3, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
         
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
r1#
r1#show cry en conn ac

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

r1#
R2上查看hsrp和加密
r2#show stand b
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP     
Fa0/0       0   100  P Standby  10.4.4.1        local           10.4.4.3      
r2#
R2
上加密现在和R1上相同


R3ping 对端被保护的网络:
spoke#ping 192.168.1.1 so 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 276/282/292 ms
spoke#

此时在R1
r1#show cry is sa
dst             src             state          conn-id slot status
10.4.4.3        10.1.1.1        QM_IDLE              1    0 ACTIVE

r1#show cry en conn ac

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      10.4.4.1        set    HMAC_SHA+DES_56_CB        0        0
2001 FastEthernet0/0      10.4.4.3        set    3DES+SHA                  0        3
2002 FastEthernet0/0      10.4.4.3        set    3DES+SHA                  3        0

r1#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
S       10.0.0.0 [1/0] via 10.1.1.1
C    192.168.1.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
r1#

此时的R2
r2#show cry is sa
dst             src             state          conn-id slot status

r2#show cry en conn ac

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

r2#
r2#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
O E2    10.0.0.0 [110/20] via 192.168.1.1, 00:03:18, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
r2#

r5#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 192.168.1.1, 00:03:44, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet1/0
r5#

spoke#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
spoke#ping 192.168.1.5 so 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 284/315/352 ms
spoke#

之后做切换测试,在R1上将F1/0接口sh down
r1(config)#int fa1/0
r1(config-if)#sh
r1(config-if)#
r1(config-if)#
r1(config-if)#
*Mar  1 00:34:46.595: %OSPF-5-ADJCHG: Process 100, Nbr 5.5.5.5 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:34:46.599: %OSPF-5-ADJCHG: Process 100, Nbr 10.4.4.2 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
r1(config-if)#
*Mar  1 00:34:48.583: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  1 00:34:49.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Active -> Speak
*Mar  1 00:34:49.583: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
r1(config-if)#
*Mar  1 00:34:59.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Speak -> Standby
r1(config-if)#

r1(config)#int fa1/0
r1(config-if)#sh
r1(config-if)#
r1(config-if)#
r1(config-if)#
*Mar  1 00:34:46.595: %OSPF-5-ADJCHG: Process 100, Nbr 5.5.5.5 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:34:46.599: %OSPF-5-ADJCHG: Process 100, Nbr 10.4.4.2 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
r1(config-if)#
*Mar  1 00:34:48.583: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  1 00:34:49.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Active -> Speak
*Mar  1 00:34:49.583: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
r1(config-if)#
*Mar  1 00:34:59.303: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Speak -> Standby
r1(config-if)#
r1(config-if)#end
r1#show
*Mar  1 00:35:27.367: %SYS-5-CONFIG_I: Configured from console by console
r1#show st
r1#show stand b
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP     
Fa0/0       0   95   P Standby  10.4.4.2        local           10.4.4.3      


r2#
*Mar  1 00:35:16.047: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 0 state Standby -> Active
r2#
*Mar  1 00:35:51.275: %OSPF-5-ADJCHG: Process 100, Nbr 10.4.4.1 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Dead timer expired
r2#show stand bri
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP     
Fa0/0       0   100  P Active   local           10.4.4.1        10.4.4.3      

R1RRI注入的静态路由没有了
r1#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
r1#
r1#show cry is sa
dst             src             state          conn-id slot status
10.4.4.3        10.1.1.1        QM_IDLE              1    0 ACTIVE

r1#show cry en conn ac

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      10.4.4.1        set    HMAC_SHA+DES_56_CB        0        0

r1#

r2#show crypto  is sa
dst             src             state          conn-id slot status

r2#show cry en conn ac

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt


 

(27.58 KB) 2009-2-14 21:46
 

 

 

 

 

[]

发表于 2009-2-14 21:49 

等了一段时间后,在spoke路由器上ping对端保护的网络
spoke#ping 192.168.1.2 so 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 232/261/292 ms
spoke#
此时R2已经有了注入的静态路由
r2#show ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
S       10.0.0.0 [1/0] via 10.4.4.4
C    192.168.1.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4
r2#show cry is sa
dst             src             state          conn-id slot status
10.4.4.3        10.1.1.1        QM_IDLE              1    0 ACTIVE

r2#show cry en conn ac

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      10.4.4.2        set    HMAC_SHA+DES_56_CB        0        0
2001 FastEthernet0/0      10.4.4.3        set    3DES+SHA                  0       14
2002 FastEthernet0/0      10.4.4.3        set    3DES+SHA                  5        0

r2#telnet 192.168.1.5
Trying 192.168.1.5 ... Open


User Access Verification

Password:
r5>en
Password:
r5#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 192.168.1.2, 00:03:16, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet1/0
r5#
r5#ping 10.0.0.1 so 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 336/392/456 ms
r5#
R1上没有该路由
r1#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.4.4.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.4.4.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.4.4.4

 


至此,切换成功。


由于网络上的资料不是很多,所以把自己的实验过程贴了出来,希望对大家有帮助,一起进步。


 

阅读(1441) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~