第10章 综合案例实施.docx

路由器接口名称地址运行协议Beijing1F0/0/29EIGRP AS=1LO0/23EIGRP AS=1S0/0/0/24OSPF 区域 0S0/0/1/24OSPF 区域 0Beijing2S0/0/0/24OSPF 区域 0S0/1/0/24OSPF 区域 0F0/0/24OSPF 区域 0S0/0/1/24RIP v22012:2323:2/64OSPFv3S0/1/1/24OSPF区域12012:2424:2/64OSPFv3ShanghaiF0/0/24RIP v22012:3333:3/64OSPFv3S0/0/1/24RIP v22012:2323:3/64OSPFv3ShenzhenS0/0/0/24OSPF区域12012:2424:4/64OSPFv3F0/0/24OSPF区域12012:4444:4/64OSPFv3InternetF0/0/29EIGRP AS=1LO0/32EIGRP AS=1S0/0/1/30BGP通告相应网络S0/0/0/30BGP通告相应网络HotelF0/0/24S0/0/0/30SOHOF0/0/24S0/0/0218.181.2/30WEB服务器内网地址：00 外网地址：FTP服务器内网地址：01 外网地址：内部资源102内部资源203表10-1 路由器接口IP地址及运行协议10.3 案例配置任务本案例尽可能覆盖到前面章节的内容，配置任务具体如下所述。1 照要求配置路由器各个端口的IPv4和IPv6地址，保证直连链路通。2 配置OSPF路由协议保证OSPF各个区域路由正常，具体要求如下所述。将区域1配置成完全末节区域;区域0需要MD5验证，区域1需要简单口令验证；从Beijing1路由器向OSPF网络注入一条默认路由。3 配置RIP V2路由协议，采用MD5验证。4 置EIGRP路由协议，为路由器Beijing1和Internet运行BGP路由协议提供TCP连通性。5 Beijing1和Internet运行EBGP路由协议6 置DHCP服务，为分公司员工的主机提供IP地址。7 配置NAT：配置NAT过载，实现总部和分公司的主机可以访问Internet；配置NAT过载，实现Hotel和SOHO的主机可以访问Internet；配置静态NAT，实现Internet主机可以访问企业的Web和FTP服务器在路由器Beijing2上执行RIP和OSPF的双向重分布：将RIP路由重分布到OSPF；将OSPF路由重分布到RIP；配置OSPv3路由协议协议，采用验证，保证IPv6路由通。在路由器Beijing1上配置策略路由：使Internet主机访问FTP服务器的数据流走路由器R1的“Seria10/0/0”接口；使Internet主机访问Web服务器的数据流走路由器R1的“Seria10/0/1”接口；在路由器SOHO和Beijing1上配置Site-to-Site VPN，使得SOHO的用户可以通过IPSec VPN访问企业内部资源在路由器Beijing1上配置配置EZ VPN，使得出差员工通过酒店的网络可以访问企业内部资源。配置静态默认路由，使得Hotel路由器和SOHO路由器接入Internet。企业的路由器采用集中化管理，全部由北京的网络管理员进行管理，并采用AAA进行验证授权和计费。为了便于企业设备管理和排错，在内网配置NTP，使得内网设备时间统一。10.4案例配置实现本节只给出实验的配置，不再作注释，如有需要，请参考前面的章节。配置顺序按照路由器“show running-config”的输出顺序给出。AAA配置只给出路由器Beijing2的配置，其他设备请读者自己配制，ACS服务器的配置部分请参考第1章。1 配置路由器Beijing1Beijing1(config)#aaa new-modelBeijing1(config)#aaa authentication login CON noneBeijing1(config)#aaa authentication login VPNUSERS localBeijing1(config)#aaa authorization network VPN-REMOTE-ACCESS localBeijing1(config)#ip cefBeijing1(config)#key chain EIGRPBeijing1(config-keychain)#key 1Beijing1(config-keychain-key)#key-string cisco123Beijing1(config-keychain-key)#08:00:00 Nov 11 2011 08:00:00 Jun 11 2012Beijing1(config-keychain-key)#08:00:00 Nov 11 2011 08:00:00 Jun 11 2012Beijing1(config-keychain)#key 2Beijing1(config-keychain-key)#key-string cisco234Beijing1(config-keychain-key)#accept-lifetime 08:00:00 Nov 11 2011 08:00:00 Jun 11 2012Beijing1(config-keychain-key)#send-lifetime 08:00:00 Nov 11 2011 08:00:00 Jun 11 2012Beijing1(config)#username vpnuser secret ciscoBeijing1(config)#archiveBeijing1(config-archive)#path t02/$h-configBeijing1(config-archive)#write-memoryBeijing1(config-archive)#time-period 60Beijing1(config)#crypto isakmp policy 10Beijing1(config-isakmp)#hash md5Beijing1(config-isakmp)#authentication pre-shareBeijing1(config-isakmp)#group 2Beijing1(config)#crypto isakmp key cisco address Beijing1(config)#crypto isakmp fragmentationBeijing1(config)#crypto isakmp keepalive 20Beijing1(config)#crypto isakmp xauth timeout 20Beijing1(config)#crypto isakmp client configuration group VPN-REMOTE-ACCESSBeijing1(config-isakmp-group)#key MYVPNKEYBeijing1(config-isakmp-group)#pool REMOTE-POOLBeijing1(config-isakmp-group)#acl EZVPNBeijing1(config-isakmp-group)#save-passwordBeijing1(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmacBeijing1(config)#crypto dynamic-map DYNMAP 1Beijing1(config-crypto-map)#set transform-set TSBeijing1(config-crypto-map)#reverse-routeBeijing1(config)#crypto map MAP client authentication list VPNUSERSBeijing1(config)#crypto map MAP isakmp authorization list VPN-REMOTE-ACCESSBeijing1(config)#crypto map MAP 10 ipsec-isakmpBeijing1(config-crypto-map)#set peer Beijing1(config-crypto-map)#set transform-set TSBeijing1(config-crypto-map)#set pfs group2Beijing1(config-crypto-map)#match address VPNBeijing1(config-crypto-map)#reverse-route staticBeijing1(config)#crypto map MAP 65535 ipsec-isakmp dynamic DYNMAPBeijing1(config)#interface Loopback0Beijing1(config-if)#ip address 55Beijing1(config)#interface FastEthernet0/0Beijing1(config-if)#ip address 48Beijing1(config-if)#ip authentication mode eigrp 1 md5Beijing1(config-if)#ip authentication key-chain eigrp 1 EIGRPBeijing1(config-if)#ip nat outsideBeijing1(config-if)#ip policy route-map POBeijing1(config-if)#crypto map MAPBeijing1(config)#interface Serial0/0/0Beijing1(config-if)#ip address Beijing1(config-if)#ip nat insideBeijing1(config-if)#ip ospf message-digest-key 1 md5 ciscoBeijing1(config)#interface Serial0/0/1Beijing1(config-if)#ip address Beijing1(config-if)#ip nat insideBeijing1(config-if)#ip ospf message-digest-key 1 md5 ciscoBeijing1(config-if)#clock rate 128000Beijing1(config)#router eigrp 1Beijing1(config-router)#network Beijing1(config-router)#network Beijing1(config-route)#no auto-summaryBeijing1(config)#router ospf 1Beijing1(config-router)#router-id Beijing1(config-router)#area 0 authentication message-digestBeijing1(config-router)#network area 0Beijing1(config-router)#network area 0Beijing1(config-router)#default-information originate alwaysBeijing1(config)#router bgp 100Beijing1(config-router)#no synchronizationBeijing1(config-router)#bgp router-id Beijing1(config-router)#neighbor remote-as 500Beijing1(config-router)#neighbor password cisco17Beijing1(config-router)#neighbor ebgp-multihop 2Beijing1(config-router)#neighbor update-source Loopback0Beijing1(config-router)#no auto-summaryBeijing1(config)#ip local pool REMOTE-POOL 50Beijing1(config)#ip nat inside source list 101 interface FastEthernet0/0 overloadBeijing1(config)#ip nat inside source static 00 Beijing1(config)#ip nat inside source static 01 Beijing1(config)#ip access-list extended EZVPNBeijing1(config-ext-nacl)#permit ip 55 55Beijing1(config)#ip access-list extended WEBBeijing1(config-ext-nacl)#permit tcp any host 01 eq wwwBeijing1(config)#accee-list 101 deny ip 55 55Beijing1(config)#accee-list 101 permit ip 55 anyBeijing1(config)#route-map PO permit 10Beijing1(config-route-map)#match ip address FTPBeijing1(config-route-map)#set interface Serial0/0/1Beijing1(config)#line con 0Beijing1(config-line)#login authentication CONBeijing1(config)#ntp master 32 路由器配置Beijing2Beijing2(config)#enable secret cisico123Beijing2(config)#aaa new-modelBeijing2(config)#aaa authentication login CON noneBeijing2(config)#aaa authentication login TEST_LOGIN group tacacs+ localBeijing2(config)#aaa accounting exec ACC start-stop group tacacs+Beijing2(config)#aaa accounting commands 0 ACC start-stop group tacacs+Beijing2(config)#aaa accounting commands 1 ACC start-stop group tacacs+Beijing2(config)#aaa accounting commands 15 ACC start-stop group tacacs+Beijing2(config)#ip cefBeijing2(config)#ipv6 unicast-routingBeijing2(config)#ipv6 cefBeijing2(config)#key chain RIPBeijing2(config-keychain)#key 1Beijing2(config-kechain-key)#key-string cisco23Beijing2(config)#username ccie privilege 15 secret ciscoBeijing2(config)#archiveBeijing2(config-archive)#path t02/$h-configBeijing2(config-archive)#write-memoryBeijing2(config-archive)#time-period 60Beijing2(config)#interface FastEthernet0/0Beijing2(config-if)#ip address Beijing2(config)#interface Serial0/0/0Beijing2(config-if)#ip address Beijing2(config-if)#clock rate 128000Beijing2(config)#interface Serial0/0/1Beijing2(config-if)#ip address Beijing2(config-if)#ip rip authentication mode md5Beijing2(config-if)#ip rip authentication key-chain RIPBeijing2(config-if)#ip ospf message-digest-key 1 md5 ciscoBeijing2(config-if)#ipv6 address 2012:2323:2/64Beijing2(config-if)#ipv6 ospf 1 area 0Beijing2(config-if)#clock rate 128000Beijing2(config)#interface Serial0/1/0Beijing2(config-if)#ip address Beijing2(config-if)#ip ospf message-digest-key 1 md5 ciscoBeijing2(config)#interface Serial0/1/1Beijing2(config-if)#ip address Beijing2(config-if)#ip ospf authentication-key cisco24Beijing2(config-if)#ipv6 address 2012:2424:2/64Beijing2(config-if)#ipv6 ospf 1 area 0Beijing2(config)#router ospf 1Beijing2(config-router)#router-id Beijing2(config-router)#area 0 authentication message-digestBeijing2(config-router)#area 1 authenticationBeijing2(config-router)#area 1 stub no-summaryBeijing2(config-router)#redistribute rip subnetsBeijing2(config-router)#passive-interface FastEthernet0/0Beijing2(config-router)#network area 0Beijing2(config-router)#network area 0Beijing2(config-router)#network area 0Beijing2(config-router)#network area 1Beijing2(confi)#router ripBeijing2(config-router)#version 2Beijing2(config-router)#redistribute ospf 1 metric 3Beijing2(config-router)#passive-interface Serial0/0/1Beijing2(config-router)#network Beijing2(config-router)#no auto-summaryBeijing2(config)#ipv6 router ospf 1Beijing2(config-rtr)#router-id Beijing2(config-rtr)#area 0 encryption ipsec spi 1000 esp des 1234567890ABCDEF md5 12345678901234567890123456789012Beijing2(config)#tacacs-server host 03Beijing2(config)#tacacs-server key ciscoBeijing2(config)#line con 0Beijing2(config-line)#login authentication CONBeijing2(config)#line vty 0 4Beijing2(config-line)#accounting commands 0 ACCBeijing2(config-line)#accounting commands 1 ACCBeijing2(config-line)#accounting commands 15 ACCBeijing2(config-line)#accounting exec ACCBeijing2(config-line)#login authentication TEST_LOGINBeijing2(config)#ntp server 3 配置路由器ShanghaiShanghai(config)#ip cefShanghai(config)#ip dhcp excluded-address Shanghai(config)#ip dhcp pool shanghaiShanghai(dhcp-config)#network Shanghai(dhcp-config)#default-router Shanghai(dhcp-config)#dns-server 00Shanghai(dhcp-config)#domain-name Shanghai(config)#ipv6 unicast-routingShanghai(config)#ipv6 cefShanghai(config)#key chain RIPShanghai(config-keychain)#key 1Shanghai(config-keychain-key)#key-string cisco23Shanghai(config)#archiveShanghai(config-archive)#path t02/$h-configShanghai(config-archive)#write-memoryShanghai(config-archive)#time-period 60Shanghai(config)#interface FastEthernet0/0Shanghai(config-if)#ip address Shanghai(config-if)#ipv6 address 2012:3333:3/64Shanghai(config-if)#ipv6 ospf 1 area 0Shanghai(config)#interface Serial0/0/1Shanghai(config-if)#ip address Shanghai(config-if)#ip rip authentication mode md5Shanghai(config-if)#ip rip authentication key-chain RIPShanghai(config-if)#ipv6 address 2012:2323:3/64Shanghai(config-if)#ipv6 ospf 1 area 0Shanghai(config)#router ripShanghai(config-router)#version 2Shanghai(config-router)#passive-interface FastEthernet0/0Shanghai(config-router)#network Shanghai(config-router)#no auto-summaryShanghai(config)#ipv6 router ospf 1Shanghai(config-rtr)#router-id Shanghai(config-rtr)#area 0 encryption ipsec spi 1000 esp des 1234567890ABCDEF md5 12345678901234567890123456789012Shanghai(config)#ntp server 4 配置路由器ShenzhenShenzhen(config)#ip cefShenzhen(config)#ip dhcp excluded-address Shenzhen(config)#ip dhcp pool shenzhenShenzhen(dhcp-config)#network Shenzhen(dhcp-config)#default-router Shenzhen(dhcp-config)#dns-server 00Shenzhen(dhcp-config)#domain-name Shenzhen(config)#ipv6 unicast-routingShenzhen(config)#ipv6 cefShenzhen(config)#archiveShenzhen(config-archive)#path t02/$h-configShenzhen(config-archive)#write-memoryShenzhen(config-archive)#time-period 60Shenzhen(config)#interface FastEthernet0/0Shenzhen(config-if)#ip address Shenzhen(config-if)#ipv6 address 2012:4444:4/64Shenzhen(config-if)#ipv6 ospf 1 area 0Shenzhen(config)#interface Serial0/0/0Shenzhen(config-if)#ip address Shenzhen(config-if)#ip ospf authentication-key cisco24Shenzhen(config-if)#ipv6 address 2012:2424:4/64Shenzhen(config-if)#ipv6 ospf 1 area 0Shenzhen(config-if)#clock rate 128000Shenzhen(config)#router ospf 1Shenzhen(config-router)#router-id Shenzhen(config-router)#area 1 authenticationShenzhen(config-router)#area 1 stubShenzhen(config-router)#passive-interface FastEthernet0/0Shenzhen(config-router)#network area1Shenzhen(config-router)#network area1Shenzhen(config)#ipv6 router ospf 1Shenzhen(config-rtr)#router-id Shenzhen(config-rtr)#area 0 encryption ipsec spi 1000 esp des 1234567890ABCDEF md5 1234567890123456789012346789012Shenzhen(config)#ntp server 5 配置路由器HotelHotel(config)#ip cefHotel(config)#ip dhcp excluded-address Hotel(config)#ip dhcp pool HOTELHotel(dhcp-config)#network Hotel(dhcp-config)#default-router Hotel(dhcp-config)#dns-server 33Hotel(config)#interface FastEthernet0/0Hotel(config-if)#ip address Hotel(config-if)#ip nat insideHotel(config)#interface Serial0/0/0Hotel(config-if)#address 52Hotel(config-if)#ip nat outsideHotel(config)#ip route Serial0/0/0Hotel(config)#ip nat inside source list 101 interface Serial0/0/0 overloadHotel(config)#access-list 101 permit ip 55 any6 置路由器SOHOSOHO(config)#ip cefSOHO(config)#crypto isakmp policy 10SOHO(config-isakmp)#hash md5SOHO(config-isakmp)#authentication pre-shareSOHO(config-isakmp)#group 2SOHO(config)#crypto isakmp key cisco address SOHO(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmacSOHO(config)#crypto map MAP 10 ipsec-isakmpSOHO(config-crypto-map)#set peer SOHO(config-crypto-map)#set transform-set TSSOHO(config-crypto-map)#set pfs group2SOHO(config-crypto-map)#match address VPNSOHO(config-crypto-map)#reverse-route staticSOHO(config)#interface FastEthernet0/0SOHO(config-if)#ip address SOHO(config-if)#ip nat insideSOHO(config)#interface Serial0/0/0SOHO(config-if)#ip address 52SOHO(config-if)#ip nat outsideSOHO(config-if)#crypto map MAPSOHO(config)#ip route Serial0/0SOHO(config)#ip nat inside soutce list 101 interface Serial0/0/0 overloadSOHO(config)#ip access-list extended VPNSOHO(config-ext-nacl)#deny ip 55 host 00SOHO(config-ext-nacl)#deny ip 55 host 01SOHO(config-ext-nacl)#permit ip 55 557 置路由器InternetInternet(config)#ip cefInternet(config)#key chain EIGRPInternet(config-keychain)#key 1Internet(config-keychain-key)#key-string cisco 123Internet(config-keychain-key)#accept-lifetime 08:00:00 Nov 11 2011 08:00:00 Jun 11 2012Internet(config-keychain-key)#send-lifetime 08:00:00 Nov 11 2011 08:00:00 Jun 11 2012Internet(confi