Shulou (Shulou.com) 06/01 Report, updated 2025-01-20. From: SLTechnology News&Howtos > Network Security
A case study of an advanced integrated network architecture in practice
Description of the experimental topology:
1. SW1-3 and SW2-3 are the internal layer 3 switches; they handle data exchange inside the network and forwarding between the internal and external network segments. SW3, SW4 and SW5 are internal access layer switches that provide internal network access. R3 is the router that connects the internal network to the outside and joins the areas. Together these form the internal network structure (area 0).
2. R4 is the router of internal area 1; it connects the network within area 1, and R3 connects area 1 to the outside and to internal area 0.
3. R1 is the router of remote internal network area 2. It connects that internal network to the external network and, together with R3 and area 0, is configured as a site-to-site endpoint.
4. R2 is a router on the Internet; it connects to all of the internal networks.
5. Equipment: access layer, 3 switches "Catalyst 2950-48"; aggregation layer, 2 layer 3 switches "Cisco 3550-48"; routers, 4 Cisco 2600XM.
Lab-related IP configuration:
1. Sw1-3 layer 3 switch: Vlan2: 192.168.1.1/24, Vlan3: 192.168.4.1/24, Vlan4: 192.168.5.1/24, Vlan5: 192.168.6.1/24
2. Sw2-3 layer 3 switch: Vlan2: 192.168.1.2/24, Vlan3: 192.168.4.2/24, Vlan4: 192.168.5.2/24, Vlan5: 192.168.6.2/24
3. HSRP virtual addresses: Vlan2: 192.168.1.254, Vlan3: 192.168.4.254, Vlan4: 192.168.5.254, Vlan5: 192.168.6.254
4. Virtual tunnel addresses at both ends of the VPN: R3: 1.1.1.1/24, R1: 1.1.1.2/24
5. NAT uses port address translation (overload) on "S0/1".
Brief introduction to the protocols related to the experiment:
1. VTP protocol: VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol supported by most switches. VTP synchronizes VLAN information within a VTP domain, so the same VLAN information does not have to be configured on every switch.
2. STP protocol: STP is the abbreviation of Spanning Tree Protocol. It can be applied to a network with loops to achieve path redundancy through a defined algorithm, while at the same time pruning the looped network into a loop-free tree, so that packets do not proliferate and circulate endlessly in the loop.
3. OSPF protocol: OSPF (Open Shortest Path First) is an interior gateway protocol (IGP) used to make routing decisions within a single autonomous system (AS). In contrast to RIP, which is a distance vector routing protocol, OSPF is a link-state routing protocol. (The counterpart is the exterior gateway protocol, EGP.)
4. HSRP protocol: HSRP (Hot Standby Router Protocol) is designed to support failover of IP traffic without disruption in certain circumstances, allow hosts to use a single router, and maintain connectivity even when the actual first-hop router fails. In other words, when the source host cannot dynamically learn the IP address of its first-hop router, HSRP protects against the failure of that first-hop router. The protocol groups several routers into one virtual router. HSRP allows only one router to forward packets on behalf of the virtual router; end hosts send their packets to the virtual router. The router that forwards the packets is called the active router. If the active router fails, HSRP activates the standby router in its place. HSRP provides the mechanism for deciding which router is active and which is standby, and specifies a virtual IP address that serves as the default gateway address for the network. If the active router fails, the standby router takes over all of its tasks without interrupting host connectivity. HSRP runs over UDP on port 1985. A router sends protocol packets from its actual IP address, not the virtual address, which is how HSRP routers recognize each other.
5. NAT protocol: the full name of NAT is "Network Address Translation". It is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet with one public IP (Internet Protocol) address. As the name implies, it is a technique that translates internal private network IP addresses into legal public IP addresses.
6. VPN: the full name of VPN is "Virtual Private Network". As the name implies, a virtual private network can be understood as a virtual private line within an enterprise. A VPN is defined as a temporary, secure connection established through a public network (usually the Internet): a secure and stable tunnel through a chaotic public network.
Experimental objectives:
1. Configure VTP across the network topology, and use the STP spanning tree protocol to give the internal network efficient and stable performance with link redundancy.
2. Enable the OSPF link-state routing protocol in the different areas so that the networks can communicate with each other.
3. Configure the HSRP hot standby routing protocol so that users keep working when an edge device fails.
4. Configure NAT port address translation (overload) on R3 so that the internal network can access the external network.
5. Configure a site-to-site VPN on R1 and R3 so that the internal networks of the two sites can communicate securely.
6. Through the above configuration, form an efficient, stable, secure and redundant network structure.
Detailed explanation of the experimental steps:
Relevant settings before configuration (skip these if the device is new):
# clear line 1-8   clears the designated lines (lines 1 to 8)
# erase startup-config   clears the saved configuration
# reload   restarts the device
# show flash:   view the previous VLAN configuration database
# delete flash:vlan.dat   deletes the previous VLAN configuration database
1. Configure VTP:
Sw1-3 (vlan) # vtp domain test
Changing VTP domain name from NULL to test
Sw1-3 (vlan) # vtp server
Device mode already VTP SERVER.
Sw1-3 (vlan) # vtp password 111111
Setting device VLAN database password to 111111.
Sw1-3 (vlan) # vtp v2-mode
V2 mode enabled.
Sw1-3 (vlan) # vtp pruning
Pruning switched ON
Sw2-3 (vlan) # vtp domain test
Changing VTP domain name from NULL to test
Sw2-3 (vlan) # vtp server
Device mode already VTP SERVER.
Sw2-3 (vlan) # vtp password 111111
Setting device VLAN database password to 111111.
Sw2-3 (vlan) # vtp v2-mode
V2 mode enabled.
Sw2-3 (vlan) # vtp pruning
Pruning switched ON
Sw3 (vlan) # vtp domain test
Changing VTP domain name from NULL to test
Sw3 (vlan) # vtp client
Setting device to VTP CLIENT mode.
Sw3 (vlan) # vtp password 111111
Setting device VLAN database password to 111111.
Sw4 (vlan) # vtp domain test
Changing VTP domain name from NULL to test
Sw4 (vlan) # vtp client
Setting device to VTP CLIENT mode.
Sw4 (vlan) # vtp password 111111
Setting device VLAN database password to 111111.
Sw4 (vlan) # exit
Sw5 (vlan) # vtp domain test
Changing VTP domain name from NULL to test
Sw5 (vlan) # vtp client
Setting device to VTP CLIENT mode.
Sw5 (vlan) # vtp password 111111
Setting device VLAN database password to 111111.
Sw1-3#show vtp status
VTP Version: 2
Configuration Revision: 5
Maximum VLANs supported locally: 256
Number of existing VLANs: 9
VTP Operating Mode: Server
VTP Domain Name: test
VTP Pruning Mode: Enabled
VTP V2 Mode: Enabled
VTP Traps Generation: Disabled
MD5 digest: 0x2B 0xF6 0xD8 0xE3 0x28 0x13 0x8F 0xC4
Configuration last modified by 0.0.0.0 at 3-1-02 00:15:38
Local updater ID is 192.168.1.1 on interface Vl2 (lowest numbered VLAN interface found)
2. TRUNK configuration:
Sw1-3 (config) # in range f0/14-15
Sw1-3 (config-if-range) # switchport mode trunk
Sw1-3 (config-if-range) # no sh
Sw1-3 (config) # in range f0/1-3
Sw1-3 (config-if-range) # switchport mode trunk
Sw1-3 (config-if-range) # no sh
Sw2-3 (config) # in range f0/14-15
Sw2-3 (config-if-range) # switchport mode trunk
Sw2-3 (config-if-range) # no sh
Sw2-3 (config) # in range f0/1-3
Sw2-3 (config-if-range) # switchport mode trunk
Sw2-3 (config-if-range) # no sh
Sw3 (config) # in range f0/1-2
Sw3 (config-if-range) # switchport mode trunk
Sw3 (config-if-range) # no sh
Sw4 (config) # in range f0/1-2
Sw4 (config-if-range) # switchport mode trunk
Sw4 (config-if-range) # no sh
Sw5 (config) # in range f0/1-2
Sw5 (config-if-range) # switchport mode trunk
Sw5 (config-if-range) # no sh
Sw1-3#show interfaces trunk   test
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/14 on 802.1q trunking 1
Fa0/15 on 802.1q trunking 1
3.VLAN configuration:
Sw1-3#vlan da
Sw1-3 (vlan) # vlan 2 name v2
VLAN 2 added:
Name: v2
Sw1-3 (vlan) # apply
APPLY completed.
Sw1-3 (vlan) # vlan 3 name v3
VLAN 3 added:
Name: v3
Sw1-3 (vlan) # apply
APPLY completed.
Sw1-3 (vlan) # vlan 4 name v4
VLAN 4 added:
Name: v4
Sw1-3 (vlan) # apply
APPLY completed.
Sw1-3 (vlan) # vlan 5 name v5
VLAN 5 added:
Name: v5
Sw1-3 (vlan) # apply
APPLY completed.
Sw1-3#show vlan-switch
VLAN Name Status Ports
1 default active Fa0/0, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
Sw2-3#show vlan-switch
VLAN Name Status Ports
1 default active Fa0/0, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
Sw3#show vlan-switch   tests whether the client has learned the VLANs
VLAN Name Status Ports
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
Sw4#show vlan-switch
VLAN Name Status Ports
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
Sw5#show vlan-switch
VLAN Name Status Ports
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
2 v2 active
3 v3 active
4 v4 active
5 v5 active
1002 fddi-default active
1003 trcrf-default active
1004 fddinet-default active
1005 trbrf-default active
4. Create the EtherChannel:
Sw1-3 (config) # in range f0/14-15
Sw1-3 (config-if-range) # channel-group 1 mode on
Sw1-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Port-channel1 unassigned YES unset up up
Sw2-3 (config) # in range f0/14-15
Sw2-3 (config-if-range) # channel-group 1 mode on
Sw2-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Port-channel1 unassigned YES unset up up
5. Configure the STP spanning tree protocol:
Configure SWITCH1 (Sw1-3) as the root bridge for VLAN3 and VLAN5, and the secondary root bridge for VLAN2 and VLAN4.
Configure SWITCH2 (Sw2-3) as the root bridge for VLAN2 and VLAN4, and the secondary root bridge for VLAN3 and VLAN5.
Sw1-3 (config) # spanning-tree vlan 3 root primary
Sw1-3 (config) # spanning-tree vlan 5 root primary
Sw1-3 (config) # spanning-tree vlan 2 root secondary
Sw1-3 (config) # spanning-tree vlan 4 root secondary
Sw2-3 (config) # spanning-tree vlan 2 root primary
Sw2-3 (config) # spanning-tree vlan 4 root primary
Sw2-3 (config) # spanning-tree vlan 5 root secondary
Sw2-3 (config) # spanning-tree vlan 3 root secondary
6. Verify the STP configuration
Sw3#show spanning-tree br
VLAN2
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
FastEthernet0/1 128.2 128 19 BLK 12 16384 cc00.0cd8.0001 128.2
FastEthernet0/2 128.3 128 19 FWD 0 8192 cc00.07c8.0001 128.2
VLAN3
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
FastEthernet0/1 128.2 128 19 FWD 0 8192 cc00.0cd8.0002 128.2
FastEthernet0/2 128.3 128 19 BLK 12 16384 cc00.07c8.0002 128.2
VLAN4
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
FastEthernet0/1 128.2 128 19 BLK 12 16384 cc00.0cd8.0003 128.2
FastEthernet0/2 128.3 128 19 FWD 0 8192 cc00.07c8.0003 128.2
VLAN5
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
FastEthernet0/1 128.2 128 19 FWD 0 8192 cc00.0cd8.0004 128.2
FastEthernet0/2 128.3 128 19 BLK 12 16384 cc00.07c8.0004 128.2
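To make the per-VLAN root election and Sw3's port states in the output above reproducible, here is an added Python model; it is not part of the original lab and is written for this edit. It assumes the priorities the commands produced in the lab output (8192 for root primary, 16384 for root secondary), the 802.1D port costs 19 for a Fast Ethernet port and 12 for the two-link Port-channel between Sw1-3 and Sw2-3 (the "Cost 12" in the output), and a constructed MAC address for Sw3.

```python
"""Per-VLAN STP root election and Sw3 uplink states, modelled on the lab's
`show spanning-tree brief` output. Added example, not from the original page."""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 8192      # priority that `root primary` produced in the lab output
ROOT_SECONDARY = 16384   # priority that `root secondary` produced
COST_FA = 19             # 802.1D cost of a 100 Mb/s port
COST_PO_2X100 = 12       # cost of the 2 x 100 Mb/s Port-channel ("Cost 12" in the output)


@dataclass
class Bridge:
    name: str
    mac: str                                        # base MAC (IOS derives per-VLAN variants)
    priority: dict = field(default_factory=dict)    # vlan -> configured priority

    def bridge_id(self, vlan):
        """Bridge ID compares as (priority, MAC); the lowest wins."""
        return (self.priority.get(vlan, DEFAULT_PRIORITY), self.mac)


# MAC prefixes taken from the lab output; Sw3's MAC is constructed for the example.
SW1 = Bridge("Sw1-3", "cc00.0cd8.0000",
             {3: ROOT_PRIMARY, 5: ROOT_PRIMARY, 2: ROOT_SECONDARY, 4: ROOT_SECONDARY})
SW2 = Bridge("Sw2-3", "cc00.07c8.0000",
             {2: ROOT_PRIMARY, 4: ROOT_PRIMARY, 3: ROOT_SECONDARY, 5: ROOT_SECONDARY})
SW3 = Bridge("Sw3", "cc00.1234.0000")
BRIDGES = [SW1, SW2, SW3]
SW3_UPLINKS = {"Fa0/1": SW1, "Fa0/2": SW2}   # topology from the trunk configuration


def elect_root(bridges, vlan):
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def distribution_root_path_cost(bridge, root):
    """Root path cost of Sw1-3 or Sw2-3: 0 if it is the root, else one Port-channel hop."""
    return 0 if bridge is root else COST_PO_2X100


def sw3_port_states(vlan):
    """Return {port: 'FWD' | 'BLK'} for Sw3's two uplinks in the given VLAN."""
    root = elect_root(BRIDGES, vlan)
    # Cost to the root through each uplink = neighbour's root path cost + local port cost.
    cost_via = {p: distribution_root_path_cost(n, root) + COST_FA
                for p, n in SW3_UPLINKS.items()}
    # Root port: lowest cost to the root, then lowest designated bridge ID.
    root_port = min(cost_via, key=lambda p: (cost_via[p], SW3_UPLINKS[p].bridge_id(vlan)))
    states = {}
    for port, nbr in SW3_UPLINKS.items():
        if port == root_port:
            states[port] = "FWD"
        elif distribution_root_path_cost(nbr, root) < cost_via[root_port]:
            # The neighbour reaches the root more cheaply than Sw3, so it is the
            # designated bridge on this segment and Sw3's port is blocked.
            states[port] = "BLK"
        else:
            states[port] = "FWD"
    return states


if __name__ == "__main__":
    for vlan in (2, 3, 4, 5):
        print(f"VLAN{vlan}: root={elect_root(BRIDGES, vlan).name} {sw3_port_states(vlan)}")
```

Running it gives the same alternation as the output above: Sw3 forwards toward Sw2-3 and blocks Fa0/1 in VLANs 2 and 4, and the reverse in VLANs 3 and 5, which is what spreads traffic over both uplinks.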
7. Configure the routed interfaces:
Sw1-3 (config) # in f0/0
Sw1-3 (config-if) # no switchport   turns off the layer 2 switching function on the port
Sw1-3 (config-if) # ip add 192.168.10.2 255.255.255.252
Sw1-3 (config-if) # no sh
Sw2-3 (config) # in f0/0
Sw2-3 (config-if) # no switchport
Sw2-3 (config-if) # ip add 192.168.10.6 255.255.255.252
Sw2-3 (config-if) # no sh
8. Routing-related IP configuration:
R3#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 192.168.10.9 YES manual up up
Serial0/1 202.0.0.1 YES manual up up
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
FastEthernet1/0 192.168.10.1 YES manual up up
FastEthernet2/0 192.168.10.5 YES manual up up
R4#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 192.168.10.10 YES manual up up
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Loopback0 6.6.6.6 YES manual up up
R2#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 201.0.0.1 YES manual up up
Serial0/1 202.0.0.2 YES manual up up
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
R1#show ip in br
Interface IP-Address OK? Method Status Protocol
Serial0/0 201.0.0.1 YES manual up up
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Loopback0 7.7.7.7 YES manual up up
Sw1-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Vlan2 192.168.1.1 YES manual up up
Vlan3 192.168.4.1 YES manual up up
Vlan4 192.168.5.1 YES manual up up
Vlan5 192.168.6.1 YES manual up up
Sw2-3#show ip in br
Interface IP-Address OK? Method Status Protocol
Vlan2 192.168.1.2 YES manual up up
Vlan3 192.168.4.2 YES manual up up
Vlan4 192.168.5.2 YES manual up up
Vlan5 192.168.6.2 YES manual up up
9. OSPF configuration
Sw1-3 (config) # ip routing   enables the routing function
Sw1-3 (config) # router ospf 100
Sw1-3 (config-router) # network 192.168.10.2 0.0.0.0 area 0
Sw1-3 (config-router) # network 192.168.1.1 0.0.0.0 area 0
Sw1-3 (config-router) # network 192.168.4.1 0.0.0.0 area 0
Sw1-3 (config-router) # network 192.168.5.1 0.0.0.0 area 0
Sw1-3 (config-router) # network 192.168.6.1 0.0.0.0 area 0
Sw2-3 (config) # router ospf 100
Sw2-3 (config-router) # network 192.168.10.6 0.0.0.0 area 0
Sw2-3 (config-router) # network 192.168.1.2 0.0.0.0 area 0
Sw2-3 (config-router) # network 192.168.4.2 0.0.0.0 area 0
Sw2-3 (config-router) # network 192.168.5.2 0.0.0.0 area 0
Sw2-3 (config-router) # network 192.168.6.2 0.0.0.0 area 0
Sw1-3#show ip route   test
O 192.168.10.4/30 [110/2] via 192.168.6.2, 00:39:43, Vlan5
[110/2] via 192.168.5.2, 00:39:43, Vlan4
[110/2] via 192.168.4.2, 00:39:43, Vlan3
[110/2] via 192.168.1.2, 00:39:43, Vlan2
Sw2-3#show ip route
O 192.168.10.0 [110/2] via 192.168.6.1, 00:00:35, Vlan5
[110/2] via 192.168.5.1, 00:00:35, Vlan4
[110/2] via 192.168.4.1, 00:00:35, Vlan3
[110/2] via 192.168.1.1, 00:00:35, Vlan2
R3 (config) # router ospf 100
R3 (config-router) # network 192.168.10.1 0.0.0.0 area 0
R3 (config-router) # network 192.168.10.5 0.0.0.0 area 0
R3 (config-router) # network 192.168.10.9 0.0.0.0 area 1
R3 (config) # ip route 0.0.0.0 0.0.0.0 202.0.0.2   configures a static default route for reaching the external network
R3 (config) # router ospf 100
R3 (config-router) # default-information originate   advertises the default route into OSPF toward the internal routers connected to R3 (the internal network is a stub that reaches the outside only through R3)
R4 (config) # router ospf 100
R4 (config-router) # network 192.168.10.10 0.0.0.0 area 1
R4 (config-router) # network 6.6.6.6 0.0.0.0 area 1
Test (results of the default-information originate command)
R4#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:00:18, Serial0/0   default route toward the outside
Sw1-3#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:00:28, FastEthernet0/0   default route toward the outside
Sw2-3#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.10.5, 00:03:01, FastEthernet0/0   default route toward the outside
R1 (config) # router ospf 100
R1 (config-router) # network 7.7.7.7 0.0.0.0 area 2
R1 (config) # ip route 0.0.0.0 0.0.0.0 201.0.0.2
R3#show ip route test
6.0.0.0/32 is subnetted, 1 subnets
O 6.6.6.6 [110/65] via 192.168.10.10, 11:19:33, Serial0/0
O 192.168.4.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.5.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.6.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
O 192.168.1.0/24 [110/2] via 192.168.10.6, 00:44:24, FastEthernet2/0
[110/2] via 192.168.10.2, 00:44:24, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 202.0.0.2
R4#show ip route
192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
O IA 192.168.10.0/30 [110/65] via 192.168.10.9, 00:48:10, Serial0/0
O IA 192.168.10.4/30 [110/65] via 192.168.10.9, 13:45:10, Serial0/0
O 192.168.10.8/30 [110/128] via 192.168.10.9, 13:45:10, Serial0/0
7.0.0.0/32 is subnetted, 1 subnets
O IA 7.7.7.7 [110/11176] via 192.168.10.9, 11:22:27, Serial0/0
O IA 192.168.4.0/24 [110/66] via 192.168.10.9, 01:31:50, Serial0/0
O IA 192.168.5.0/24 [110/66] via 192.168.10.9, 01:31:40, Serial0/0
O IA 192.168.6.0/24 [110/66] via 192.168.10.9, 01:31:17, Serial0/0
O IA 192.168.1.0/24 [110/66] via 192.168.10.9, 01:32:05, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.10.9, 00:00:18, Serial0/0
R2#show ip route
C 201.0.0.0/24 is directly connected, Serial0/0
C 202.0.0.0/24 is directly connected, Serial0/1
R1#show ip route
C 201.0.0.0/24 is directly connected, Serial0/0
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback0
S* 0.0.0.0/0 [1/0] via 201.0.0.2
Sw1-3 (config) # ip route 0.0.0.0 0.0.0.0 192.168.10.1 150   floating static default route with administrative distance 150: one more default route entry that is used only if the OSPF default route fails, so it is not visible in the routing table while the OSPF route is present
Sw2-3 (config) # ip route 0.0.0.0 0.0.0.0 192.168.10.5 150   floating static backup default route
R4 (config) # ip route 0.0.0.0 0.0.0.0 192.168.10.9 150   floating static backup default route
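Why the floating static route stays hidden while OSPF is healthy comes down to route selection: per prefix, the router installs the source with the lowest administrative distance, and only then does longest-prefix matching decide which installed route a packet uses. The following Python model is an added example (not part of the lab) that replays this on Sw1-3's routes; it assumes the IOS default distances (connected 0, static 1, OSPF 110) and the trailing 150 from the lab's `ip route ... 150` command.

```python
"""Route selection by administrative distance, then longest prefix, as on Sw1-3.
Added example, not from the original page."""
import ipaddress
from dataclasses import dataclass

ADMIN_DISTANCE = {"C": 0, "S": 1, "O": 110, "O IA": 110, "O*E2": 110}   # IOS defaults


@dataclass
class Route:
    code: str
    prefix: str
    next_hop: str
    distance: int = None   # explicit AD, e.g. the trailing 150 on `ip route ... 150`

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix)
        if self.distance is None:
            self.distance = ADMIN_DISTANCE[self.code]


class Rib:
    """Holds every route offered by any source; installs the lowest AD per prefix."""

    def __init__(self):
        self.candidates = []

    def add(self, route):
        self.candidates.append(route)

    def withdraw(self, code, prefix):
        self.candidates = [r for r in self.candidates
                           if not (r.code == code and r.prefix == prefix)]

    def table(self):
        """The installed routing table: one route per prefix, lowest AD wins."""
        best = {}
        for r in self.candidates:
            cur = best.get(r.net)
            if cur is None or r.distance < cur.distance:
                best[r.net] = r
        return best

    def lookup(self, dst):
        """Longest-prefix match over the installed table."""
        ip = ipaddress.ip_address(dst)
        matches = [r for net, r in self.table().items() if ip in net]
        return max(matches, key=lambda r: r.net.prefixlen, default=None)


def sw1_rib(ospf_default_present=True):
    """Sw1-3's routes from the lab: the OSPF default from R3 plus the floating static."""
    rib = Rib()
    rib.add(Route("C", "192.168.10.0/30", "FastEthernet0/0"))
    rib.add(Route("O", "192.168.10.4/30", "192.168.6.2"))
    if ospf_default_present:
        rib.add(Route("O*E2", "0.0.0.0/0", "192.168.10.1"))
    rib.add(Route("S", "0.0.0.0/0", "192.168.10.1", distance=150))   # ip route ... 150
    return rib


def installed_default(ospf_default_present=True):
    """(code, distance) of the default route that actually carries Internet-bound traffic."""
    route = sw1_rib(ospf_default_present).lookup("201.0.0.1")
    return route.code, route.distance


if __name__ == "__main__":
    print("with OSPF default:   ", installed_default(True))    # ('O*E2', 110)
    print("OSPF default withdrawn:", installed_default(False))  # ('S', 150)
```

With the OSPF default present the static entry is a candidate but never installed; withdraw the OSPF route (as happens when R3's `default-information originate` stops) and the AD 150 entry takes its place without any reconfiguration.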
10. HSRP hot standby routing protocol configuration:
Sw1-3 (config) # in vlan 2
Sw1-3 (config-if) # no ip redirects   turns off ICMP redirects on the interface
Sw1-3 (config-if) # standby 50 ip 192.168.1.254   configures the HSRP group and its virtual IP
Sw1-3 (config-if) # standby 50 priority 150   priority 150
Sw1-3 (config-if) # standby 50 preempt   enables preemption
Sw1-3 (config) # in vlan 3
Sw1-3 (config-if) # standby 47 ip 192.168.4.254   configures the HSRP group and its virtual IP
Sw1-3 (config-if) # standby 47 priority 200   priority 200
Sw1-3 (config-if) # no ip redirects   turns off ICMP redirects on the interface
Sw1-3 (config-if) # standby 47 preempt   enables preemption
Sw1-3 (config-if) # standby 47 track f0/0 100   tracks the uplink port; the priority drops by 100 if it goes down
Sw1-3 (config) # in vlan 4
Sw1-3 (config-if) # standby 51 ip 192.168.5.254
Sw1-3 (config-if) # standby 51 priority 150
Sw1-3 (config-if) # standby 51 preempt
Sw1-3 (config-if) # no ip redirects
Sw1-3 (config) # in vlan 5
Sw1-3 (config-if) # no ip redirects
Sw1-3 (config-if) # standby 48 ip 192.168.6.254
Sw1-3 (config-if) # standby 48 priority 200
Sw1-3 (config-if) # standby 48 preempt
Sw1-3 (config-if) # standby 48 track f0/0 100
Sw2-3 (config) # in vlan 3
Sw2-3 (config-if) # standby 47 ip 192.168.4.254
Sw2-3 (config-if) # no ip redirects
Sw2-3 (config-if) # standby 47 priority 150
Sw2-3 (config-if) # standby 47 preempt
Sw2-3 (config) # in vlan 2
Sw2-3 (config-if) # no ip redirects
Sw2-3 (config-if) # standby 50 ip 192.168.1.254
Sw2-3 (config-if) # standby 50 priority 200
Sw2-3 (config-if) # standby 50 preempt
Sw2-3 (config-if) # standby 50 track f0/0 100
Sw2-3 (config) # in vlan 4
Sw2-3 (config-if) # no ip redirects
Sw2-3 (config-if) # standby 51 ip 192.168.5.254
Sw2-3 (config-if) # standby 51 priority 200
Sw2-3 (config-if) # standby 51 preempt
Sw2-3 (config-if) # standby 51 track f0/0 100
Sw2-3 (config) # in vlan 5
Sw2-3 (config-if) # no ip redirects
Sw2-3 (config-if) # standby 48 ip 192.168.6.254
Sw2-3 (config-if) # standby 48 priority 150
Sw2-3 (config-if) # standby 48 preempt
Sw1-3#debug standby   view the results (method 1)
Sw1-3#show standby br   view the results (method 2)
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 200 P Active local 192.168.4.2 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 200 P Active local 192.168.6.2 192.168.6.254
Sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Standby 192.168.4.1 local 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Standby 192.168.6.1 local 192.168.6.254
Sw1-3 (config) # in f0/0
Sw1-3 (config-if) # shut   shuts down the tracked interface to test the active/standby switchover
Sw1-3 (config) # do show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 100 P Standby 192.168.4.2 local 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 100 P Standby 192.168.6.2 local 192.168.6.254
Sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Active local 192.168.4.1 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Active local 192.168.6.1 192.168.6.254
Sw1-3 (config) # in f0/0
Sw1-3 (config-if) # no sh   brings the tracked port back up
Sw1-3#show standby br   view the results
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 150 P Standby 192.168.1.2 local 192.168.1.254
Vl3 47 200 P Active local 192.168.4.2 192.168.4.254
Vl4 51 150 P Standby 192.168.5.2 local 192.168.5.254
Vl5 48 200 P Active local 192.168.6.2 192.168.6.254
Sw2-3#show standby br
Interface Grp Prio P State Active Standby Virtual IP
Vl2 50 200 P Active local 192.168.1.1 192.168.1.254
Vl3 47 150 P Standby 192.168.4.1 local 192.168.4.254
Vl4 51 200 P Active local 192.168.5.1 192.168.5.254
Vl5 48 150 P Standby 192.168.6.1 local 192.168.6.254
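The three `show standby brief` snapshots above follow directly from HSRP's election rule: the highest effective priority (configured priority minus the decrement of every tracked interface that is down) becomes active, ties go to the higher IP address, and a better candidate only displaces a running active router if it has preempt enabled. The Python model below is an added example, not part of the lab, that encodes the four groups exactly as configured above and replays the f0/0 shutdown; the only assumption is the interface naming "Sw1-3:f0/0" used to identify the tracked port.

```python
"""HSRP active/standby election with priority, preempt and interface tracking,
reproducing the `show standby brief` results above. Added example, not from the page."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Member:
    router: str
    ip: str
    priority: int = 100          # HSRP default priority
    preempt: bool = False        # HSRP default: no preemption
    tracks: dict = field(default_factory=dict)   # "router:interface" -> decrement

    def effective_priority(self, down):
        """Priority after subtracting the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for iface, dec in self.tracks.items() if iface in down)


def elect(members, down=frozenset(), current_active=None):
    """Return (active, standby) router names for one HSRP group.
    Highest effective priority wins; ties go to the higher IP address. A router that is
    already active is only displaced by a better candidate that has preempt enabled."""
    ranked = sorted(members,
                    key=lambda m: (m.effective_priority(down), ipaddress.ip_address(m.ip)),
                    reverse=True)
    winner = ranked[0]
    if current_active and winner.router != current_active and not winner.preempt:
        winner = next(m for m in members if m.router == current_active)
    standby = next(m for m in ranked if m is not winner)
    return winner.router, standby.router


# Groups as configured in the lab (VLAN -> members); f0/0 is tracked with decrement 100.
LAB_GROUPS = {
    2: [Member("Sw1-3", "192.168.1.1", 150, True),
        Member("Sw2-3", "192.168.1.2", 200, True, {"Sw2-3:f0/0": 100})],
    3: [Member("Sw1-3", "192.168.4.1", 200, True, {"Sw1-3:f0/0": 100}),
        Member("Sw2-3", "192.168.4.2", 150, True)],
    4: [Member("Sw1-3", "192.168.5.1", 150, True),
        Member("Sw2-3", "192.168.5.2", 200, True, {"Sw2-3:f0/0": 100})],
    5: [Member("Sw1-3", "192.168.6.1", 200, True, {"Sw1-3:f0/0": 100}),
        Member("Sw2-3", "192.168.6.2", 150, True)],
}


def lab_active_routers(down=frozenset()):
    """Active router per VLAN given the set of interfaces that are currently down."""
    return {vlan: elect(members, down)[0] for vlan, members in LAB_GROUPS.items()}


if __name__ == "__main__":
    print("normal:          ", lab_active_routers())
    print("Sw1-3 f0/0 down: ", lab_active_routers({"Sw1-3:f0/0"}))
    print("Sw2-3 f0/0 down: ", lab_active_routers({"Sw2-3:f0/0"}))
```

With f0/0 on Sw1-3 shut, its VLAN3 and VLAN5 priority falls from 200 to 100, below Sw2-3's 150, and because Sw2-3 has preempt it takes over all four VLANs, which is the middle snapshot; bringing the port back restores the split. Without preempt on Sw2-3 the takeover would not happen, which the `elect()` function models through `current_active`.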
The test succeeded.
12. NAT configuration (port address translation, overload)
Method 1:
R3 (config) # access-list 1 permit 192.168.0.0 0.0.255.255   defines the interesting traffic
R3 (config) # route-map fornat permit 10   builds a route-map policy with sequence number 10
R3 (config-route-map) # match ip add 1   matches the traffic from access list 1
R3 (config) # ip nat inside source route-map fornat interface s0/1 overload   NAT with port multiplexing (PAT)
Method 2:
R3 (config) # access-list 1 permit 192.168.0.0 0.0.255.255
R3 (config) # ip nat inside source list 1 interface s0/1 overload
R3 (config) # in s0/1
R3 (config-if) # ip nat outside
R3 (config) # in s0/0
R3 (config-if) # ip nat inside
R3 (config) # in f1/0
R3 (config-if) # ip nat inside
R3 (config) # in f2/0
R3 (config-if) # ip nat inside
Sw2-3#ping 201.0.0.1 source 192.168.1.2   tests the NAT configuration
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/.../1932 ms
R3#show ip nat translations   view the NAT translation table
Pro Inside global Inside local Outside local Outside global
Icmp 202.0.0.1:4 192.168.1.2:4 201.0.0.1:4 201.0.0.1:4
Sw1-3#ping 201.0.0.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/.../200 ms
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
Icmp 202.0.0.1:19 192.168.1.1:19 201.0.0.1:19 201.0.0.1:19
R4#ping 201.0.0.1 source 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.10
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/208/284 ms
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
Icmp 202.0.0.1:17 192.168.10.10:17 201.0.0.1:17 201.0.0.1:17
13. VPN site-to-site configuration:
R3 (config) # crypto isakmp enable   enables IKE negotiation
R3 (config) # crypto isakmp policy 10   creates IKE negotiation policy number 10
R3 (config-isakmp) # hash md5   sets the hash algorithm to MD5
R3 (config-isakmp) # authentication pre-share   configures the router to use a pre-shared key
R3 (config-isakmp) # encryption des   sets the encryption algorithm to DES
R3 (config) # crypto isakmp key 0 qqq111 address 201.0.0.1   configures the pre-shared key and the peer IP address at the other end of the secure connection
R3 (config) # crypto ipsec transform-set for*** esp-des esp-md5-hmac   configures the IPsec transform set named "for***": ESP with DES encryption and MD5-HMAC authentication (AH can only authenticate, not encrypt, while ESP can both encrypt and authenticate)
R3 (cfg-crypto-trans) # exit
R3 (config) # crypto ipsec profile site2site   creates the IPsec profile "site2site" that the tunnel will use for negotiation
R3 (ipsec-profile) # set transform-set for***   applies the transform set configured above
R3 (ipsec-profile) # exit
R3 (config) # in tunnel 0   enters virtual tunnel interface 0
R3 (config-if) # ip add 1.1.1.1 255.255.255.0   configures the tunnel IP address
R3 (config-if) # tunnel source s0/1   source interface of the virtual tunnel
R3 (config-if) # tunnel destination 201.0.0.1   destination address of the virtual tunnel
R3 (config-if) # tunnel protection ipsec profile site2site   protects this tunnel with the "site2site" profile
R3 (config-if) # no sh
R3 (config) # router ospf 100   advertises the tunnel address
R3 (config-router) # network 1.1.1.1 0.0.0.0 area 2
R3#show ip in br
Tunnel0 1.1.1.1 YES manual up up
R1 (config) # crypto isakmp enable
R1 (config) # crypto isakmp policy 10
R1 (config-isakmp) # hash md5
R1 (config-isakmp) # authentication pre-share
R1 (config-isakmp) # encryption des
R1 (config) # crypto isakmp key 0 qqq111 address 202.0.0.1
R1 (config) # crypto ipsec transform-set for*** esp-des esp-md5-hmac
R1 (cfg-crypto-trans) # exit
R1 (config) # crypto ipsec profile site2site
R1 (ipsec-profile) # set transform-set for***
R1 (ipsec-profile) # exit
R1 (config) # in tunnel 0
R1 (config-if) # ip add 1.1.1.2 255.255.255.0
R1 (config-if) # tunnel source s0/0
R1 (config-if) # tunnel destination 202.0.0.1
R1 (config-if) # tunnel protection ipsec profile site2site
R1 (config-if) # no sh
R1 (config) # router ospf 100
R1 (config-router) # network 1.1.1.2 0.0.0.0 area 2
R1 (config-router) # exit
R1#show ip route   tests the learned routes
O IA 192.168.10.0/30 [110/11112] via 1.1.1.1, 00:00:11, Tunnel0   routing entries learned through the virtual tunnel
O IA 192.168.10.0/24 [110/11239] via 1.1.1.1, 00:00:11, Tunnel0
O IA 192.168.10.4/30 [110/11112] via 1.1.1.1, 00:00:11, Tunnel0
O IA 192.168.10.8/30 [110/11175] via 1.1.1.1, 00:00:11, Tunnel0
6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/11176] via 1.1.1.1, 00:00:11, Tunnel0
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback0
O IA 192.168.4.0/24 [110/11113] via 1.1.1.1, 01:43:30, Tunnel0
O IA 192.168.5.0/24 [110/11113] via 1.1.1.1, 01:43:21, Tunnel0
O IA 192.168.6.0/24 [110/11113] via 1.1.1.1, 01:42:58, Tunnel0
O IA 192.168.1.0/24 [110/11113] via 1.1.1.1, 01:43:46, Tunnel0
S* 0.0.0.0/0 [1/0] via 201.0.0.2
R1#show crypto engine connections active   displays the active encryption sessions
ID Interface IP-Address State Algorithm Encrypt Decryp
1 Tunnel0 1.1.1.2 set HMAC_MD5+DES_56_CB 0 0
2001 Tunnel0 201.0.0.1 set DES+MD5 0 46
2002 Tunnel0 201.0.0.1 set DES+MD5 42 0
The above indicates that the configuration is successful.
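The IKE phase 1 exchange behind those `show crypto engine connections` rows only succeeds because both routers' ISAKMP policy 10 agrees attribute for attribute and each holds the same pre-shared key for the other's address. The Python below is an added example written for this edit, not the lab's own output, that models that matching for R3 and R1; it assumes classic IOS defaults for the attributes the lab leaves unset (DH group 1, lifetime 86400) and models the key check as a plain comparison, whereas real IKE never transmits the key and each side proves knowledge of it through the HASH payload.

```python
"""IKE phase 1 (ISAKMP) policy matching and pre-shared key lookup for the R3/R1 peers.
Added example, not from the original page; IOS defaults are assumed for unset attributes."""
from dataclasses import dataclass, field

# Classic IOS ISAKMP policy defaults for attributes the lab does not set (assumption).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": 1, "lifetime": 86400}
NEGOTIATED_ATTRS = ("encryption", "hash", "authentication", "group")


def isakmp_policy(number, **configured):
    """`crypto isakmp policy <number>` plus the sub-commands actually entered."""
    return {"number": number, **ISAKMP_DEFAULTS, **configured}


@dataclass
class Peer:
    name: str
    ip: str
    policies: list
    psk: dict = field(default_factory=dict)   # `crypto isakmp key 0 <key> address <peer>`


def negotiate_phase1(initiator, responder):
    """The responder walks the initiator's proposals in policy-number order and, for each,
    its own policies in order; the first pair with matching encryption, hash, authentication
    and DH group is used. Lifetime need not match: the lower value is taken. None if no match."""
    for prop in sorted(initiator.policies, key=lambda p: p["number"]):
        for pol in sorted(responder.policies, key=lambda p: p["number"]):
            if all(prop[a] == pol[a] for a in NEGOTIATED_ATTRS):
                agreed = {a: pol[a] for a in NEGOTIATED_ATTRS}
                agreed["lifetime"] = min(prop["lifetime"], pol["lifetime"])
                agreed["policies"] = (prop["number"], pol["number"])
                return agreed
    return None


def psk_matches(initiator, responder):
    """Both sides must hold the same key for each other's address (modelled as a compare)."""
    mine = initiator.psk.get(responder.ip)
    return mine is not None and mine == responder.psk.get(initiator.ip)


# The lab's configuration: policy 10 on both routers, key from the page, peer addresses swapped.
R3 = Peer("R3", "202.0.0.1",
          [isakmp_policy(10, hash="md5", authentication="pre-share", encryption="des")],
          {"201.0.0.1": "qqq111"})
R1 = Peer("R1", "201.0.0.1",
          [isakmp_policy(10, hash="md5", authentication="pre-share", encryption="des")],
          {"202.0.0.1": "qqq111"})


def phase1_ok(initiator, responder):
    """True when an ISAKMP SA can be established between the two peers."""
    return negotiate_phase1(initiator, responder) is not None and psk_matches(initiator, responder)


if __name__ == "__main__":
    print(negotiate_phase1(R3, R1))   # agreed attributes, policies (10, 10)
    print(phase1_ok(R3, R1))          # True
```

Changing a single attribute on one side (for example `hash sha` on R1) makes `negotiate_phase1()` return None, and a key mismatch fails `psk_matches()`; either one leaves the tunnel interface up but with no encrypt or decrypt counters, which is the first thing to check when the `show crypto engine connections active` output above stays empty. DES and MD5 appear here because the lab uses them; the same matcher works unchanged for AES and SHA-2 policies on current IOS releases.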
R3#show ip route
7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/11112] via 1.1.1.2, 06:24:09, Tunnel0
Sw1-3#ping 7.7.7.7 source 192.168.1.1   tests whether the configuration succeeded
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/402/584 ms
R4#ping 7.7.7.7 source 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/340/448 ms
R3#show ip nat translations   view the NAT translation table
R3#
Note: the above shows that the VPN works and that the NAT translation table is empty. That is because the ping packets travel through the virtual tunnel instead of NAT.
Sw1-3#ping 201.0.0.1 source 192.168.1.1   after the VPN is configured, test that the internal network can still reach the public network
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/276/400 ms
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
Icmp 202.0.0.1:21 192.168.1.1:21 201.0.0.1:21 201.0.0.1:21
Note: the above tests show that once the VPN is configured it does not interfere with NAT: the sites communicate through the secure virtual tunnel, while the internal network reaches the external Internet through NAT, giving a secure and efficient network structure.
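The reason the two mechanisms do not interfere is visible in R3's configuration: NAT overload only acts on packets that enter an `ip nat inside` interface, leave through an `ip nat outside` interface, and match access list 1, and Tunnel0 is neither inside nor outside. The Python model below is an added example (not the lab's code) that reproduces the translation rows shown above and the empty table for tunnel traffic; it assumes a reduced routing table for R3 (the static default, the OSPF route to 7.7.7.7 over Tunnel0, and the VLAN2 subnet) and, for port allocation, that the inside port or ICMP identifier is kept when free on the global address and otherwise replaced by the next free port from 1024, which is a simplification of IOS behaviour.

```python
"""Port address translation (NAT overload) on R3, including why tunnel traffic is
not translated. Added example, not from the original page."""
import ipaddress
from dataclasses import dataclass


def acl_permits(src, base="192.168.0.0", wildcard="0.0.255.255"):
    """`access-list 1 permit 192.168.0.0 0.0.255.255`: wildcard bits set to 1 are ignored."""
    w = int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(src)) | w) == (int(ipaddress.ip_address(base)) | w)


@dataclass
class Packet:
    proto: str   # "icmp", "tcp" or "udp"
    src: str
    sport: int   # ICMP identifier for icmp
    dst: str
    dport: int


class PatRouter:
    def __init__(self, routes, inside, outside, global_ip):
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        self.inside, self.outside, self.global_ip = set(inside), set(outside), global_ip
        self.translations = []   # rows of `show ip nat translations`

    def egress(self, dst):
        """Longest-prefix match decides the outgoing interface before NAT is considered."""
        ip = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if ip in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def _global_port(self, proto, wanted):
        # Keep the inside port/ID if it is free on the global address, else allocate (simplified).
        used = {t["global_port"] for t in self.translations if t["proto"] == proto}
        port = wanted
        while port in used:
            port = 1024 if port < 1024 else port + 1
        return port

    def forward(self, pkt, ingress):
        """Return (egress interface, packet as it leaves). Translation happens only for
        inside -> outside traffic that the access list permits."""
        out = self.egress(pkt.dst)
        if ingress in self.inside and out in self.outside and acl_permits(pkt.src):
            gport = self._global_port(pkt.proto, pkt.sport)
            self.translations.append({
                "proto": pkt.proto, "global_port": gport,
                "inside_global": f"{self.global_ip}:{gport}",
                "inside_local": f"{pkt.src}:{pkt.sport}",
                "outside": f"{pkt.dst}:{pkt.dport}"})
            pkt = Packet(pkt.proto, self.global_ip, gport, pkt.dst, pkt.dport)
        return out, pkt

    def show_translations(self):
        """Rows in the column order of `show ip nat translations`."""
        return [(t["proto"], t["inside_global"], t["inside_local"], t["outside"], t["outside"])
                for t in self.translations]


def r3():
    return PatRouter(
        routes={"0.0.0.0/0": "Serial0/1",           # static default toward R2
                "7.7.7.7/32": "Tunnel0",            # learned by OSPF over the tunnel
                "192.168.1.0/24": "FastEthernet1/0"},
        inside=["Serial0/0", "FastEthernet1/0", "FastEthernet2/0"],
        outside=["Serial0/1"],                      # Tunnel0 is deliberately neither
        global_ip="202.0.0.1")


if __name__ == "__main__":
    r = r3()
    print(r.forward(Packet("icmp", "192.168.1.2", 4, "201.0.0.1", 4), "FastEthernet1/0"))
    print(r.forward(Packet("icmp", "192.168.1.1", 5, "7.7.7.7", 5), "FastEthernet1/0"))
    print(r.show_translations())   # only the Internet-bound ping is in the table
```

The second `forward()` call leaves the source address untouched and adds no row, exactly as `show ip nat translations` was empty after the pings to 7.7.7.7 and 6.6.6.6 above; it also shows that a host outside the 192.168.0.0/16 wildcard range is routed but not translated.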
The above configuration has another feature: when a new network segment appears in the internal network of either site, it only has to be announced, and the peer quickly learns the routing entry, which keeps all internal network segments of the two sites connected. For example, after the VPN is configured, a new network segment is created in the network connected to R1 and is then enabled to communicate securely with the peer's internal network. The configuration is as follows:
R1 (config) # in lo1   configuration
R1 (config-if) # ip add 2.2.2.2 255.255.255.0
R1 (config-if) # no sh
R1 (config-if) # exit
R1 (config) # router ospf 100   announcement
R1 (config-router) # network 2.2.2.2 0.0.0.0 area 2
Sw1-3#show ip route   view
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/11113] via 192.168.10.1, 06:56:05, FastEthernet0/0
Sw1-3#ping 2.2.2.2 source 192.168.1.1 Test
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.254
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 332/388/496 ms