无色无味(杨波) 的Web Log(博客)
dynamips模拟器模块详细介绍
Google sites: http://google.ghitr.com/cisco/dynamips-mo-ni-qi-mo-kuai-xiang-xi-jie-shao
注意:保证你的IOS版本在12.2S以上,在模拟交换时候为了保证实验能成功.IOS版本在12.3以上
一:参数介绍
C7200
Slot 0:
C7200-IO-FE <——> 支持1个Fastethernet接口
C7200-IO-2FE <——> 支持2个 Fastethernet接口 (DynamipsGUI 2.3 里面没有这个选项,想用只有自己添加了)
C7200-IO-GE-E <——> 插这个卡以后会同时出现2个端口,Ethernet0/0和GigabitEthernet0/0 (反正我没有用到过这个卡)
注意:这三个卡只允许插在Slot0口,如果插入后面的slot口是无效的.
Slot 1-5:
PA-2FE-TX <——> 支持2个Fastethernet接口
PA-FE-TX <——> 支持1个Fastethernet接口
PA-4E <——> 支持4个Ethernet接口
PA-4T+ <——> 支持4个serial接口
PA-8E <——> 支持8个Ethernet接口
PA-8T <——> 支持8个serial接口
PA-A1 <——> 支持1个ATM port adapter接口
PA-GE <——> 支持1个GigabitEthernet接口
PA-POS-OC3 <——> 支持1个Packet Over SONET/SDH接口(用于更高速度的接口)
C3600(3620/3640/3660)
NM-16ESW <——> 支持16个Fastethernet接口(交换模块,在使用此模块做交换实验时候,请使用no ip routing 关闭端口路由)
NM-1E <——> 支持1个Ethernet接口
NM-1FE-TX <——> 支持1个Fastethernet接口
NM-4E <——> 支持4个Ethernet接口
NM-4T <——> 支持4个serial接口
Leopard-2FE <——>支持2个Fastethernet接口(3660专用,并且只能在slot 0 下使用)
注意:3620只能使用2个slot,3640可以使用4个slot,除Leopard-2FE模块做了限制,其他模块没有做限制插具体哪个slot.(DynamipsGUI里对slot已经做了限制,最近DynamipSeeV2.0已经发布了,但是里面不支持3660)
c3725/c3745/c2691
GT96100-FE <——>支持2个Fastethernet接口(只限制在slot 0)
NM-16ESW <——>支持16个Fastethernet接口(不做重复说明)
NM-1FE-TX <——>支持1个Fastethernet接口
NM-4T <——>支持4个serial接口
c2600(2610/2611/2620/2621/2610XM/2620XM/2650XM)
NM-16ESW <——> 支持16个Fastethernet接口
NM-1E <——> 支持1个Ethernet接口
NM-1FE-TX <——> 支持1个Fastethernet接口
NM-4E <——> 支持4个Ethernet接口
CISCO2600-MB-2E <——>支持2个Ethernet接口
CISCO2600-MB-2FE <——>支持2个Fastethernet接口
注>DynamipsGUI里的模块CISCO2600-MB-2E,CISCO2600-MB-2FE,并且只有2620类型可选
Dynamipsee里有2610/2611/2620/2621/2610XM/2620XM/2650XM类型选择.但没有2610/2611/2620/2621/2610XM/2620XM/2650XM
建议:找个小的IOS把2600模拟成主机用 C2600IOS
二:图形介绍
此模拟器可以自己选择加载IOS,能比较真实的再现硬件环境
首先我按图中序号对每个区域进行介绍:
①:此区域是选择交换机和路由器的个数(有点废话)
②:这个地方是选择设备类型,IOS路径,idle-p值NPE类型,虚拟(表示虚拟设备的RAM所占的内存大小,因为dynamips在模拟时候需要将主机的物理内存模拟成模拟设备的RAM)
③:此区域是配置分布式的dynamips的设置区域.这个区域暂时还用不到.④:这里可以选择一些不需要IOS的模拟设备。如:FrameRelay交换机ATM交换机,以太网交换机(现在已经有支持交换的模块NM-16ESW).由模拟器自己提这些功能.⑤:设备类型,选择你所需要模拟的设备,以上的设备为dynamips目前支持的类型,其他的都不支持.
⑥:这里可以设置连接到主机通信(下文详细介绍)
⑦:可以直接读取真实设备里的NVRAM里的配置文件(.ini格式)
⑧:输出目录(自己先建立).
根据上面这个拓扑来介绍,希望大家在弄懂基本东西以后,可以在举一反三吧.东西是活的,活学活用)
接下来,我从起始配置到最后开始实验在做逐步讲解.
1.首先选择根据上面这个拓扑图(建立在做实验的时候在草稿纸上画好拓扑图,注释好个端口设备的IP).我们来用dynamipsGUI来配置脚本文件(注意:现在的dynamipsGUI和dynamipsee都是可以视化的写dynamips的脚本程序.不是模拟器.有的初学者.总以为这两个程序是模拟器.真正的模拟器是dynamips).未安装的朋友请点下载好安装.点击桌面DynamipsGUI图标打开.
2.好了,打开以后,根据上面的图我们假设R1,R2,R3都使用3640,而R4使用7200.那么我们选择路由器个数为4,并选择桥接到PC.在⑤设备类型里钩选3640 和7200.如图:
3.在②设备配置区域里下拉选择7200,然后浏览选择你的IOS文件.(注意IOS在网上下载后,后缀名为BIN,大家需要将后缀名字改为RAR,然后在解压出来,这样在运行模拟设备时候就避免了再解压).接一下步是最让初学者感到困惑的地方.计算idle-pc值(idle-pc只为了解决在开启模拟设备时不至于你的CPU占有率达到100%,所以这个值对于能做好实验很重要).好.指定好IOS路径以后.我们点击计算idle-pc,确定IOS文件存在.之后在弹出窗口中按任意键继续.如图:
之后看到的就是设备的启动了(如同真实设备一样).然后在设备的用户模式下(Router#)下,先按组合键ctrl+] ,接着在单独按i键.记住不要三个键一起按.按完以后就是等待了.如图:
等待一会儿,出现下图:
看到下面出现一排值.这就是我们所需要的idle-pc值.那么这么多我们怎么选择呢?好!注意看count等于后面的数字.找到一个count最大值.然后记下前面的一串16进制数.例如上面这图.count=72,这个里面有两个72的值,我们同时记下这两个值.0×605c33fc 和0×605c345c.然后在回到dynamipsGUI界面.将0×605c33fc(或者0×605c345c)填入.(说一下这地方的原则:大家不要一味的相信最大值就是必须要选择的值.这要看情况而定.如果当你选择一个最大值,然后在后面开设备的时候却出现了CPU100%的情况,那么这个时候你就应该重新去计算idle-pc值,只到CPU占有率维持在一个正常值.我上面说的选取最大的count值是应该理解为从最大的count值开始去试.这样一直到找到一个合适的idle-pc值)
4.接下来是NPE类型这里 dynamipsGUI已经有默认值了.我们不需要在去设置它.而在虚拟内存这里dynamipsGUI作者也给出了各个类型模拟器的默认值.大家可以根据IOS的大小去更改.也要根据自己的物理内存而定.而后面的参数128 –disk0 4 ,128的意思是拿128MB的物理内存来作为虚拟设备的RAM, –disk0 4是dynamips的参数在说明文件中的解释为: –disk0 : Set PCMCIA ATA disk0: size.这是节省内存的参数.不过3600不支持这个参数.大家如果想深入研究可以读说明文档内容,如下:
The emulator currently supports the following platforms:
- Cisco 7200 (NPE-100 to NPE-400)
- Cisco 3600 (3620, 3640 and 3660)
- Cisco 2691
- Cisco 3725
- Cisco 3745
- Cisco 2600(2610/2611/2620/2621/2610XM/2620XM/2650XM)
To emulate another platform, use the “-P” command line option (for example,
“-P 3725″ or “-P 3600″).
For the 7200, you can change the NPE type with the “-t” option.
It is possible to select “npe-100″, “npe-150″, “npe-175″, “npe-200″,
“npe-225″, “npe-300″ and “npe-400″. The “npe-g1″ is not working.
For the 3600, a 3640 with 128 Mb is emulated by default. You can change this
with the “-t” option and by specifying “3620″ or “3660″.
Don’t forget to set the chassis type depending on your IOS image,
a c3660 image will not run on c3640 hardware and vice-versa.
Remark: PCMCIA card emulation is not supported yet with Cisco 3600.
还有一个要说明的,大家如果在以后碰到dynamipsGUI界面的虚拟碰到后面跟一个参数-X(注意为大写)比如96 –X 意思是不使用一个模拟的RAM文件,这样可以使用速度更快.原说明文档也有介绍:-X : Do not use a file to simulate RAM (faster)
我对新手的建议:关于NPE绾紊柚?大家在使用dynamipsGUI时就使用默认的.关于虚拟大小如何设置.主要还是根据你的IOS大小来定.dynamipsGUI也给了默认值.
5.接下来我要拿来单讲的就是这个寄存器的值了.很多人在做实验的时候都问,为什么copy run start以后.下次重新启动虚拟设备时.设置没有被保存.主要就是这个地方的设置问题了.学思科的人都清楚0×2142和0×2102了. 0×2142启动时是不从NVRAM读配置.而0×2102相反.因为dynamips默认是0×2142 所以我们需要在这个地方改为0×2102就可以了.然后在到虚拟的路由设备里面在show ver看看,你会发现寄存器的值0×2142(虽然我们这之前在dynamipsGUI已经配置过)但还是要重新在改一次寄存器的值才能最后的保存你的配置命令:config-register 0×2102
然后再配置在copy run start,再reload看看.你就会发现设置保存成功!
6.好的.上面已经把7200都配置好了.完了以后点寄存器下面的确定.3640也是一样(其它的设备也是如此配置)配置完后确定. OK!两个设备都配置完毕.接下来.哦还记得我上面的那个拓扑图吧。对,还有一个桥接到本地PC与我们自己的主机通信(我要说明一下.不一定非要桥接到PC.我这里是故意弄一个PC桥接,因为很多朋友这个地方搞不清楚).我们选择⑥区域里的下拉.选择NIC-O(dynamips可以支持多块网卡桥接),然后点击计算桥接参数.在弹出的界面里已经有很详细的说明.如图:
在这里我就不在重复了(免得说我罗嗦).只说一点.例如这张图中我们应该选择的是第三个网卡信息,即本地网卡信息而不应该选择第二个(是PPPOE拨号的).OK。如本图应该为: \Device\NPF_{36CC519A-AAF8-4C53-A9EC-7E0B88D917D6},记下网卡信息最好填到dynamipsGUI界面相应位置.好了.现在选择一个输出目录吧.下一步!! 6.这里就是确定设备名字和telnet端口还有各个slot模块信息.关于slot的模块可以参见我的帖子(下面我不在作模块介绍了):配置好每个设备点击确定配我也配置一下.首先是R4(7200)根据图中要求如图:
然后是3640 三个都是一样的
这里我解释一下界面下面的控制台输出(操作系统我不废话了,不会还有哪个连自己是什么系统不知道的),如果选择TCP输出则需要用telnet连接.推荐使用SecureCRT.如果是直接输出,就是不用telnet连接了,就是直接在窗口下输出CLI界面,就是”””(没办说清楚了,大家自己去用用看就知道了).完事!下一步。
7.根据拓扑连设备吧.我没什么好说的了.就是将拓扑图中各个相连的端口连起来(废话),我也连了一下.发个图.新手自己慢慢体会吧.呵呵(注:图中XPC就是主机)
最后完事点生成BAT文件.在到你的输出目录里去吧.生成的文件如图:
然后依次点R1.bat,R2,bat,R3,bat,R4.bat 意思是打开这四个模拟路由器!.
SecureCRT
然后就用SecureCRT连接了IP地址是:127.0.0.1 端口根据配置的console的值!
例如本教程中R1路由器端口设置的是2001 下面我们使用SecureCRT来登陆.
安装好SecureCRT 打开. 点在标签中建立连接
如下图:
点新会话看下图:
接着下图:
下一步如图:
接着在下一步就可以了,最后在连接就看到下图了:
采用最新的Dynamips-0.2.6-RC5的核心.
纠正了相关的BPDU的错误
加入了idlepc动态获取功能
集成了多个版本实验环境
安装目录可以任意选择,无需要固定在D盘
注:在网上很多发布所谓的超小内存版,其实就是使用较小的IOS软件某些功能不能够支持.而我们使用的是功能较全,IOS较小的,适中解决的办法.
具体使用请查看压缩包中的说明.doc文档文件
idlepc的新使用方法简介:
1.首先start R1
2.使用idlepc get R1命令获得idlepc值
3.待系统将idlepc计算完成并显示后,选择带有*号的值,此值为建议值
4.打开task manager(任务管理器)观察CPU的使用率
5.如果发现没有变化,使用idlepc show R1,重新选择,或使用idlepc get R1重计算
6.确定最佳的idlepc后,使用idlepc save R1 db保存此值.
7.其它的虚拟器只需要是相同的IOS的将自动采用此idlepc的值.
下载地址:
QUOTE:
ftp://www.edurainbow.com/Software/Dynamips/eduRainbow@Dynamips-0.2.6-RC5.rar
ftp://ciscoftp.njut.edu.cn/Software/Dynamips/eduRainbow@Dynamips-0.2.6-RC5.rar
ftp://ciscobbs.njut.edu.cn/Software/Dynamips/eduRainbow@Dynamips-0.2.6-RC5.rar
帐号:edurainbow
密码:cisco
.
.
.
.
.
*********************************************
Dynamips NPE类型取值
NPE = Network Processing Engine…..也就是说NPE就是7200的CPU…
其后的100,150,400代表路由器的主频…单位是MHZ…
所以NPE-400 就是主频为400MHZ的MIPS RISC CPU…….
补充一句….NPE也只有7200系列的才有….7500系列的我记得应该叫RSP才对……
为什么26,36没有NPE可选呢…因为这些低档机器的CPU已经焊到主板上了,换CPU的操作对我们这些初级工程师来说,难度太高了…….
模拟器UDP端口报错的解决方法
问题现象:
Reading configuration file…
*** Warning: Connecting R1 f0/0 to SW1 f1/5 resulted in:
206-unable to create UDP NIO
Error: lost communication with dynamips server localhost
It may have crashed. Check the dynamips server output.
Exiting…
Press ENTER to exit
问题原因
需要的UDP端口号已被其他程序占用(例如迅雷这个端口杀手,一开迅雷无数端口被占)
解决方法
请您打开net文件夹及其子文件夹,默认c:\program files\edurainbow\dynamips@edurainbow\net
用记事本打开net文件,将
[localhost]
port = 7200
udp = 10000
workingdir = ..\tmp\
中的
udp = 10000
修改为
udp = 11000
或其他未被使用的端口
注意,所有net文件都需要手工修改,CCIE-RS的net中包含3个localhost字段,均需修改成不同的端口号
稍后将编写自动修改程序,目前请您先手工修改
#########################################################
我的解决办法是:
关闭讯雷,然后打开CISCO模拟器程序,正常。
CCNP将在2009年末重大改版 考试费有望部分下调
51CTO记者从思科(中国)认证部门了解到,为了顺应CCIEv4.0,CCNP将在2009年末重大改版,更改时间为2009年圣诞节左右。
原有科目:
CCNP Prerequisites
Valid CCNA certification
CCNP Exams & Recommended Training
Required Exam(s) Recommended Training
642-901 BSCI Building Scalable Cisco Internetworks (BSCI)
642-812 BCMSN Building Cisco Multilayer Switched Networks (BCMSN)
642-825 ISCW Implementing Secure Converged Wide Area Networks (ISCW)
642-845 ONT Optimizing Converged Cisco Networks (ONT)
OR
Required Exam(s) Recommended Training
642-892 Composite Building Scalable Cisco Internetworks (BSCI)
Building Cisco Multilayer Switched Networks (BCMSN)
642-825 ISCW Implementing Secure Converged Wide Area Networks (ISCW)
642-845 ONT Optimizing Converged Cisco Networks (ONT)
CCNP此次改版考试科目和考试代号有重大调整;将完全跟上新版CCIE V4.0的潮流:
1、高级路由Route v1.0 考试编号:642-902 (跟之前的没多少变化,可能会把ISCW的部分内容往这里调)
2、多层交换Switch v1.0 考试编号:642-813 (基本上无多少变化 应该是把QOS放回来)
3、安全排错TShoot v1.0 考试编号:642-832 (这门顺应CCIE v4.0考试标准的2个小时排错)
消息称CCNP改版后考试费用将有部分下调,请大家继续关注。
| 1.00 | Implement Layer 2 Technologies | √ |
| 1.10 | Implement Spanning Tree Protocol (STP) | |
| (a) 802.1d | ||
| (b) 802.1w | ||
| (c) 801.1s | ||
| (d) Loop guard | ||
| (e) Root guard | ||
| (f) Bridge protocol data unit (BPDU) guard | ||
| (g) Storm control | ||
| (h) Unicast flooding | ||
| (i) Port roles, failure propagation, and loop guard operation | ||
| 1.20 | Implement VLAN and VLAN Trunking Protocol (VTP) | |
| 1.30 | Implement trunk and trunk protocols, EtherChannel, and load-balance | |
| 1.40 | Implement Ethernet technologies | |
| (a) Speed and duplex | ||
| (b) Ethernet, Fast Ethernet, and Gigabit Ethernet | ||
| (c) PPP over Ethernet (PPPoE) | ||
| 1.50 | Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control | |
| 1.60 | Implement Frame Relay | |
| (a) Local Management Interface (LMI) | ||
| (b) Traffic shaping | ||
| (c) Full mesh | ||
| (d) Hub and spoke | ||
| (e) Discard eligible (DE) | ||
| 1.70 | Implement High-Level Data Link Control (HDLC) and PPP | |
| 2.00 | Implement IPv4 | |
| 2.10 | Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM) | |
| 2.20 | Implement IPv4 tunneling and Generic Routing Encapsulation (GRE) | |
| 2.30 | Implement IPv4 RIP version 2 (RIPv2) | |
| 2.40 | Implement IPv4 Open Shortest Path First (OSPF) | |
| (a) Standard OSPF areas | ||
| (b) Stub area | ||
| (c) Totally stubby area | ||
| (d) Not-so-stubby-area (NSSA) | ||
| (e) Totally NSSA | ||
| (f) Link-state advertisement (LSA) types | ||
| (g) Adjacency on a point-to-point and on a multi-access network | ||
| (h) OSPF graceful restart | ||
| 2.50 | Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP) | |
| (a) Best path | ||
| (b) Loop-free paths | ||
| (c) EIGRP operations when alternate loop-free paths are available, and when they are not available | ||
| (d) EIGRP queries | ||
| (e) Manual summarization and autosummarization | ||
| (f) EIGRP stubs | ||
| 2.60 | Implement IPv4 Border Gateway Protocol (BGP) | |
| (a) Next hop | ||
| (b) Peering | ||
| (c) Internal Border Gateway Protocol (IBGP) and External Border Gateway Protocol (EBGP) | ||
| 2.70 | Implement policy routing | |
| 2.80 | Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER) | |
| 2.90 | Implement filtering, route redistribution, summarization, synchronization, attributes, and other advanced features | |
| 3.00 | Implement IPv6 | |
| 3.10 | Implement IP version 6 (IPv6) addressing and different addressing types | |
| 3.20 | Implement IPv6 neighbor discovery | |
| 3.30 | Implement basic IPv6 functionality protocols | |
| 3.40 | Implement tunneling techniques | |
| 3.50 | Implement OSPF version 3 (OSPFv3) | |
| 3.60 | Implement EIGRP version 6 (EIGRPv6) | |
| 3.70 | Implement filtering and route redistribution | |
| 4.00 | Implement MPLS Layer 3 VPNs | |
| 4.10 | Implement Multiprotocol Label Switching (MPLS) | |
| 4.20 | Implement Layer 3 virtual private networks (VPNs) on provider edge (PE), provider (P), and customer edge (CE) routers | |
| 4.30 | Implement virtual routing and forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite) | |
| 5.00 | Implement IP Multicast | |
| 5.10 | Implement Protocol Independent Multicast (PIM) sparse mode | |
| 5.20 | Implement Multicast Source Discovery Protocol (MSDP) | |
| 5.30 | Implement interdomain multicast routing | |
| 5.40 | Implement PIM Auto-Rendezvous Point (Auto-RP), unicast rendezvous point (RP), and bootstrap router (BSR) | |
| 5.50 | Implement multicast tools, features, and source-specific multicast | |
| 5.60 | Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD) | |
| 6.00 | Implement Network Security | |
| 6.01 | Implement access lists | |
| 6.02 | Implement Zone Based Firewall | |
| 6.03 | Implement Unicast Reverse Path Forwarding (uRPF) | |
| 6.04 | Implement IP Source Guard | |
| 6.05 | Implement authentication, authorization, and accounting (AAA) (configuring the AAA server is not required, only the client-side (IOS) is configured) | |
| 6.06 | Implement Control Plane Policing (CoPP) | |
| 6.07 | Implement Cisco IOS Firewall | |
| 6.08 | Implement Cisco IOS Intrusion Prevention System (IPS) | |
| 6.09 | Implement Secure Shell (SSH) | |
| 6.10 | Implement 802.1x | |
| 6.11 | Implement NAT | |
| 6.12 | Implement routing protocol authentication | |
| 6.13 | Implement device access control | |
| 6.14 | Implement security features | |
| 7.00 | Implement Network Services | |
| 7.10 | Implement Hot Standby Router Protocol (HSRP) | |
| 7.20 | Implement Gateway Load Balancing Protocol (GLBP) | |
| 7.30 | Implement Virtual Router Redundancy Protocol (VRRP) | |
| 7.40 | Implement Network Time Protocol (NTP) | |
| 7.50 | Implement DHCP | |
| 7.60 | Implement Web Cache Communication Protocol (WCCP) | |
| 8.00 | Implement Quality of Service (QoS) | |
| 8.10 | Implement Modular QoS CLI (MQC) | |
| (a) Network-Based Application Recognition (NBAR) | ||
| (b) Class-based weighted fair queuing (CBWFQ), modified deficit round robin (MDRR), and low latency queuing (LLQ) | ||
| (c) Classification | ||
| (d) Policing | ||
| (e) Shaping | ||
| (f) Marking | ||
| (g) Weighted random early detection (WRED) and random early detection (RED) | ||
| (h) Compression | ||
| 8.20 | Implement Layer 2 QoS: weighted round robin (WRR), shaped round robin (SRR), and policies | |
| 8.30 | Implement link fragmentation and interleaving (LFI) for Frame Relay | |
| 8.40 | Implement generic traffic shaping | |
| 8.50 | Implement Resource Reservation Protocol (RSVP) | |
| 8.60 | Implement Cisco AutoQoS | |
| 9.00 | Troubleshoot a Network | |
| 9.10 | Troubleshoot a complex Layer 2 network issue | |
| 9.20 | Troubleshoot a complex Layer 3 network issue | |
| 9.30 | Troubleshoot a network in response to an application problem | |
| 9.40 | Troubleshoot network services | |
| 9.50 | Troubleshoot network security | |
| 10.00 | Optimize the Network | |
| 10.01 | Implement syslog and local logging | |
| 10.02 | Implement IP Service Level Agreement SLA | |
| 10.03 | Implement NetFlow | |
| 10.04 | Implement SPAN, RSPAN, and router IP traffic export (RITE) | |
| 10.05 | Implement Simple Network Management Protocol (SNMP) | |
| 10.06 | Implement Cisco IOS Embedded Event Manager (EEM) | |
| 10.07 | Implement Remote Monitoring (RMON) | |
| 10.08 | Implement FTP | |
| 10.09 | Implement TFTP | |
| 10.10 | Implement TFTP server on router | |
| 10.11 | Implement Switch-module Configuration Protocol (SCP) | |
| 10.12 | Implement HTTP and HTTPS | |
| 10.13 | Implement Telnet |
【编辑推荐】
交换机 背板带宽的一些说明
背板带宽,是交换机接口处理器或接口卡和数据总线间所能吞吐的最大数据量。一台交换机的背板带宽越高,所能处理数据的能力就越强,但同时设计成本也会上去。
但是,我们如何去考察一个交换机的背板带宽是否够用呢?显然,通过估算的方法是没有用的,我认为应该从两个方面来考虑:
1、)所有端口容量X端口数量之和的2倍应该小于背板带宽,可实现全双工无阻塞交换,证明交换机具有发挥最大数据交换性能的条件。
2、)满配置吞吐量(Mbps)=满配置GE端口数×1.488Mpps其中1个千兆端口在包长为64字节时的理论吞吐量为1.488Mpps。例如,一台最多可以提供64个千兆端口的交换机,其满配置吞吐量应达到 64×1.488Mpps = 95.2Mpps,才能够确保在所有端口均线速工作时,提供无阻塞的包交换。如果一台交换机最多能够提供176个千兆端口,而宣称的吞吐量为不到261.8Mpps(176 x 1.488Mpps = 261.8),那么用户有理由认为该交换机采用的是有阻塞的结构设计。
一般是两者都满足的交换机才是合格的交换机。
背板相对大,吞吐量相对小的交换机,除了保留了升级扩展的能力外就是软件效率/专用芯片电路设计有问题;背板相对小。吞吐量相对大的交换机,整体性能比较高。不过背板带宽是可以相信厂家的宣传的,可吞吐量是无法相信厂家的宣传的,因为后者是个设计值,测试很困难的并且意义不是很大。
对H3C的MSR20-21的一点点疑问
昨日去对人口中心的网络进行了调整。!
上级部门分配的IP为23.246.5.0/24.网关为23.246.5.254。
因内部有两个部门,要实现IP隔离! 所以我就在内部进行了子网划分 。
1.划出一个直连网段 23.246.5.252/30
2.划出一个128个地址的网段: 23.246.5.0/25
3.划出一个32个地址的小网段: 23.246.5.128/27
某市人口中心 网络调整方案
该中心为某市人口信息管理中心,经常需要与区县等人口办公室同步数据。还需与市政等相关部门交换信息。
二、现有网络状况
该中心采用两台H3C MSR20-31路由器,做为出口设备做NAT。因前一次网络架构时,用户方末向设计施工人员做到完整的交底,所以导致现在网络只能做单方向的访问,中心以外的其它办公室无法访问到中心内部的服务器。
本次调整的网络为党政网。上级部门为该中心分配了一个C段地址:23.246.5.0/24.网关为:23.246.5.254
三、整改目标
1.要求整个党政网为大内网,要做到任何一处的IP设备都能互访。
2.内部需要用VLAN根据办公室划分格局。
CCIE R&S Lab Equipment and IOS Version
CCIE R&S Lab Equipment and IOS Version.pdf(15.34K)
Lab Equipment and IOS
The lab exam tests any feature that can be configured on the equipment and the IOS versions indicated below. You may see more recent IOS versions installed in the lab, but you will not be tested on the new features of a release unless indicated below.
Version 3.0 (effective through October 17, 2009)
- 3725 series routers – IOS 12.4 mainline – Advanced Enterprise Services
- 3825 series routers – IOS 12.4 mainline – Advanced Enterprise Services
- Catalyst 3550 series switches running IOS version 12.2 – IP Services
- Catalyst 3560 Series switches running IOS version 12.2 – Advanced IP Service
Version 4.0 (effective begining October 18, 2009)
-
1841 series routers – IOS 12.4(T) – Advanced Enterprise Services
-
3825 series routers – IOS 12.4(T) – Advanced Enterprise Services
-
Catalyst 3560 Series switches running IOS version 12.2 – Advanced IP Services
网友利用漏洞对RIP动态路由协议的攻击(图)
此文为转载(http://www.56cto.com/html/Cisco/1/41686.html)
该贴发于安全中国和56cto网络技术站
(一) 网络结构图
(二) 配置RIP路由协议
在Router A上做如下RIP路由配置
Router(config)#int fastEthernet 0/0
Router(config-if)#ip address 192.168.145.173 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#version 2
Router(config-router)#network 1.0.0.0
Router(config-router)#network 2.0.0.0
Router(config-router)end
在Router B上做如下RIP路由配置
Router(config)#int fastEthernet 0/0
Router(config-if)#ip address 192.168.145.174 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#version 2
Router(config-router)#network 3.0.0.0
Router(config-router)#network 4.0.0.0
Router(config-router)end
在Router B 通过show ip route
如下图,路由表为
Network 1.0.0.0
Network 2.0.0.0
Network 3.0.0.0
Network 4.0.0.0
这是正常的路由表
(三) 抓包分析
在PC上通过wireshark抓包工具抓到如下的包
如下图,看NO. 6,为Router A发给Router B的路由更新包
红圈处为rip路由信息
把这些信息保存,用sniffer pro 4.7.5打开
点选 File→save→保存类型NA Sniffer (windows) 2.00x (*.cap)
(四) 第一次改包
用sniffer pro 4.7.5打开保存了的cap文件
点选decode,如下图
找到RIP路由信息的二进制代码处,右键选择 edit,如下图
如下图红圈处,将01 00 00 00 ff 00 00 00修改为 01 01 01 00 ff ff ff 00,即将1.0.0.0 255.0.0.0 改为 1.1.1.0 255.255.255.0;将02 00 00 00 ff 00 00 00修改为 02 02 02 00 ff ff ff 00,即将2.0.0.0 255.0.0.0 改为 2.2.2.0 255.255.255.0
在NO.6路由包处,右键点选取 Send Current frame,如下图
(五) 第一次攻击
填写发送次数,或者选择一直发送,如下图
这时查看Router B的路由表,路由表没有被撰改,再分析发送的数据包
(六) 再抓包分析
通过wireshark抓包获得如下信息
通过下图可以得到如下信息,RIP路由的数据包已经发送到了Router B,rip路由封装在udp 520数据包中,返回udp包的checksum错误
checksum:0xc60c [incorrect,should be oxc309]
再通过sniffer pro 4.7.5修改checksum,将oxc60c修改为oxc309
修改方法请参考上文,这里不再骜叙
(七) 再次攻击,攻击成功
通过sniffer pro 4.7.5将修改了的数据发送
在Router B 通过show ip route
如下图,路由表为
Network 1.1.1.0
Network 2..2.2.0
Network 1.0.0.0
Network 2.0.0.0
Network 3.0.0.0
Network 4.0.0.0
其中network 1.1.1.0,network 2.2.2.0就是撰改后路由表
这里我们得出结论
对于运行RIP动态路由协议路由器的路由表可以通过本文的办法对其随意撰改,造成其路由表紊乱,并足以使其网络中断
asa 简约配置手册
思科防火墙支持下列用户配置方式:
Console,Telnet,SSH(1.x 或者 2.0,2.0 为 7.x 新特性,PDM 的 http 方式(7.x
以后称为 ASDM)和 VMS的 Firewall Management Center。
支持进入 Rom Monitor模式,权限分为用户模式和特权模式,支持 Help,History
和命令输出的搜索和过滤。
注:Catalyst6500的 FWSM(防火墙服务模块 Firewall Service Module)没有物理
接口接入,通过下面CLI 命令进入:
Switch# session slot slot processor 1 (FWSM 所在 slot 号)
用户模式:
Firewall> 为用户模式,输入 enable 进入特权模式 Firewall#。特权模式下可以进
入配置模式,在 6.x 所有的配置都在一个全局模式下进行,7.x 以后改成和 IOS类似的
全局配置模式和相应的子模式。通过exit,ctrl-z 退回上级模式。
Cisco ASA Install CD v1.1
This install CD will install Cisco ASA on your HD and run it without CD.
The install works in fully native mode and in virtualized (vmware, qemu etc..).
ASA will see 256mb flash (which is HD) and you can save the configuration files.
For any further info see the included readme file.
DownForm:
http://rapidshare.com/files/146672236/asa_install_v1.1.rar.html
Welcome to Project ASA installation!
For the HD installation you need:
* 256 MB ram minimum
* empty HD of at least 550MB in size
* HD that is set as PRIMARY MASTER
* CD-ROM
* 400 MHz or faster computer (slower should work but it’s useless)
* maximum 30 minutes of time
Hardware information:
This release is tested on Fujitsu Siemens Scenic xB which have:
1GHz Celeron P3 CPU
256MB RAM
2.2GB HD
And ASA took about 20 minutes to install but it worked perfectly, the integrated nic is recognized as Intel/Pro 100 and there was another (also Intel/pro 100) one in PCI port which also got recognized.
That worked perfectly and i got full 100 mbits transfer in nat trough the router.
show cpu showed up to 87% cpu usage on machine.
The other machine i tested was Compaq Deskpro EN and that machine didn’t worked. The ASA simply got rebooted over and over. I didn’t had NULL-MODEM cable to see what the problem is, but i’m sure that lina crashes and makes the system restart itself.
The next (2.x) release should have a large number of supported nics – almost all possible.
Cisco ASA information
* When you install Cisco ASA it will have the ip 192.168.1.1/24, so just set your computer to 192.168.1.2 / 255.255.255.0 and you will be able to telnet into the ASA (type telnet 192.168.1.1) – i recommend using putty. The telnet password is "ciscoasa", and enable password is blank. There may be problem with ssh not storing the crypto key but i didn’t look much at it since telnet works.
* The configuration is 256MB Flash that ASA sees which is in fact HD
* Configuration is NOT saved with "wr mem" but with "copy run disk0:/.private/startup-config"
* COM1 port where the console output is is configured on "115200n81" parameters
www:
http://asa_project.gromnet.net/
EZVPN LABS-(3)Cisco IOS Easy VPN Remote with Clien
因正在做用sdm 做EZVPN实验。结果百度到这篇文章!
但我没有测试成功!
但至少知道了一点:区分大小写!
EZVPN LABS-(3)Cisco IOS Easy VPN Remote with Client Mode and Split Tunneling
Split Tunneling(隧道分离)技术主要是用来区分流量的,那区分什么流量呢?在本实验中主要是用来区分去往Internet的流量和要通过VPN加密传输的流量。在实验中我们先不采用隧道分离技术,我们能看到Client端在成功建立VPN连接后,不能访问Server端的内部网络,也不能访问Internet了,要解决这个问题,为了达到Client端能同时访问Server端的内部网络和Internet网络的效果我们应该如何解决呢?那就往下看吧!
2) 实验环境
本人使用Dynamips模拟了两台3640的路由器和一台7200的路由器,IOS版本分别为c7200-advsecurityk9-mz.124-11.T和c3640-ik9o3s-mz.124-10。把一台7200(ISP)的以太网接口和一台3640(EZVPN-Client)分别桥接到了物理的网卡上和真实的主机相连。具体的拓扑结构和IP地址划分如下:
具体的.net文件如下:
autostart = false
[localhost]
port = 7200
udp = 10000
workingdir = ../tmp/
[[router R1]]
image = ../ios/unzip-c3640-ik9o3s-mz.124-10.bin
model = 3640
console = 3001
ram = 128
confreg = 0×2142
exec_area = 64
mmap = False
slot1 = NM-4T
slot0 = NM-1FE-TX
s1/2 = R3 S1/0
f0/0 = NIO_udp:30000:127.0.0.1:20000
[[router R2]]
image = ../ios/unzip-c3640-ik9o3s-mz.124-10.bin
model = 3640
console = 3002
ram = 128
confreg = 0×2142
exec_area = 64
mmap = False
slot1 = NM-4T
slot0 = NM-1FE-TX
s1/2 = R3 S1/1
f0/0 = NIO_gen_eth:/Device/NPF_{A6FCF818-D943-4CC2-B462-085AF2946D71}
[[router R3]]
image = ../ios/unzip-c7200-advsecurityk9-mz.124-11.T.bin
model = 7200
console = 3003
npe = npe-400
ram = 128
confreg = 0×2142
exec_area = 64
mmap = false
slot0 = PA-C7200-IO-FE
slot1 = PA-4T
f0/0 = SW1 1
[[ethsw SW1]]
1 = dot1q 1
2 = access 1 NIO_gen_eth:/Device/NPF_{3A6BB436-2962-4893-8335-211D3AE3471C}
3) 实验的目的
通过使用Split Tunneling技术,使Client端内网的VPC能同时访问Server端内部网络和Internet网的WEB服务器。
4) 基本实验环境的配置和测试
在这一步我们将配置路由器的基本连通性和一些基本的配置命令以达到Server端和Clinet端能正常访问Internet WEB服务器的效果,并用ping测试。
EZVPN-Server的基本配置
interface serial 1/2
ip address 220.1.3.2 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
no keepalive
no shutdown
exit
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
ip nat inside
exit
interface serial 1/2
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
EZVPN-Client的基本配置
interface serial 1/2
ip address 220.1.1.2 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
ip nat inside
exit
interface serial 1/2
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
ISP的基本配置
interface serial 1/0
ip address 220.1.3.1 255.255.255.0
no shutdown
exit
interface serial 1/1
ip address 220.1.1.1 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 220.1.2.1 255.255.255.0
no shutdown
exit
在EZVPN-Client(PC)进行测试:
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=248ms TTL=126
Reply from 220.1.2.2: bytes=32 time=44ms TTL=126
Reply from 220.1.2.2: bytes=32 time=80ms TTL=126
Reply from 220.1.2.2: bytes=32 time=562ms TTL=126
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 562ms, Average = 233ms
测试结果表明Client端内网用户通过NAT技术能够正常访问Internet WEB服务器。
在EZVPN-Server(VPC)进行测试:
VPCS 1 >ping 220.1.2.2
220.1.2.2 icmp_seq=1 time=166.000 ms
220.1.2.2 icmp_seq=2 time=208.000 ms
220.1.2.2 icmp_seq=3 time=47.000 ms
220.1.2.2 icmp_seq=4 time=165.000 ms
220.1.2.2 icmp_seq=5 time=147.000 ms
测试结果表明Server端内网用户通过NAT技术能够正常访问Internet WEB服务器。
5) Easy VPN For Split Tunneling的配置
EZVPN-Server的配置(不启用split tunneling)
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
username cisco password cisco
aaa new-mode
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30
aaa authorization network vpn-group local
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp client configuration group test
key VPNKEY
domain cisco.com
pool Remote-Pool
exit
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit
crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route
exit
crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface serial 1/2
crypto map ClientMap
exit
crypto isakmp keepalive 20 10
EZVPN-Clinet的配置
crypto ipsec client ezvpn test-Client
group test key VPNKEY
peer 220.1.3.2
mode client
connect auto
username cisco password cisco
xauth userid mode local
exit
interface serial 1/2
crypto ipsec client ezvpn test-Client
exit
interface fastethernet 0/0
crypto ipsec client ezvpn test-Client inside
exit
在EZVPN-Client端测试
EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.200
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 220.1.3.2
我们看见VPN建立成功,接下来到PC上测试
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
这个时候我们发现Client端内部的PC即不能访问Server端内网也不能访问外网了,这是为什么呢?那我们先来看看为什么不能访问外网。
首先我们在Client端内部的PC上使用tracert命令跟踪一下数据包
C:/Documents and Settings/cx>tracert 220.1.2.2
Tracing route to 220.1.2.2 over a maximum of 30 hops
1 13 ms 51 ms 64 ms 192.168.10.1
2 242 ms 160 ms 107 ms 220.1.3.2
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
我们可以看见去往外网的下一跳为220.1.3.2,这个地址刚好是Server端的公网IP地址,而并没有走正常的NAT,造这个问题的原因正是应为没有启用隧道分离,Client端路由器把所有的数据包都放到隧道当中传输了。为了解决这个问题我们在Server端路由器上加入如下命令启用隧道分离。
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
acl 100
接下来在Client端重新建立VPN连接并测试。
clear crypto session 清除原有的VPN连接
Mar 30 14:52:19.935: EZVPN(test-Client): Pending XAuth Request, Please enter the following command:
Mar 30 14:52:19.939: EZVPN: crypto ipsec client ezvpn xauth
应为启用了XAUTH认证,所以在连接重置后要求重新输入用户名和密码
使用show crypto ipsec client ezvpn查看隧道建立是否成功是否启用了隧道分离
EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.201
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
Address : 10.1.1.0
Mask : 255.255.255.0
Protocol : 0×0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 220.1.3.2
可以看见隧道建立成功并启用隧道分离,让我在到Client端的PC上测试
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=361ms TTL=126
Reply from 220.1.2.2: bytes=32 time=102ms TTL=126
Reply from 220.1.2.2: bytes=32 time=43ms TTL=126
Reply from 220.1.2.2: bytes=32 time=305ms TTL=126
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 43ms, Maximum = 361ms, Average = 202ms
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
从测试结果上来看我们解决了上外网的问题,但是为什么还是不能访问Server端内部网络呢?我们在Client端使用show ip nat translation
EZVPN-Client#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 172.16.1.201:512 192.168.10.2:512 10.1.1.2:512 10.1.1.2:512
从show命令当中我们发现当我们发送数据包去往10.1.1.0段时,Client端路由器进行了PAT地址翻译,这个刚好符合我们前面所讲过的client模式下EZVPN-Client会自动创建一个loopback口,当有用户需要访问EZVPN-Server后面的主机时,EZVPN-Client会自动用loopback接口的地址做PAT的原理。那也证明我们去网10段是没有问题的了,那问题是不是出在Server端呢,是不是因为Server端不能正常的把数据包送回来而导致Client端PC不能访问Server端内部网络呢?
我们先看看Server端路由有没有问题
EZVPN-Server#show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 220.1.3.0/24 is directly connected, Serial1/2
172.16.0.0/32 is subnetted, 1 subnets
S 172.16.1.201 [1/0] via 220.1.1.2
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Serial1/2
我们发现去往172.16.1.0段的路由存在,路由没有问题,那问题出现在哪里呢?我们再回想一下我们在Server端的配置,为了能够实现Server端内部主机能够访问Internet,我们在Server端路由器上配置了NAT,配置命令如下:
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
我们发现访问控制列表1中定义了源地址为10.1.1.0的所有主机都要被翻译出去,也就是说当Server端内部主机想要回应172.16.1.0这个段的主机时,回应数据包在进入Server端路由器时因为满足被翻译的条件,所以就不能被送回给172.16.1.0的主机了,那我们怎么解决呢,我的解决办法就是修改访问控制列表1,首先把访问控制列表1删除,然后定义扩展访问控制列表111,指定原地址为10.1.1.0的到达目的地址为172.16.1.0的数据包不要被NAT翻译,其它所有数据包都将被翻译,具体命令如下:
no access-list 1
no ip nat inside source list 1 interface serial 1/2 overload
access-list 111 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 permit ip any any
ip nat inside source list 111 interface serial 1/2 overload
修改完配置命令并重置VPN连接后,我们再到Client端的PC上来做测试。
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=242ms TTL=124
Reply from 10.1.1.2: bytes=32 time=319ms TTL=124
Reply from 10.1.1.2: bytes=32 time=344ms TTL=124
Reply from 10.1.1.2: bytes=32 time=270ms TTL=124
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 242ms, Maximum = 344ms, Average = 293ms
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=340ms TTL=126
Reply from 220.1.2.2: bytes=32 time=161ms TTL=126
Reply from 220.1.2.2: bytes=32 time=159ms TTL=126
Reply from 220.1.2.2: bytes=32 time=268ms TTL=126
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 159ms, Maximum = 340ms, Average = 232ms
我们发现这个时候我们既能访问Server端内部网络又能访问外网了,哈哈实验结束!
6) 实验扩展
接着这个实验平台我们再来看看Easy VPN Remote With Network-extension
Mode下使用Split Tunneling。
EZVPN-Server的配置(同样先不启用split tunneling)
interface serial 1/2
ip address 220.1.3.2 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
no keepalive
no shutdown
exit
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
ip nat inside
exit
interface serial 1/2
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
username cisco password cisco
aaa new-mode
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30
aaa authorization network vpn-group local
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp client configuration group test
key VPNKEY
domain cisco.com
pool Remote-Pool
exit
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit
crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route
exit
crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface serial 1/2
crypto map ClientMap
exit
crypto isakmp keepalive 20 10
EZVPN-Client的配置
interface serial 1/2
ip address 220.1.1.2 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
ip nat inside
exit
interface serial 1/2
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
crypto ipsec client ezvpn test-Client
group test key VPNKEY
peer 220.1.3.2
mode network-extension
connect auto
username cisco password cisco
xauth userid mode local
exit
interface serial 1/2
crypto ipsec client ezvpn test-Client
exit
interface fastethernet 0/0
crypto ipsec client ezvpn test-Client inside
exit
ISP的配置
interface serial 1/0
ip address 220.1.3.1 255.255.255.0
no shutdown
exit
interface serial 1/1
ip address 220.1.1.1 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 220.1.2.1 255.255.255.0
no shutdown
exit
接下来到Client路由器上检查VPN建立情况。
EZVPN-Client#show crypt ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 220.1.3.2
在Server端查看路由表。
EZVPN-Server#show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 220.1.3.0/24 is directly connected, Serial1/2
S 192.168.10.0/24 [1/0] via 220.1.1.2
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Serial1/2
在网络扩展模式中应为不需要PAT,所以VPN连通后就相当与一个内部局域网,所以在show crypto ipsec client ezvpn结果中没有看到从服务器端地址池中获取到的IP地址因为现在不需要了。那这个时候Server端如何访问Client端的网络呢,因为在Server端配置了Revers-route,Server上会自动创建指向Remote内部网络的静态路由。 接下来我们在Client端的PC上测试连通性。
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=149ms TTL=126
Reply from 220.1.2.2: bytes=32 time=124ms TTL=126
Reply from 220.1.2.2: bytes=32 time=127ms TTL=126
Reply from 220.1.2.2: bytes=32 time=149ms TTL=126
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 124ms, Maximum = 149ms, Average = 137ms
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
我们发现Client端PC能正常访问Internet但不能通过VPN访问Server端内网。为什么呢?我们在PC机上跟踪一下数据包。
C:/Documents and Settings/cx>tracert 220.1.2.2
Tracing route to 220.1.2.2 over a maximum of 30 hops
1 88 ms 47 ms 46 ms 192.168.10.1
2 80 ms 100 ms 184 ms 220.1.1.1
3 72 ms 81 ms 236 ms 220.1.2.2
Trace complete.
C:/Documents and Settings/cx>tracert 10.1.1.2
Tracing route to 10.1.1.2 over a maximum of 30 hops
1 16 ms 27 ms 46 ms 192.168.10.1
2 132 ms 50 ms 70 ms 220.1.1.1
3 220.1.1.1 reports: Destination host unreachable.
Trace complete.
通过跟踪发现他们出去的下一跳地址都是220.1.1.1,就是说数据包都没有经过VPN隧道传输,而是直接走了PAT,通过在Client端show ip nat translation得以证明。
EZVPN-Client#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 220.1.1.2:512 192.168.10.2:512 10.1.1.2:512 10.1.1.2:512
icmp 220.1.1.2:512 192.168.10.2:512 220.1.2.2:512 220.1.2.2:512
所以能ping通Internet WEB就很正常了,但是ping 10.1.1.2的数据包由于被送到了ISP路由器,而ISP路由器上没有到达10.1.1.0网段的路由,所以返回目的地不可达的回应。那怎么解决这个问题呢,可能这个时候我们想到那就用隧道分离不就可以了吗?那我们来试试看,首先在Server端加上隧道分离的命令,如下:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
acl 100
接下来在Client端重新建立VPN连接并测试。
clear crypto session 清除原有的VPN连接
Mar 30 14:52:19.935: EZVPN(test-Client): Pending XAuth Request, Please enter the following command:
Mar 30 14:52:19.939: EZVPN: crypto ipsec client ezvpn xauth
应为启用了XAUTH认证,所以在连接重置后要求重新输入用户名和密码
使用show crypto ipsec client ezvpn查看隧道建立是否成功是否启用了隧道分离
EZVPN-Client#show crypt ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
Address : 10.1.1.0
Mask : 255.255.255.0
Protocol : 0×0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 220.1.3.2
我们看见隧道分离建立成功,接下来在PC端测试。
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
测试结果还是目的不可达,为什么呢?这里我个人是这样理解的,首先我们在服务器和客户端上都启用了NAT功能,当Easy VPN Client工作在Easy VPN Remote Client模式下时,EZVPN-Client会自动创建一个loopback口,当有用户需要访问EZVPN-Server后面的主机时,EZVPN-Client会自动用loopback接口的地址做PAT,这个时候Easy VPN Client自动创建的PAT要优先于我们手动配置的NAT,当不匹配PAT时再匹配NAT,所以Client模式下默认EZVPN-Client端内网的PC ping不通外网,因为所有的数据包都被送到隧道里面去了,并没有送到外网,所以当启用隧道分离后就能解决这个问题了。而当Easy VPN Client工作在Easy VPN Remote network-extension模式下时,EZVPN-Client不需要创建PAT,当VPN连通后就相当与一个内部局域网。这个时候在EZVPN-Client端上只有一个我们手动配置的NAT,所以当数据包进入路由器的时候,还没有来得及把数据包送到隧道里面就先被NAT翻译出去了,所以也就导致在这个模式下,能ping通外网WEB,但不能ping通对端内网的PC。这个时候即使我们在服务器上启用了隧道分离技术也没有用,因为数据包先被NAT出去了。要解决这个问题我们只能在EZVPN-Client上更改NAT的配置,告诉NAT哪些数据包要NAT出去,哪些不要被NAT,并把EZVPN-Server上有关隧道分离的命令删除,具体修改配置如下:
EZVPN-Server端
no access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
no acl 100
EZVPN-Client端
no access-list 1 permit 192.168.10.0 0.0.0.255
access-list 111 deny ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip any any
ip nat inside source list 111 interface serial 1/2 overload
在Client端PC机上测试。
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=242ms TTL=124
Reply from 10.1.1.2: bytes=32 time=319ms TTL=124
Reply from 10.1.1.2: bytes=32 time=344ms TTL=124
Reply from 10.1.1.2: bytes=32 time=270ms TTL=124
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 242ms, Maximum = 344ms, Average = 293ms
我自己
