Kagamigawa (Spotlight)
Hardware platform: i3-7100U, 8G/2400 RAM, 64G mSATA SSD
Host system: ESXi 6.7
Router firmware: csr1000v-universalk9.16.09.03.SPA.bin
The three protocols/protocol families left without comments, IKEv2/IPsec DMVPN, OSPFv2 and BGP: I'll leave it to you to guess what they are for.
==================================================== below ===========================================================
version 16.9
service timestamps debug datetime localtime //debug timestamps use the current local time
service timestamps log datetime localtime //log timestamps use the current local time
service password-encryption //obfuscate passwords stored in the config
!
hostname gateway //set the system name
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.16.09.03.SPA.bin //firmware image to boot
boot-end-marker
!
logging console notifications //console logging at level 6
enable secret 5 $1$YBp/$JbbIgwH7OoaaSQ5cZm6kU/ //privilege level 15 enable secret
!
aaa new-model //enable AAA
!
aaa authentication login default local //login authentication defaults to local accounts
aaa authentication ppp default local //LNC dial-in defaults to local accounts
!
clock timezone CST 8 0 //set the time zone to China Standard Time
!
ip nbar http-services //enable traffic classification
ip name-server 8.8.8.8 //use 8.8.8.8 as the DNS server
ip host gateway.local 192.168.0.1 //FQDN of the gateway
ip host vmware.local 192.168.0.100 //FQDN of the hypervisor host behind the gateway
ip domain name local //set the domain name
ip ddns update method 3322 //enable dynamic DNS updates
 HTTP
  add http://REDACTED:REDACTED/nic/update?system=dyndns&hostname=&myip=
 interval maximum 0 0 1 0
 interval minimum 0 0 1 0
!
ip dhcp excluded-address 192.168.0.1 192.168.0.100 //addresses excluded from the DHCP pool
ip dhcp excluded-address 192.168.1.1 192.168.1.100 //addresses excluded from the DHCP pool
ip dhcp pool LAN //DHCP pool for local LAN users
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1
ip dhcp pool l2tp-pool //DHCP pool for LNC users
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
!
login on-success log //log successful logins
!
vpdn enable
!
vpdn-group l2tpv2 //VPDN group accepting L2TP dial-in
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
spanning-tree mode mst //enable spanning tree and its features
spanning-tree extend system-id
spanning-tree mst 0 priority 24576
username Chloe password 7 097D5F5X4C534647525F507X //local account
!
bridge-domain 1 //LAN bridge domain
 member GigabitEthernet6 service-instance 1
 member GigabitEthernet2 service-instance 1
 member GigabitEthernet3 service-instance 1
 member GigabitEthernet4 service-instance 1
 member GigabitEthernet5 service-instance 1
!
crypto ikev2 proposal DMVPN
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
crypto ikev2 policy DMVPN
 proposal DMVPN
crypto ikev2 keyring DMVPN
 peer DMVPN
  address 0.0.0.0 0.0.0.0
  pre-shared-key REDACTED
crypto ikev2 profile DMVPN
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN
!
lldp run //enable link-layer neighbor discovery (LLDP)
cdp run //enable neighbor discovery (CDP)
!
crypto isakmp policy 1 //create an IKEv1 policy
 encr aes 256 //encryption algorithm AES-256
 hash md5 //hash algorithm MD5
 authentication pre-share //authenticate with a pre-shared key
 group 14 //DH group
crypto isakmp key REDACTED address 0.0.0.0 //pre-shared key XXXX
crypto ipsec transform-set l2tp esp-aes 256 esp-md5-hmac //IPsec transform set: algorithms ESP uses to encrypt and hash the packet payload
 mode transport //use transport mode
crypto ipsec profile DMVPN
 set ikev2-profile DMVPN
crypto dynamic-map l2tp 1 //create the dynamic map that references the transform set
 set transform-set l2tp
crypto map l2tp 1 ipsec-isakmp dynamic l2tp
!
interface Tunnel0
 description VPN-interface
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication REDACTED
 ip nhrp map 192.168.2.254 95.179.242.141
 ip nhrp map multicast 95.179.242.141
 ip nhrp network-id 1
 ip nhrp nhs 192.168.2.254
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf 110 area 0
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet1 //interface used for PPPoE dial-up
 no ip address
 negotiation auto
 pppoe enable group global
 cdp enable
 pppoe-client dial-pool-number 1
interface GigabitEthernet2 //LAN port
 no ip address
 negotiation auto
 cdp enable
 service instance 1 ethernet
  encapsulation untagged
interface GigabitEthernet3 //LAN port
 no ip address
 negotiation auto
 cdp enable
 service instance 1 ethernet
  encapsulation untagged
interface GigabitEthernet4 //LAN port
 no ip address
 negotiation auto
 no mop sysid
 service instance 1 ethernet
  encapsulation untagged
interface GigabitEthernet5 //LAN port
 no ip address
 negotiation auto
 cdp enable
 service instance 1 ethernet
  encapsulation untagged
interface GigabitEthernet6 //LAN port
 no ip address
 negotiation auto
 service instance 1 ethernet
  encapsulation untagged
!
interface Virtual-Template1 //L2TP dial-in template
 ip address 192.168.1.1 255.255.255.0 //gateway address
 ip nat inside //NAT inside
 ip ospf 110 area 0
 peer default ip address dhcp-pool l2tp-pool //bind the DHCP pool
 ppp authentication chap eap ms-chap ms-chap-v2 pap //enable every authentication method
!
interface Dialer1 //PPPoE dialer interface
 description WAN //description
 ip ddns update hostname XXXf3322.net //enable DDNS dynamic name updates
 ip ddns update 3322 host members.3322.net
 ip address negotiated //address obtained by negotiation
 ip nat outside //NAT outside
 encapsulation ppp //PPP encapsulation at the link layer
 ip tcp adjust-mss 1452 //adjust the TCP MSS to 1518-18-8-20-20=1452
 dialer pool 1 //use dialer pool 1
 ppp pap sent-username REDACTED password 7 091D1C5A4D50414553 //ISP account name and password
 ppp ipcp route default //take the default route from IPCP
 crypto map l2tp //apply the crypto map
 ip virtual-reassembly max-reassemblies 1024 //mitigate fragmentation attacks
!
interface BDI1 //LAN interface
 description LAN //description
 ip address 192.168.0.1 255.255.255.0 //gateway address for local users
 ip nat inside //NAT inside
 ip nbar protocol-discovery //enable traffic identification
 ip ospf 110 area 0
 arp timeout 60 //ARP timeout
!
router ospf 110
 router-id 192.168.2.1
!
router bgp 64512
 template peer-policy iBGP
  soft-reconfiguration inbound
  send-community both
 exit-peer-policy
 template peer-session iBGP
  remote-as 64512
  update-source Tunnel0
 exit-peer-session
 bgp router-id 192.168.2.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 192.168.2.254 inherit peer-session iBGP
 address-family ipv4
  neighbor 192.168.2.254 activate
  neighbor 192.168.2.254 inherit peer-policy iBGP
 exit-address-family
!
ip nat inside source list 1 interface Dialer1 overload //PAT for inside sources
!
ip http server //enable HTTP
ip http authentication local //HTTP local authentication
ip http secure-server //enable HTTPS
ip tftp source-interface BDI1 //TFTP sourced from the BDI interface
!
ip dns server //act as a DNS forwarder
!
access-list 1 permit 192.168.0.0 0.0.0.255 //ACL matching local users
access-list 1 permit 192.168.1.0 0.0.0.255 //ACL matching LNC users
!
line vty 0 4
 exec-timeout 3600 0 //idle timeout
 transport input all //allowed login protocols
!
ntp master 1 //act as an NTP server
ntp server cn.pool.ntp.org //remote NTP server address
!
end
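A reviewer reading a config like the one above would want a quick, repeatable way to flag the settings that weaken it: the IKEv2 proposal still offers md5/sha1 and DH groups 2 and 5, the IKEv1 policy hashes with MD5, the transform set authenticates ESP with MD5, L2TP tunnel authentication is off, plaintext HTTP is on, and the vty lines accept every transport with a 3600-minute idle timeout. The script below is an added example, not part of the forum post and not a Cisco tool; it walks an IOS-style config by indentation and reports such findings. The thresholds (which hashes, DH groups and ESP authenticators count as weak, and the maximum acceptable exec-timeout) are assumptions chosen for the illustration, and both sample configs are constructed excerpts, one re-indented from the posted config and one showing the corrected settings.

```python
"""Audit an IOS-style config for weak IKE/IPsec and management-plane settings (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the relevant lines of the posted config, indented as IOS prints them.
SAMPLE_CONFIG = """\
crypto ikev2 proposal DMVPN
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 14
crypto ipsec transform-set l2tp esp-aes 256 esp-md5-hmac
 mode transport
vpdn-group l2tpv2
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
ip http server
ip http secure-server
line vty 0 4
 exec-timeout 3600 0
 transport input all
"""

# Constructed sample: the same sections with the settings a reviewer would ask for.
HARDENED_CONFIG = """\
crypto ikev2 proposal DMVPN
 encryption aes-cbc-256
 integrity sha512 sha256
 group 19 14
crypto ipsec transform-set l2tp esp-aes 256 esp-sha256-hmac
 mode transport
vpdn-group l2tpv2
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp tunnel authentication
no ip http server
ip http secure-server
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""

WEAK_HASHES = {"md5", "sha1"}                      # assumption: MD5 and SHA-1 count as weak
WEAK_DH_GROUPS = {"1", "2", "5"}                   # assumption: MODP groups below 2048 bits
WEAK_ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}   # esp-sha-hmac is HMAC-SHA1 on IOS
MAX_EXEC_TIMEOUT_MIN = 30                          # assumption: longest acceptable vty idle timeout


@dataclass(frozen=True)
class Finding:
    code: str      # short tag for the kind of finding
    section: str   # top-level config line the finding belongs to
    line: str      # the offending line
    detail: str


def parse_sections(config: str):
    """Yield (section, line) pairs; IOS marks nesting with leading spaces."""
    section = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            section = raw.strip()
            yield section, section
        else:
            yield section, raw.strip()


def audit(config: str) -> list[Finding]:
    """Return the findings for one config; an empty list means nothing was flagged."""
    findings: list[Finding] = []

    def add(code: str, section: str, line: str, detail: str) -> None:
        findings.append(Finding(code, section, line, detail))

    for section, line in parse_sections(config):
        tokens = line.split()
        head, args = tokens[0], tokens[1:]
        if section.startswith("crypto ikev2 proposal"):
            if head == "integrity" and (weak := sorted(WEAK_HASHES & set(args))):
                add("weak-ikev2-integrity", section, line, f"offers {', '.join(weak)}")
            elif head == "group" and (weak := sorted(WEAK_DH_GROUPS & set(args), key=int)):
                add("weak-ikev2-dh", section, line, f"offers DH group(s) {', '.join(weak)}")
        elif section.startswith("crypto isakmp policy"):
            if head == "hash" and args and args[0] in WEAK_HASHES:
                add("weak-isakmp-hash", section, line, f"IKEv1 policy hashes with {args[0]}")
            elif head == "group" and args and args[0] in WEAK_DH_GROUPS:
                add("weak-isakmp-dh", section, line, f"IKEv1 policy uses DH group {args[0]}")
        elif section.startswith("crypto ipsec transform-set") and line == section:
            if weak := sorted(WEAK_ESP_AUTH & set(tokens)):   # transforms sit on the header line
                add("weak-esp-auth", section, line, f"ESP authenticator {', '.join(weak)}")
        elif section.startswith("vpdn-group") and line == "no l2tp tunnel authentication":
            add("l2tp-no-tunnel-auth", section, line, "L2TP tunnel endpoints are not authenticated")
        elif line == "ip http server":
            add("http-plaintext", section, line, "management over plaintext HTTP; keep only ip http secure-server")
        elif section.startswith("line vty"):
            if head == "transport" and args == ["input", "all"]:
                add("vty-telnet", section, line, "vty accepts telnet; use transport input ssh")
            elif head == "exec-timeout" and args and int(args[0]) > MAX_EXEC_TIMEOUT_MIN:
                add("vty-long-timeout", section, line, f"idle sessions live {args[0]} minutes")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.code}] {f.section!r}: {f.line!r} -> {f.detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Running it over the posted excerpt produces eight findings and over the hardened excerpt none; the section tracking matters because `group 14` is acceptable under an IKEv1 policy while `group 5 2` in the IKEv2 proposal is not, and the two must not be confused.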
=========================================================== show ==============================================================
gateway#sh ip route
S* 0.0.0.0/0 [1/0] via 4X.11X.72.1
8.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B 8.8.4.0/24 [200/0] via 192.168.2.254, 1d06h
B 8.8.8.0/24 [200/0] via 192.168.2.254, 1d06h
B 8.34.208.0/21 [200/0] via 192.168.2.254, 1d06h
B 8.34.216.0/21 [200/0] via 192.168.2.254, 1d06h
B 8.35.192.0/21 [200/0] via 192.168.2.254, 1d06h
B 8.35.200.0/21 [200/0] via 192.168.2.254, 1d06h
23.0.0.0/8 is variably subnetted, 5 subnets, 5 masks
B 23.228.128.0/18 [200/0] via 192.168.2.254, 1d06h
B 23.228.128.0/21 [200/0] via 192.168.2.254, 1d06h
B 23.236.48.0/20 [200/0] via 192.168.2.254, 1d06h
B 23.251.128.0/19 [200/0] via 192.168.2.254, 1d06h
B 23.255.128.0/17 [200/0] via 192.168.2.254, 1d06h
34.0.0.0/8 is variably subnetted, 14 subnets, 3 masks
B 34.64.0.0/11 [200/0] via 192.168.2.254, 1d06h
B 34.64.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.68.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.72.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.76.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.80.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.84.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.88.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.92.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.96.0.0/12 [200/0] via 192.168.2.254, 1d06h
B 34.96.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.100.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.104.0.0/14 [200/0] via 192.168.2.254, 1d06h
B 34.108.0.0/14 [200/0] via 192.168.2.254, 1d06h
35.0.0.0/8 is variably subnetted, 92 subnets, 8 masks
B 35.184.0.0/13 [200/0] via 192.168.2.254, 1d06h
B 35.184.0.0/19 [200/0] via 192.168.2.254, 1d06h

--More--

Comments
one-time (Level 13)
Thanks a lot for sharing! :handshake
wuhao0015 (Spotlight)
Last edited by wuhao0015 on 2019-6-10 13:58
What kind of license are you running? The default performance is very low. The CSR1KV is quite demanding on resources, especially memory.
You set up a tunnel (DMVPN) to a server abroad with L2TP on the far end, so dial-in clients can go out through the tunnel.
L2TP isn't great; the clients' domestic traffic also has to go out through the gateway..
IPsec tunnels are very easy to get blocked...
Kagamigawa (Spotlight)
Last edited by zylccna2015 on 2019-6-10 16:35
wuhao0015 posted on 2019-6-10 12:40:
What kind of license are you running? The default performance is very low. The CSR1KV is quite demanding on resources, especially memory.
You set up a tunnel to a server abroad ...

The tunnel is built with IKEv2 + DMVPN + BGP; IKEv1 may have had problems before. The far end is also a CSR1000v, and 4G of memory is enough. As for the license, it's AX 2.5G with all features, rotated every 60 days.
Kagamigawa (Spotlight)
wuhao0015 posted on 2019-6-10 12:40:
What kind of license are you running? The default performance is very low. The CSR1KV is quite demanding on resources, especially memory.
You set up a tunnel to a server abroad ...

Not all traffic goes through the tunnel; in BGP I redistributed all the prefixes in the ASNs of Google and similar companies, which you can look up on the BGP toolkit site.
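The reply above, together with the `show ip route` output, describes a split routing policy: BGP routes learned over Tunnel0 carry selected prefixes, and everything else follows the static default via the ISP. The script below is an added example, not part of the forum post, that parses a constructed excerpt of such a routing table and answers two questions a reviewer would ask of it: which next hop a given destination takes (longest-prefix match, as the router's FIB decides it), and which more-specific routes are shadowed by a covering route with the same next hop, as `34.64.0.0/14` is by `34.64.0.0/11` in the posted table. The redacted ISP next hop (`4X.11X.72.1` in the post) is replaced with the documentation address 203.0.113.1.

```python
"""Parse `show ip route` output and resolve the egress for a destination (added example)."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the posted routing table; redacted next hop replaced.
SAMPLE_ROUTES = """\
gateway#sh ip route
S*    0.0.0.0/0 [1/0] via 203.0.113.1
      8.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        8.8.4.0/24 [200/0] via 192.168.2.254, 1d06h
B        8.8.8.0/24 [200/0] via 192.168.2.254, 1d06h
      34.0.0.0/8 is variably subnetted, 14 subnets, 3 masks
B        34.64.0.0/11 [200/0] via 192.168.2.254, 1d06h
B        34.64.0.0/14 [200/0] via 192.168.2.254, 1d06h
C        192.168.0.0/24 is directly connected, BDI1
C        192.168.2.0/24 is directly connected, Tunnel0
 --More--
"""

# Route lines start with a code ("B", "S*", "O IA"); summary and pager lines start with a space.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z*]?(?: [A-Z]{1,2})?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    next_hop: str   # next-hop address, or the interface name for connected routes


def parse_routes(text: str) -> list[Route]:
    """Extract one Route per routing-table entry; everything else is ignored."""
    routes: list[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        via = re.search(r"\bvia\s+(\d+(?:\.\d+){3})", rest)
        conn = re.search(r"directly connected,\s+(\S+)", rest)
        hop = via.group(1) if via else conn.group(1) if conn else None
        if hop is None:
            continue
        network = ipaddress.ip_network(m.group("prefix"), strict=False)
        routes.append(Route(m.group("code").strip(), network, hop))
    return routes


def lookup(routes: list[Route], dst: str) -> Route | None:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def shadowed_routes(routes: list[Route]) -> list[Route]:
    """More-specific routes whose next hop equals that of a covering, less-specific route.

    They change nothing in forwarding; the covering route already delivers the same result.
    """
    out: list[Route] = []
    for r in routes:
        for other in routes:
            if (other is not r and other.network.prefixlen < r.network.prefixlen
                    and r.network.subnet_of(other.network) and other.next_hop == r.next_hop):
                out.append(r)
                break
    return out


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("8.8.8.8", "1.1.1.1", "34.65.0.1", "34.90.0.1"):
        r = lookup(table, dst)
        print(f"{dst:>12} -> {r.network} via {r.next_hop} ({r.code})")
    print("shadowed:", [str(r.network) for r in shadowed_routes(table)])
```

With the sample table, 8.8.8.8 and the 34.64.0.0/11 block resolve to the tunnel neighbour 192.168.2.254 while 1.1.1.1 falls through to the ISP default; the same code run over the full table (minus the `--More--` pager breaks) shows exactly which destinations the BGP-injected prefixes divert.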
Yuan Li (Spotlight)
Thanks for sharing, learned something :handshake