高可用性GRE+IPSEC中心—分支
在实际网络运用中我们时常跑GRE+IPSEC来实现我们中心到分支的远程访问回话,这样以来容易配置,而来可用性高,我们知道L2L无论是链路备份还是设备备份,都不是状态备份,当一个点断掉后,用经过几十秒甚至1分多种的时间收敛,才能切换到另一条线路上,重新构建ipsec回话。我们用GRE+IPSEC则可以用更少的时间来切换线路。
要求:
1.实现ipsec高可用性切换
2.在中心站点部署两台vpn网管,跑gre
R1:
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 69.1.10.5 no-xauth
crypto isakmp key cisco address 88.88.8.4 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
mode transport
crypto map mymap local-address Ethernet0/0
crypto map mymap 10 ipsec-isakmp
set peer 69.1.10.5
set transform-set liang
match address 101
crypto map mymap 20 ipsec-isakmp
set peer 88.88.8.4
set transform-set liang
match address 102
!interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface Loopback1
ip address 1.1.1.1 255.255.255.255
interface Tunnel0
bandwidth 1000
ip address 10.1.15.1 255.255.255.0
ip mtu 1438
keepalive 10 3
tunnel source Ethernet0/0
tunnel destination 69.1.10.5
interface Tunnel1
ip address 10.1.14.1 255.255.255.0
ip mtu 1438
keepalive 10 3
tunnel source Ethernet0/0
tunnel destination 88.88.8.4
interface Ethernet0/0
ip address 191.1.1.1 255.255.255.0
half-duplex
crypto map mymap
router ospf 10
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.15.0 0.0.0.255 area 1
network 10.1.14.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 191.1.1.3
access-list 101 permit gre host 191.1.1.1 host 69.1.10.5
access-list 102 permit gre host 191.1.1.1 host 88.88.8.4
R2:
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 88.88.8.4 no-xauth
crypto isakmp key cisco address 69.1.10.5 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
mode transport
crypto map mymap local-address Ethernet0/1
crypto map mymap 10 ipsec-isakmp
set peer 88.88.8.4
set transform-set liang
match address 101
crypto map mymap 20 ipsec-isakmp
set peer 69.1.10.5
set transform-set liang
match address 102
interface Loopback0
ip address 192.168.2.2 255.255.255.0
interface Loopback1
ip address 2.2.2.2 255.255.255.255
interface Tunnel0
bandwidth 1000
ip address 10.1.24.2 255.255.255.0
ip mtu 1483
keepalive 10 3
tunnel source Ethernet0/1
tunnel destination 88.88.8.4
interface Tunnel1
ip address 10.1.25.2 255.255.255.0
ip mtu 1438
keepalive 10 3
tunnel source Ethernet0/1
tunnel destination 69.1.10.5
interface Ethernet0/1
ip address 192.1.1.2 255.255.255.0
router ospf 10
log-adjacency-changes
network 10.1.24.0 0.0.0.255 area 1
network 10.1.25.0 0.0.0.255 area 1
ip route 0.0.0.0 0.0.0.0 192.1.1.3
access-list 101 permit gre host 192.1.1.2 host 88.88.8.4
access-list 102 permit gre host 192.1.1.2 host 69.1.10.5
R4
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 192.1.1.2 no-xauth
crypto isakmp key cisco address 191.1.1.1 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
mode transport
crypto map mymap local-address Ethernet0/2
crypto map mymap 10 ipsec-isakmp
set peer 192.1.1.2
set transform-set liang
match address 101
crypto map mymap 20 ipsec-isakmp
set peer 191.1.1.1
set transform-set liang
match address 102
interface Loopback0
ip address 4.4.4.4 255.255.255.255
iterface Tunnel0
bandwidth 1000
ip address 10.1.24.4 255.255.255.0
ip mtu 1483
keepalive 10 3
tunnel source Ethernet0/2
tunnel destination 192.1.1.2
interface Tunnel1
ip address 10.1.14.4 255.255.255.0
ip mtu 1483
keepalive 10 3
tunnel source Ethernet0/2
tunnel destination 191.1.1.1
interface Ethernet0/0
ip address 192.168.3.4 255.255.255.0
full-duplex
interface Ethernet0/2
ip address 88.88.8.4 255.255.255.0
crypto map mymap
router ospf 10
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 0
network 10.1.14.0 0.0.0.255 area 1
network 10.1.24.0 0.0.0.255 area 1
network 192.168.3.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 88.88.8.3
access-list 101 permit gre host 88.88.8.4 host 192.1.1.2
access-list 102 permit gre host 88.88.8.4 host 191.1.1.1
R5
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 191.1.1.1 no-xauth 两个peer 在上为主
crypto isakmp key cisco address 192.1.1.2 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
mode transport
crypto map mymap local-address Ethernet1/3
crypto map mymap 10 ipsec-isakmp
set peer 191.1.1.1
set transform-set liang
match address 101
crypto map mymap 20 ipsec-isakmp
set peer 192.1.1.2
set transform-set liang
match address 102
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Tunnel0
bandwidth 1000 GRE默认带宽是9我们指定1000 使其优先级高成为主线路
ip address 10.1.15.5 255.255.255.0
ip mtu 1438
keepalive 10 3
tunnel source Ethernet1/3
tunnel destination 191.1.1.1
interface Tunnel1
ip address 10.1.25.5 255.255.255.0
ip mtu 1438 指定mtu
keepalive 10 3
tunnel source Ethernet1/3
tunnel destination 192.1.1.2
interface Ethernet1/3
ip address 69.1.10.5 255.255.255.0
half-duplex
crypto map mymap
interface Vlan1
no ip address
router ospf 10
log-adjacency-changes
network 5.5.5.5 0.0.0.0 area 0
network 10.1.15.0 0.0.0.255 area 1
network 10.1.25.0 0.0.0.255 area 1
network 192.168.4.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 69.1.10.3
access-list 101 permit gre host 69.1.10.5 host 191.1.1.1
access-list 102 permit gre host 69.1.10.5 host 192.1.1.2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.1.1.3 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/11212] via 10.1.25.5, 00:19:40, Tunnel1 通过主链路学到的路由
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback1
4.0.0.0/32 is subnetted, 1 subnets
O IA 4.4.4.4 [110/11114] via 10.1.25.5, 00:19:40, Tunnel1
5.0.0.0/32 is subnetted, 1 subnets
O IA 5.5.5.5 [110/11112] via 10.1.25.5, 00:19:40, Tunnel1
6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/11113] via 10.1.25.5, 00:19:40, Tunnel1
O IA 192.168.4.0/24 [110/11112] via 10.1.25.5, 00:19:40, Tunnel1
10.0.0.0/24 is subnetted, 4 subnets
O 10.1.15.0 [110/11211] via 10.1.25.5, 00:19:40, Tunnel1
O IA 10.1.14.0 [110/22224] via 10.1.25.5, 00:00:09, Tunnel1
C 10.1.25.0 is directly connected, Tunnel1
C 10.1.24.0 is directly connected, Tunnel0
C 192.1.1.0/24 is directly connected, Ethernet0/1
192.168.1.0/32 is subnetted, 1 subnets
O IA 192.168.1.1 [110/11212] via 10.1.25.5, 00:19:40, Tunnel1
C 192.168.2.0/24 is directly connected, Loopback0
O IA 192.168.3.0/24 [110/11113] via 10.1.25.5, 00:19:40, Tunnel1
S* 0.0.0.0/0 [1/0] via 192.1.1.3
当r4出现线路故障,自动切换到r5
此图与L2L站点到站点vpn优势:
1.自动切换,时间短,
2.无须匹配加密数据流,可跑动态路由协议,自己协商,方便,我们只需配置GRE其他的让她们自己去协商
3.配置简单,方便配错,特别是对于多点配置,L2Lvpn配置起来超麻烦,站点多了要配DMVPN,在这我们只需起一条 tunnel 隧道就行了!
4.还有更加简单的配置 用ipsec pro 这个有时间我补在后面
5.等等 呵呵
本文转自q狼的诱惑 51CTO博客,原文链接:http://blog.51cto.com/liangrui/533202,如需转载请自行联系原作者
高可用性GRE+IPSEC中心—分支的更多相关文章
- Git 最佳实践:分支管理
5月份,为统一团队git分支管理规范,刚开始准备自己写,在网上搜了下,发现不少不错的git分支管理实践.最后我为团队选择了这个git分支管理实践 A successful Git branching ...
- Linux TC流量控制HOWTO中文版
<本文摘自Linux的高级路由和流量控制HOWTO中文版 第9章节>网人郭工进行再次编译: 利用队列,我们可以控制数据发送的方式.记住我们只能对发送数据进行控制(或称为整形).其实,我们无 ...
- Linux TC (traffic control)
在着手学习TC采用如下单位来描述带宽: mbps = 1024 kbps = 1024 * 1024 bps => byte/s mbit = 1024 kbit => kilo bit/ ...
- SDN实验---OVS了解(转载)
转载自:https://opengers.github.io/openstack/openstack-base-use-openvswitch/ 一:Open vSwitch介绍 (一)介绍 在过去, ...
- Networking 基本术语/概念
目录 文章目录 目录 基本概念 冲突域(Collision Domain) 广播域(Broadcast Domain) 冲突域与广播域的区别 IP 网络数据传输方式 物理网络设备 发展简述 中继器(R ...
- MGRE及实验
tunnel 隧道:一种的简单的VPN技术: 普通的tunnel为点到点网络类型: 生成隧道接口,流量通过路由查询后,若通过隧道接口转发时,需要在原有的三层报头前,再添加一个公有地址间的报头: 将两个 ...
- CCNP之二层技术
二层技术 ---数据链路层 核心功能:介质访问控制功能,控制物理层 网络类型: 1)MA:multiple access 多路访问(指在一条链路上有多个访问点,区别于点到点或点到多点的网络) BMA: ...
- CCNP之MERG实验报告
MGRE实验报告 一.实验要求: 1.R5为ISP,只能配置IP地址 2.R1--R3间建立MGRE环境,且使用EIGRP来学习各自环回 3.R4可以正常访问R5的环回 4.R1与R5进行chap认证 ...
- Java 框架、库和软件的精选列表(awesome java)
原创翻译,原始链接 本文为awesome系列中的awesome java Awesome Java Java 框架.库和软件的精选列表 项目 Bean映射 简化 bean 映射的框架 dOOv - 为 ...
随机推荐
- Hadoop(学习·2)
Hadoop 操作步骤: 192.168.1.110-113 ...
- Idea离线安装plugins插件 如Lombok
由于公司不允许使用外网,之前用的idea 15 安装了一次.但是idea15的提示不够友好,今天升级idea2017.3.2,同样又需要安装,那就写个教程吧. 网上其他的安装教程不通用,也是针对不同i ...
- 登陆ECP后,无法正常现实OU
当我们在ECP创建邮箱账户或者会议室的时候,发现无法预览所有OU信息 这是因为,默认情况下,Exchange只能识别到500个OU,如果要解决这个问题就需要我们到后端服务器修改配置文件 文件路径:C: ...
- 科技发展时间线(Technology Timeline)
本文主要记录,过去两百年间,科技发展的时间线 这些内容,是自己在学习电脑发展历史的时候做的, 感兴趣的同学,可以复制到 Excel 里面,按顺序逐一进行学习, 学习和整理的过程确实花了很长时间,但是并 ...
- java 字符串截取 - 最后带上mysql字符串截取比较
Java中的substring()方法有两个方法的重载,一个带一个参数的,一个带两个参数的. 第一种写法: substring(n);//从索引是n的字符开始截取,条件(n>=0,n<字符 ...
- Floyd-例题-实现-我的第一篇博客
https://www.cnblogs.com/lbssxz/p/11014911.html 这是网上看到的题目,以上是原博主的解答和题目来源(没找到别的题目来源) 题目大意: 城市交通费 [问题描述 ...
- JSON Extractor(JSON提取器)
JSON提取器 Variable names(名称):提取器的名称Apply to(应用范围):Main sample and sub-samples:应用于主sample及子sampleMain s ...
- Daily Scrum 1/6/2015
Process: Zhaoyang: Complete the speech API test and do some UI upgrade. Yandong: Help zhaoyang to do ...
- 无序map 记录一下
unordered_map<int ,int >mp; unordered_map是基于hash表实现的,查找元素的复杂度可以达到o(1),查找n个元素,复杂度为o(n). map是基于红 ...
- React AntDesign 引入css
React项目是用umi脚手架搭建的AntDesign,用到一个第三方表格组件Jexcel,npm install 之后组件的样式加载不上,犯了愁,翻阅各种资料,踏平两个小坑. 大家都知道,安装完成的 ...