eNSP
The network topology is as follows (the diagram is not reproduced here). The goal of the lab is to connect the two private networks so that PC1 can ping PC2.

【1】、PC configuration:
PC1 and PC2 (the configuration screenshots are not reproduced here).

【2】、R1 basic configuration:
<Huawei>sys
[Huawei]undo info-center enable
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.10.254 24
[Huawei-GigabitEthernet0/0/0]undo shut
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 100.1.1.1 30
[Huawei-GigabitEthernet0/0/1]undo shut
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 0.0.0.0 0.0.0.0 100.1.1.2

【3】、R2 basic configuration:
<Huawei>sys
[Huawei]undo info-center enable
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 200.1.1.1 30
[Huawei-GigabitEthernet0/0/1]undo shut
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.20.254 24
[Huawei-GigabitEthernet0/0/0]undo shut
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ip route-static 0.0.0.0 0.0.0.0 200.1.1.2

【4】、ISP basic configuration:
<Huawei>sys
[Huawei]undo info-center enable
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 100.1.1.2 30
[Huawei-GigabitEthernet0/0/0]undo shut
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 200.1.1.2 30
[Huawei-GigabitEthernet0/0/1]undo shut
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]int LoopBack 0
[Huawei-LoopBack0]ip add 2.2.2.2 32
[Huawei-LoopBack0]quit

【5】、IPSec configuration:

(1)、Define the data flow to be protected (the "interesting traffic")

R1 configuration:
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

R2 configuration:
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

(2)、Configure the IPSec proposal

R1 configuration:
[Huawei]ipsec proposal cd
[Huawei-ipsec-proposal-cd]encapsulation-mode tunnel          // the IPSec VPN works in tunnel mode
[Huawei-ipsec-proposal-cd]transform esp                      // the security protocol of the proposal is ESP
[Huawei-ipsec-proposal-cd]esp encryption-algorithm des       // the encryption algorithm of the proposal is DES
[Huawei-ipsec-proposal-cd]esp authentication-algorithm md5   // the authentication algorithm of the proposal is MD5

R2 configuration:
[Huawei]ipsec proposal bj
[Huawei-ipsec-proposal-bj]encapsulation-mode tunnel
[Huawei-ipsec-proposal-bj]transform esp
[Huawei-ipsec-proposal-bj]esp encryption-algorithm des
[Huawei-ipsec-proposal-bj]esp authentication-algorithm md5

(3)、Configure the manual IPSec policy

R1 configuration:
[Huawei]ipsec policy chengdu 10 manual                                       // create IPSec policy chengdu, keying mode manual
[Huawei-ipsec-policy-manual-chengdu-10]security acl 3000                     // protect the traffic matched by ACL 3000
[Huawei-ipsec-policy-manual-chengdu-10]proposal cd                           // use IPSec proposal cd
[Huawei-ipsec-policy-manual-chengdu-10]tunnel local 100.1.1.1                // local tunnel address
[Huawei-ipsec-policy-manual-chengdu-10]tunnel remote 200.1.1.1               // remote tunnel address
[Huawei-ipsec-policy-manual-chengdu-10]sa spi inbound esp 54321              // inbound SA SPI 54321
[Huawei-ipsec-policy-manual-chengdu-10]sa string-key inbound esp cipher kiki  // inbound SA key (kiki)
[Huawei-ipsec-policy-manual-chengdu-10]sa spi outbound esp 12345             // outbound SA SPI 12345
[Huawei-ipsec-policy-manual-chengdu-10]sa string-key outbound esp cipher kiki // outbound SA key (kiki)

R2 configuration:
[Huawei]ipsec policy beijing 10 manual
[Huawei-ipsec-policy-manual-beijing-10]security acl 3000
[Huawei-ipsec-policy-manual-beijing-10]proposal bj
[Huawei-ipsec-policy-manual-beijing-10]tunnel local 200.1.1.1
[Huawei-ipsec-policy-manual-beijing-10]tunnel remote 100.1.1.1
[Huawei-ipsec-policy-manual-beijing-10]sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-beijing-10]sa string-key inbound esp cipher kiki
[Huawei-ipsec-policy-manual-beijing-10]sa spi outbound esp 54321
[Huawei-ipsec-policy-manual-beijing-10]sa string-key outbound esp cipher kiki

Note: R1's inbound direction corresponds to R2's outbound direction; likewise, R2's inbound direction corresponds to R1's outbound direction.

(4)、Apply the security policy on the interface

R1 configuration:
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy chengdu

R2 configuration:
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy beijing

【6】、ACL configuration (NAT):

R1 configuration:
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule 20 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255   // traffic from 192.168.10.0 to 192.168.20.0 must not be address-translated; it goes through the tunnel directly
[Huawei-acl-adv-3001]rule 25 permit ip
[Huawei-acl-adv-3001]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 3001

R2 configuration:
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Huawei-acl-adv-3001]rule 25 permit ip
[Huawei-acl-adv-3001]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 3001

【7】、Results:
PC1 ping PC2 (screenshot not reproduced here).
PC2 ping PC1 (screenshot not reproduced here).
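The following Python model, added here as an illustration and not part of the original lab or of Huawei VRP, traces a packet leaving R1 on g0/0/1 through the outbound NAT policy (ACL 3001) and then the manual IPSec policy (ACL 3000), and checks that the two manual SA definitions mirror each other. The host addresses 192.168.10.1 and 192.168.20.1 are constructed sample values for PC1 and PC2; the ACL_3001_NO_DENY variant shows why rule 20 is needed.

```python
import ipaddress

# Constructed model of R1's egress processing on g0/0/1 for this lab (not VRP code).
# Hosts 192.168.10.1 and 192.168.20.1 are constructed sample addresses for PC1 and PC2.
def net(cidr):
    return ipaddress.ip_network(cidr)

# ACL rules as (action, source network or None for any, destination network or None for any).
ACL_3000 = [("permit", net("192.168.10.0/24"), net("192.168.20.0/24"))]  # IPsec interesting traffic
ACL_3001 = [("deny", net("192.168.10.0/24"), net("192.168.20.0/24")),    # rule 20: keep VPN traffic out of NAT
            ("permit", None, None)]                                         # rule 25: NAT everything else
ACL_3001_NO_DENY = [("permit", None, None)]  # the NAT ACL as it would be without rule 20

R1 = {"nat_ip": "100.1.1.1", "tunnel_local": "100.1.1.1", "tunnel_remote": "200.1.1.1",
      "spi_out": 12345, "spi_in": 54321, "key": "kiki"}
R2 = {"nat_ip": "200.1.1.1", "tunnel_local": "200.1.1.1", "tunnel_remote": "100.1.1.1",
      "spi_out": 54321, "spi_in": 12345, "key": "kiki"}

def acl_lookup(acl, src, dst):
    """Return the action of the first matching rule, or None if no rule matches."""
    for action, s, d in acl:
        if (s is None or src in s) and (d is None or dst in d):
            return action
    return None

def r1_egress(src, dst, nat_acl=ACL_3001):
    """Trace a packet leaving R1 on g0/0/1: outbound NAT is applied before the IPsec policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_lookup(nat_acl, src, dst) == "permit":          # nat outbound 3001
        src = ipaddress.ip_address(R1["nat_ip"])
    if acl_lookup(ACL_3000, src, dst) == "permit":         # ipsec policy chengdu, security acl 3000
        return {"src": str(src), "esp": True, "spi": R1["spi_out"],
                "outer": (R1["tunnel_local"], R1["tunnel_remote"])}
    return {"src": str(src), "esp": False, "spi": None, "outer": None}

def peers_consistent(a, b):
    """Manual SAs are never negotiated, so each side's inbound SPI/key must equal the peer's outbound."""
    return (a["spi_in"] == b["spi_out"] and a["spi_out"] == b["spi_in"]
            and a["key"] == b["key"]
            and a["tunnel_local"] == b["tunnel_remote"]
            and a["tunnel_remote"] == b["tunnel_local"])

if __name__ == "__main__":
    print(r1_egress("192.168.10.1", "192.168.20.1"))                     # ESP, SPI 12345, source unchanged
    print(r1_egress("192.168.10.1", "2.2.2.2"))                          # source NATed to 100.1.1.1, cleartext
    print(r1_egress("192.168.10.1", "192.168.20.1", ACL_3001_NO_DENY))   # NATed first, so never encrypted
    print(peers_consistent(R1, R2))                                      # True
```

The model tracks only policy matching, not the cipher suite: the lab's proposal (DES with MD5) and its static manual keys are acceptable for an eNSP exercise but are deprecated for real deployments, where AES, SHA-2 and IKE-negotiated SAs should be used instead.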