[网络协议] 网络安全架构与部署-高级路由-策略-2—

开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> 网络协议 -> 网络安全架构与部署-高级路由-策略-2——20210926 -> 正文阅读

[网络协议]网络安全架构与部署-高级路由-策略-2——20210926

1/问答题

Route-map在策略路由中的应用

实验作业：

按要求在GNS上部署实验环境如图：

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-JNJAOZRG-1632585800221)(/Users/aron/Desktop/highroute2.png)]

1、R1、R2模拟内网主机，与R3运行OSPF协议，实现内网联通；

配置IP地址，是互相连通；
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#end

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int f1/0
R2(config-if)#ip add 192.168.2.1 255.255.255.0
R2(config-if)#no sh

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int f0/0       
R3(config-if)#ip add 192.168.1.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f2/0
R3(config-if)#ip add 192.168.2.3 255.255.255.0
R3(config-if)#no sh
R3(config)#int f2/0
R3(config-if)#ip add 100.1.35.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f3/0
R3(config-if)#ip add 100.1.34.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#end

验证R3
R3#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.3     YES manual up                    up      
FastEthernet1/0            192.168.2.3     YES manual up                    up      
FastEthernet2/0            100.1.34.3      YES manual up                    up      
FastEthernet3/0            100.1.35.3      YES manual up                    up  


R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int f3/0
R4(config-if)#ip add 100.1.34.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#int lo1
R4(config-if)#ip add  4.4.4.4 255.255.255.255
R4(config-if)#end

验证R4
R4#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down    
FastEthernet1/0            unassigned      YES unset  administratively down down    
FastEthernet2/0            unassigned      YES unset  administratively down down    
FastEthernet3/0            100.1.34.4      YES manual up                    up      
Loopback1                  4.4.4.4         YES manual up                    up      
R4#

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int f2/0
R5(config-if)#no sh
R5(config-if)#ip add 100.1.35.5 255.255.255.0
R5(config-if)#int lo1
R5(config-if)#ip add 5.5.5.5 255.255.255.255
R5(config-if)#end

验证R5:
R5#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down    
FastEthernet1/0            unassigned      YES unset  administratively down down    
FastEthernet2/0            100.1.35.5      YES manual up                    up      
FastEthernet3/0            unassigned      YES unset  administratively down down    
Loopback1                  5.5.5.5         YES manual up                    up      
R5#

测试连通性：

R5#ping 100.1.35.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.35.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 96/124/160 ms
R5#

R4#ping 100.1.34.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.34.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 128/135/144 ms
R4#

R1、R2模拟内网主机，与R3运行OSPF协议，实现内网联通

R1#conf t     
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router ospf 100
R1(config-router)#router-id
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#end


R2(config-if)#router ospf 100
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 192.168.2.0 0.0.0.255 area 0
R2(config-router)#end


R3(config-if)#
R3(config-if)#router ospf 100
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 192.168.1.0 0.0.0.255 area 0
R3(config-router)#network 192.168.2.0 0.0.0.255 area 0
R3(config-router)#end


R1#show ip route ospf
O    192.168.2.0/24 [110/2] via 192.168.1.3, 00:22:49, FastEthernet0/0
R1#

R2#show ip route ospf
O    192.168.1.0/24 [110/2] via 192.168.2.3, 00:22:44, FastEthernet1/0
R2#

2、R3下发OSPF默认路由，使得R1、R2能够访问互联网；

R3下发OSPF默认路由，使得R1、R2能够访问互联网

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router ospf 100
R3(config-router)#default-information originate always 
R3(config-router)#

3、R3上部署策略路由PBR技术，使得R1访问互联网走R4方向，使得R2访问互联网走R5方向；

R3上部署策略路由PBR技术，使得R1访问互联网走R4方向，使得R2访问互联网走R5方向
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#access-list 1 permit 192.168.1.0 0.0.0.255
R3(config)#access-list 2 permit 192.168.2.0 0.0.0.255

R3(config)#route-map r4 permit 10
R3(config-route-map)#match ip address 1
R3(config-route-map)#set ip next-hop 100.1.34.4 


R3(config-route-map)#route-map r5 permit 10
R3(config-route-map)#match ip address 2
R3(config-route-map)#set ip next-hop 100.1.35.5

R3(config-if)#int f0/0 
R3(config-if)#ip policy route-map r4


R3(config-if)#int f1/0
R3(config-if)#ip policy route-map r5

R3(config-if)#end

验证：
R3#show ip access-lists 
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (67 matches)
Standard IP access list 2
    10 permit 192.168.2.0, wildcard bits 0.0.0.255 (48 matches)


R3#show route-map 
route-map r4, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1 
  Set clauses:
    ip next-hop 100.1.34.4
  Policy routing matches: 23 packets, 2460 bytes
route-map r5, permit, sequence 10
  Match clauses:
    ip address (access-lists): 2 
  Set clauses:
    ip next-hop 100.1.35.5
  Policy routing matches: 5 packets, 570 bytes
  

R3#show ip policy
Interface      Route map
Fa0/0          r4
Fa1/0          r5

R3#
*Mar  1 01:51:36.495: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:36.495: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
*Mar  1 01:51:36.815: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:36.815: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
*Mar  1 01:51:36.979: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:36.979: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
R3#
*Mar  1 01:51:37.203: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:37.203: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
*Mar  1 01:51:37.431: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 01:51:37.431: IP: s=192.168.1.1 (FastEthernet0/0), d=4.4.4.4, g=100.1.34.4, len 100, FIB policy routed
R3#



R1上ping 验证等：
R1#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/188/240 ms
R1#
*Mar  1 01:39:20.587: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1
*Mar  1 01:39:20.763: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1
*Mar  1 01:39:20.963: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1
*Mar  1 01:39:21.163: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1
*Mar  1 01:39:21.295: ICMP: echo reply rcvd, src 4.4.4.4, dst 192.168.1.1


R1#traceroute  4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 192.168.1.3 72 msec 68 msec 156 msec
  2 100.1.34.4 104 msec 216 msec 196 msec
R1#
*Mar  1 01:41:10.779: ICMP: time exceeded rcvd from 192.168.1.3
*Mar  1 01:41:10.847: ICMP: time exceeded rcvd from 192.168.1.3
*Mar  1 01:41:11.007: ICMP: time exceeded rcvd from 192.168.1.3
*Mar  1 01:41:11.115: ICMP: dst (192.168.1.1) port unreachable rcv from 100.1.34.4
*Mar  1 01:41:11.335: ICMP: dst (192.168.1.1) port unreachable rcv from 100.1.34.4
*Mar  1 01:41:11.535: ICMP: dst (192.168.1.1) port unreachable rcv from 100.1.34.4

r2验证：
R2#debug ip icmp
ICMP packet debugging is on
R2#ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/272/388 ms
R2#
*Mar  1 01:40:15.199: ICMP: echo reply rcvd, src 5.5.5.5, dst 192.168.2.1
*Mar  1 01:40:15.515: ICMP: echo reply rcvd, src 5.5.5.5, dst 192.168.2.1
*Mar  1 01:40:15.615: ICMP: echo reply rcvd, src 5.5.5.5, dst 192.168.2.1
*Mar  1 01:40:16.007: ICMP: echo reply rcvd, src 5.5.5.5, dst 192.168.2.1
R2#
*Ma

4、此处R3上不要求部署NAT技术，要求R4和R5部署静态路由，实现内网流量返回。

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ip route 0.0.0.0 0.0.0.0 100.1.34.3
R4(config)#

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#
R5(config)#ip route 0.0.0.0 0.0.0.0 100.1.35.3
R5(config)#