Xin chào ! Nếu đây là lần đầu tiên bạn đến với diễn đàn, xin vui lòng danh ra một phút bấm vào đây để đăng kí và tham gia thảo luận cùng VnPro.

Announcement

Collapse
No announcement yet.

Mọi người xem và fix lỗi dùm em nhe - LAB về VPN IPSec GRE Backup

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Mọi người xem và fix lỗi dùm em nhe - LAB về VPN IPSec GRE Backup

    Chào mọi người! EM có mô hình LAB thế này.



    MÌnh có thuê 1 đường lease line giữa CENTER và BRANCH. Và mổi site mình cũng thuê 1 đường ADSL để ra net.
    Mục tiêu bài LAB sau khi làm xong: Nếu đường leaseline giữa BRANCH và CENTER sống thì dữ liệu giữa 2 site sẽ được truyền qua đường này. Nếu đường leaseline giữa BRANCH và CENTER chết thì dữ liệu sẽ được truyền qua đường dự phòng(GRE tunnel) trên đường ADSL. Trên đường dự phòng này mình có cấu hình VPN IPSec để tăng độ an toàn thông tin dữ liệu. Đồng thời đường ADSL cũng đảm nhiệm chức năng ra net.

    Đây là cấu hình:

    Code:
    !
!
! Last configuration change at 18:55:13 UTC Sat Jul 23 2011
! NVRAM config last updated at 18:55:25 UTC Sat Jul 23 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BRANCH
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco password 0 123
!
! 
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 193.168.123.6
!
!
crypto ipsec transform-set mine esp-3des 
!
crypto map gre-tunnel local-address Serial1/1
crypto map gre-tunnel 10 ipsec-isakmp 
 set peer 193.168.123.6
 set transform-set mine 
 match address 100
!
!
!
!
!
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 delay 500
 tunnel source 194.168.123.6
 tunnel destination 193.168.123.6
 crypto map gre-tunnel
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 192.168.123.7 255.255.255.0
 encapsulation ppp
 delay 100
 serial restart-delay 0
 clock rate 64000
 ppp authentication chap
 ppp chap hostname vnpro
 ppp chap password 0 123
!
interface Serial1/1
 ip address 194.168.123.6 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 crypto map gre-tunnel
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 10.0.1.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 network 192.168.123.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 194.168.123.7
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit gre host 194.168.123.6 host 193.168.123.6
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

    Code:
    !
!
! Last configuration change at 18:55:27 UTC Sat Jul 23 2011
! NVRAM config last updated at 18:55:28 UTC Sat Jul 23 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CENTER
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username vnpro password 0 123
!
! 
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 194.168.123.6
!
!
crypto ipsec transform-set vnpro esp-3des 
!
crypto map vnpro local-address Serial1/1
crypto map vnpro 10 ipsec-isakmp 
 set peer 194.168.123.6
 set transform-set vnpro 
 match address 100
!
!
!
!
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 delay 500
 tunnel source Serial1/1
 tunnel destination 194.168.123.6
 crypto map vnpro
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 192.168.123.6 255.255.255.0
 encapsulation ppp
 delay 100
 serial restart-delay 0
 clock rate 64000
 ppp authentication chap
 ppp chap hostname cisco
 ppp chap password 0 123
!
interface Serial1/1
 ip address 193.168.123.6 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 192.168.123.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 193.168.123.7
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit gre host 193.168.123.6 host 194.168.123.6
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

    Code:
    !



!
! Last configuration change at 17:21:54 UTC Fri Jul 22 2011
! NVRAM config last updated at 18:07:44 UTC Fri Jul 22 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 193.168.123.7 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/1
 ip address 194.168.123.7 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
    ***Sau khi kiểm tra, kêt quả như sau:
    - Khi chưa shutdown int s1/0 trên CENTER
    Code:
    Jul 22 18:03:04.135: %SYS-5-CONFIG_I: Configured from console by console
CENTER#traceroute 10.0.2.1 source 10.0.0.1

Type escape sequence to abort.
Tracing the route to 10.0.2.1

  1 192.168.123.7 76 msec *  16 msec
CENTER#
Jul 22 18:03:13.487: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded
CENTER#
Jul 22 18:03:17.127: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency
CENTER#
    Code:
    BRANCH#
Jul 22 18:03:14.759: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /194.168.123.6, src_addr= 193.168.123.6, prot= 47
BRANCH#traceroute 10.0.0.1 source 10.0.2.1

Type escape sequence to abort.
Tracing the route to 10.0.0.1

  1 192.168.123.6 40 msec *  20 msec
BRANCH#
    - Khi shutdown int s1/0 trên CENTER
    Code:
    CENTER(config)#int s1/0
CENTER(config-if)#sh
CENTER(config-if)#shutdown 
CENTER(config-if)#
Jul 22 17:52:46.235: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.123.7 (Serial1/0) is down: interface down
CENTER(config-if)#
Jul 22 17:52:48.159: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
CENTER(config-if)#
Jul 22 17:52:48.159: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down 
Jul 22 17:52:49.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
CENTER(config-if)#shutdown ^Z
CENTER#traceroute 10.0.2.1 source 10.0.0.1
Jul 22 17:53:02.671: %SYS-5-CONFIG_I: Configured from console by console
CENTER#traceroute 10.0.2.1 source 10.0.0.1

Type escape sequence to abort.
Tracing the route to 10.0.2.1

  1  *  *  * 
  2  *  *  * 
  3  *  *  * 
  4 
Jul 22 17:53:31.991: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded *  * 
Jul 22 17:53:35.979: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency * 
  5  *  *  * 
  6  *  *  * 
  7  *  *  * 
  8  *  *  * 
  9  *  *  * 
 10  *  *  * 
 11  *  *  * 
 12  *  *  * 
 13  * 
Jul 22 17:54:55.495: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded * 
Jul 22 17:54:59.867: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency * 
 14  *  *  * 
 15  *  *  * 
 16  *  *  * 
 17  *  *  * 
 18  *  *  * 
 19  *  *  * 
 20  *  *  * 
 21  *  *  * 
 22  *  * 
Jul 22 17:56:19.383: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded * 
 23 
Jul 22 17:56:21.987: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency *  *  * 
 24  *  *  * 
 25  *  *  * 
 26 
CENTER#
Jul 22 17:57:41.503: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded
CENTER#
Jul 22 17:57:44.771: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency
CENTER#
Jul 22 17:59:04.291: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded
CENTER#
Jul 22 17:59:08.911: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency
    Last edited by lenhung; 25-07-2011, 12:42 PM.
    Tags: None
  • #2
    Hi anh,

    router eigrp 1
    network 10.0.1.0 0.0.0.255
    network 10.0.2.0 0.0.0.255
    network 192.168.123.0
    no auto-summary
    Cấu hình GRE tunnel, lúc quảng bá mạng Ta chỉ quảng bá mạng của tunnel. Không quảng bá mạng cổng serial nha anh.
    Lâm Văn Tú
    Email :     cntt08520610@gmail.com
    Viet Professionals Co. Ltd. (VnPro)
    149/1D Ung Văn Khiêm P25 Q.Bình thạnh TPHCM
    Tel: (08) 35124257 (5 lines)
    Fax (08) 35124314
    Tập tành bước đi....


    Comment

    • #3
      Originally posted by lamvantu View Post
      Hi anh,

      Cấu hình GRE tunnel, lúc quảng bá mạng Ta chỉ quảng bá mạng của tunnel. Không quảng bá mạng cổng serial nha anh.
      Uh sau khi bỏ bớt quảng bá mạng ->khi shut s1/0 trên CENTER thì

      Code:
      CENTER#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
Serial1/0                  192.168.123.6   YES NVRAM  up                    up  
Serial1/1                  193.168.123.6   YES NVRAM  up                    up  
Serial1/2                  unassigned      YES NVRAM  administratively down down
Serial1/3                  unassigned      YES NVRAM  administratively down down
Serial1/4                  unassigned      YES NVRAM  administratively down down
Serial1/5                  unassigned      YES NVRAM  administratively down down
Serial1/6                  unassigned      YES NVRAM  administratively down down
Serial1/7                  unassigned      YES NVRAM  administratively down down
Loopback0                  10.0.0.1        YES NVRAM  up                    up  
Tunnel1                    10.0.1.1        YES NVRAM  up                    up  
CENTER#traceroute 10.0.2.1

Type escape sequence to abort.
Tracing the route to 10.0.2.1

  1 193.168.123.7 52 msec 56 msec 16 msec
  2 193.168.123.7 !H  *  !H
CENTER#ping 10.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
CENTER#
Jul 25 13:06:34.091: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded
CENTER#
Jul 25 13:06:37.067: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency
CENTER#ping 10.0.2.1 so
CENTER#ping 10.0.2.1 source 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
.....
Success rate is 0 percent (0/5)
CENTER#sh ip ro
CENTER#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 193.168.123.7 to network 0.0.0.0

     192.168.123.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.123.0/24 is directly connected, Serial1/0
C       192.168.123.7/32 is directly connected, Serial1/0
C    193.168.123.0/24 is directly connected, Serial1/1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Loopback0
C       10.0.1.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 193.168.123.7
CENTER#
      Code:
      BRANCH#traceroute 10.0.0.1

Type escape sequence to abort.
Tracing the route to 10.0.0.1

  1 194.168.123.7 52 msec 72 msec 28 msec
  2 194.168.123.7 !H  *  !H
BRANCH#ping 10.0.0.1 source 10.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
.
Jul 25 13:04:28.099: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /194.168.123.6, src_addr= 193.168.123.6, prot= 47....
Success rate is 0 percent (0/5)
BRANCH#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
BRANCH#ping 10.0.0.1 source 10.0.2.1
Jul 25 13:05:28.907: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /194.168.123.6, src_addr= 193.168.123.6, prot= 47
BRANCH#ping 10.0.0.1 source 10.0.2.1
BRANCH#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
BRANCH#sh ip ro
BRANCH#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 194.168.123.7 to network 0.0.0.0

     192.168.123.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.123.0/24 is directly connected, Serial1/0
C       192.168.123.6/32 is directly connected, Serial1/0
C    194.168.123.0/24 is directly connected, Serial1/1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.2.0 is directly connected, Loopback0
C       10.0.1.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 194.168.123.7
BRANCH#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
BRANCH#ping 10.0.0.1
Jul 25 13:06:29.411: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /194.168.123.6, src_addr= 193.168.123.6, prot= 47
BRANCH#traceroute 10.0.0.1

Type escape sequence to abort.
Tracing the route to 10.0.0.1

  1 194.168.123.7 108 msec 32 msec 36 msec
  2 194.168.123.7 !H  *  !H
BRANCH#ping 10.0.0.1 so
BRANCH#ping 10.0.0.1 source 10.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
.....
Success rate is 0 percent (0/5)
BRANCH#sh ip ro
BRANCH#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 194.168.123.7 to network 0.0.0.0

     192.168.123.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.123.0/24 is directly connected, Serial1/0
C       192.168.123.6/32 is directly connected, Serial1/0
C    194.168.123.0/24 is directly connected, Serial1/1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.2.0 is directly connected, Loopback0
C       10.0.1.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 194.168.123.7
      khi no shut s1/0 trên CENTER thì

      Code:
      CENTER#traceroute 10.0.2.1

Type escape sequence to abort.
Tracing the route to 10.0.2.1

  1 193.168.123.7 56 msec 52 msec 24 msec
  2 193.168.123.7 !H  *  !H
      Mình có 3 thắc mắc sau:
      1. Trong quyển sách ISCW trang 435->438 có hướng dẫn cấu hình IPSEC GRE TUNNEL và trong cấu hình vẫn hướng dẫn là có đường mạng quảng bá network 192.168.123.0.
      2. Dưa vào kết quả trên, ta thấy khi công s1/0 shutdown hoạc khi công s1/0 còn sống thì data bên CENTER vẫn đi qua BRANCH bẳng 1 đường ADSL duy nhất chứ không phải là lúc công s1/0 còn sống thì nó sẽ đi bằng đường lease line.
      3. Dòng thông báo 2 193.168.123.7 !H * !H là gì? cái này minh chưa hiểu lắm.
      Last edited by lenhung; 25-07-2011, 07:04 PM.

      Comment

      • #4
        Đó là em nói anh thử xem thế nào (cho cấu hình GRE) ? Chứ mỗi bài lab, mỗi trường hợp mỗi khác. Có bài lab dự phòng 2 đường tunnel (VPN) . Anh cần thì mail cho em. Vấn đề đi đường nào thì anh chỉ ip route đến đường cần đi thử. ( Chứ đừng chỉ đến tunnel). Có thể kết hợp IP SLA.
        Sau vẽ mô hình nếu được anh thêm địa chỉ IP vô nha.

        Cảm ơn anh.
        Last edited by lamvantu; 25-07-2011, 06:58 PM.
        Lâm Văn Tú
        Email :         cntt08520610@gmail.com
        Viet Professionals Co. Ltd. (VnPro)
        149/1D Ung Văn Khiêm P25 Q.Bình thạnh TPHCM
        Tel: (08) 35124257 (5 lines)
        Fax (08) 35124314
        Tập tành bước đi....


        Comment

        • #5
          Originally posted by lamvantu View Post
          Đó là em nói anh thử xem thế nào (cho cấu hình GRE) ? Chứ mỗi bài lab, mỗi trường hợp mỗi khác. Có bài lab dự phòng 2 đường tunnel (VPN) .

          Cảm ơn anh.
          Ok.. đây là cấu hình bài LAB IPSEC GRE TUNNEL dự phòng cho lease line (chưa có VPN). Mô hình và cách cấm dây vẫn như hình vẽ trên. Kêt quả test theo mình thì OK. Tú tham khảo xem mình có sai chổ nào không?

          Code:
          !
!
! Last configuration change at 11:00:57 UTC Fri Jul 22 2011
! NVRAM config last updated at 11:02:48 UTC Fri Jul 22 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BRANCH
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
!
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 delay 500
 tunnel source 194.168.123.6
 tunnel destination 193.168.123.6
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 192.168.123.7 255.255.255.0
 delay 100
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/1
 ip address 194.168.123.6 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 10.0.1.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 network 192.168.123.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 194.168.123.7
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
          Code:
          !
!
! Last configuration change at 10:52:47 UTC Fri Jul 22 2011
! NVRAM config last updated at 11:02:43 UTC Fri Jul 22 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CENTER
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 delay 500
 tunnel source 193.168.123.6
 tunnel destination 194.168.123.6
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 192.168.123.6 255.255.255.0
 delay 100
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/1
 ip address 193.168.123.6 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 192.168.123.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 193.168.123.7
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
          Code:
          ISP#sh running-config
Building configuration...

Current configuration : 1347 bytes
!
! Last configuration change at 18:59:25 UTC Mon Jul 25 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 193.168.123.7 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/1
 ip address 194.168.123.7 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 194.168.123.6
ip route 0.0.0.0 0.0.0.0 193.168.123.6
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

ISP#
          ---->khi đường LEASE LINE còn sống, kết quả:

          Code:
          CENTER#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
Serial1/0                  192.168.123.6   YES NVRAM  up                    up  
Serial1/1                  193.168.123.6   YES NVRAM  up                    up  
Serial1/2                  unassigned      YES NVRAM  administratively down down
Serial1/3                  unassigned      YES NVRAM  administratively down down
Serial1/4                  unassigned      YES NVRAM  administratively down down
Serial1/5                  unassigned      YES NVRAM  administratively down down
Serial1/6                  unassigned      YES NVRAM  administratively down down
Serial1/7                  unassigned      YES NVRAM  administratively down down
Loopback0                  10.0.0.1        YES NVRAM  up                    up  
Tunnel1                    10.0.1.1        YES NVRAM  up                    up  
CENTER#ping 10.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/21/60 ms
CENTER#ping 10.0.2.1 so
CENTER#ping 10.0.2.1 source 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/28 ms
CENTER#tr
CENTER#traceroute 10.0.2.1

Type escape sequence to abort.
Tracing the route to 10.0.2.1

  1 192.168.123.7 24 msec 28 msec *
          Code:
          BRANCH#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
Serial1/0                  192.168.123.7   YES NVRAM  up                    up  
Serial1/1                  194.168.123.6   YES NVRAM  up                    up  
Serial1/2                  unassigned      YES NVRAM  administratively down down
Serial1/3                  unassigned      YES NVRAM  administratively down down
Serial1/4                  unassigned      YES NVRAM  administratively down down
Serial1/5                  unassigned      YES NVRAM  administratively down down
Serial1/6                  unassigned      YES NVRAM  administratively down down
Serial1/7                  unassigned      YES NVRAM  administratively down down
Loopback0                  10.0.2.1        YES NVRAM  up                    up  
Tunnel1                    10.0.1.2        YES NVRAM  up                    up  
BRANCH#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/84/132 ms
BRANCH#ping 10.0.0.1 so
BRANCH#ping 10.0.0.1 source 10.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/24/52 ms
BRANCH#tra
BRANCH#traceroute 10.0.0.1

Type escape sequence to abort.
Tracing the route to 10.0.0.1

  1 192.168.123.6 20 msec *  *
BRANCH#
          ---->khi đường LEASE LINE chết, kết quả:

          Code:
          CENTER#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CENTER(config)#int s1/0
CENTER(config-if)#sh
CENTER(config-if)#shutdown
CENTER(config-if)#^Z
CENTER#
Jul 25 19:24:51.023: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.123.7 (Serial1/0) is down: interface down
Jul 25 19:24:51.943: %SYS-5-CONFIG_I: Configured from console by console
CENTER#
Jul 25 19:24:52.939: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
CENTER#
Jul 25 19:24:52.943: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
Jul 25 19:24:53.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
CENTER#ping 10.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/67/104 ms
CENTER#ping 10.0.2.1 source 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/45/76 ms
CENTER#traceroute 10.0.2.1

Type escape sequence to abort.
Tracing the route to 10.0.2.1

  1 10.0.1.2 96 msec 68 msec *
CENTER#
          Code:
          BRANCH#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 194.168.123.7 to network 0.0.0.0

C    194.168.123.0/24 is directly connected, Serial1/1
     10.0.0.0/24 is subnetted, 3 subnets
C       10.0.2.0 is directly connected, Loopback0
D       10.0.0.0 [90/284700416] via 10.0.1.1, 00:03:48, Tunnel1
C       10.0.1.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 194.168.123.7
BRANCH#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/88/172 ms
BRANCH#ping 10.0.0.1 source 10.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/62/96 ms
BRANCH#traceroute 10.0.0.1

Type escape sequence to abort.
Tracing the route to 10.0.0.1

  1 10.0.1.1 68 msec 72 msec *
BRANCH#
          Last edited by lenhung; 25-07-2011, 08:30 PM.

          Comment

          Previous template Next
          Working...
          X