F1060 IPv4 over IPv4 tunnel: typical network configuration case
- March 12, 2020
- Notes
Topology and description
Topology description:

This case uses the F1060 in the H3C HCL simulator to model a typical IPv4-over-IPv4 deployment. To keep the IPv4 addresses of subnet 1 and subnet 2 from being exposed on the public network, an IPv4-over-IPv4 tunnel is established between FW1 and FW2 so that subnet 1 and subnet 2 can reach each other.
Configuration steps
1. Configure the IP addresses according to the network topology diagram
2. Establish the IPv4-over-IPv4 tunnel between FW1 and FW2
Key configuration points
Stage 1 (basic network configuration):
ISP:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname ISP
[ISP]int gi 0/0
[ISP-GigabitEthernet0/0]des <connect to FW1>
[ISP-GigabitEthernet0/0]ip address 202.1.100.1 30
[ISP-GigabitEthernet0/0]quit
[ISP]int gi 0/1
[ISP-GigabitEthernet0/1]des <connect to FW2>
[ISP-GigabitEthernet0/1]ip address 202.2.100.1 30
[ISP-GigabitEthernet0/1]quit
[ISP]ip route-static 202.1.100.0 255.255.255.252 202.1.100.2
[ISP]ip route-static 202.2.100.0 255.255.255.252 202.2.100.2
FW1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW1
[FW1]int gi 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 192.168.1.1 24
[FW1-GigabitEthernet1/0/3]quit
[FW1]int gi 1/0/2
[FW1-GigabitEthernet1/0/2]des <connect to ISP>
[FW1-GigabitEthernet1/0/2]ip address 202.1.100.2 30
[FW1-GigabitEthernet1/0/2]quit
[FW1]ip route-static 0.0.0.0 0.0.0.0 202.1.100.1
[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/3
[FW1-security-zone-Trust]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/2
[FW1-security-zone-Untrust]quit
[FW1]acl basic 2001
[FW1-acl-ipv4-basic-2001]rule 0 permit source any
[FW1-acl-ipv4-basic-2001]quit
[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2001
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2001
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]zone-pair security source trust destination local
[FW1-zone-pair-security-Trust-Local]packet-filter 2001
[FW1-zone-pair-security-Trust-Local]quit
[FW1]zone-pair security source local destination trust
[FW1-zone-pair-security-Local-Trust]packet-filter 2001
[FW1-zone-pair-security-Local-Trust]quit
[FW1]zone-pair security source untrust destination local
[FW1-zone-pair-security-Untrust-Local]packet-filter 2001
[FW1-zone-pair-security-Untrust-Local]quit
[FW1]zone-pair security source local destination untrust
[FW1-zone-pair-security-Local-Untrust]packet-filter 2001
[FW1-zone-pair-security-Local-Untrust]quit
FW2:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW2
[FW2]int gi 1/0/3
[FW2-GigabitEthernet1/0/3]ip address 172.16.1.1 24
[FW2-GigabitEthernet1/0/3]quit
[FW2]int gi 1/0/2
[FW2-GigabitEthernet1/0/2]des <connect to ISP>
[FW2-GigabitEthernet1/0/2]ip address 202.2.100.2 30
[FW2-GigabitEthernet1/0/2]quit
[FW2]ip route-static 0.0.0.0 0.0.0.0 202.2.100.1
[FW2]security-zone name Untrust
[FW2-security-zone-Untrust]import interface GigabitEthernet 1/0/2
[FW2-security-zone-Untrust]quit
[FW2]security-zone name Trust
[FW2-security-zone-Trust]import interface GigabitEthernet 1/0/3
[FW2-security-zone-Trust]quit
[FW2]acl basic 2001
[FW2-acl-ipv4-basic-2001]rule 0 permit source any
[FW2-acl-ipv4-basic-2001]quit
[FW2]zone-pair security source trust destination untrust
[FW2-zone-pair-security-Trust-Untrust]packet-filter 2001
[FW2-zone-pair-security-Trust-Untrust]quit
[FW2]zone-pair security source untrust destination trust
[FW2-zone-pair-security-Untrust-Trust]packet-filter 2001
[FW2-zone-pair-security-Untrust-Trust]quit
[FW2]zone-pair security source trust destination local
[FW2-zone-pair-security-Trust-Local]packet-filter 2001
[FW2-zone-pair-security-Trust-Local]quit
[FW2]zone-pair security source local destination trust
[FW2-zone-pair-security-Local-Trust]packet-filter 2001
[FW2-zone-pair-security-Local-Trust]quit
[FW2]zone-pair security source untrust destination local
[FW2-zone-pair-security-Untrust-Local]packet-filter 2001
[FW2-zone-pair-security-Untrust-Local]quit
[FW2]zone-pair security source local destination untrust
[FW2-zone-pair-security-Local-Untrust]packet-filter 2001
[FW2-zone-pair-security-Local-Untrust]quit
Stage 1 tests:
All PCs are given their IP addresses:


Hosts in subnet 1 cannot ping the ISP:

Hosts in subnet 2 cannot ping the ISP:

Stage 2 (key IPv4-over-IPv4 configuration):
FW1:
[FW1]int Tunnel 0 mode ipv4-ipv4
[FW1-Tunnel0]ip address 123.0.0.1 30
[FW1-Tunnel0]source GigabitEthernet 1/0/2
[FW1-Tunnel0]destination 202.2.100.2
[FW1-Tunnel0]quit
[FW1]ip route-static 172.16.1.0 255.255.255.0 123.0.0.2
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface Tunnel 0
[FW1-security-zone-Untrust]quit
FW2:
[FW2]int Tunnel 0 mode ipv4-ipv4
[FW2-Tunnel0]ip address 123.0.0.2 30
[FW2-Tunnel0]source 202.2.100.2
[FW2-Tunnel0]destination 202.1.100.2
[FW2-Tunnel0]quit
[FW2]security-zone name Untrust
[FW2-security-zone-Untrust]import interface Tunnel 0
[FW2-security-zone-Untrust]quit
[FW2]ip route-static 192.168.1.0 255.255.255.0 123.0.0.1
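What the two Tunnel0 interfaces above actually put on the wire is plain IP-in-IP (RFC 2003, IP protocol 4): an outer header between 202.1.100.2 and 202.2.100.2 wrapped around the unchanged site packet. The following Python script is an added example, not code from the original post and not H3C code; it builds such a packet with the case's addresses, parses it back, and applies the ingress check a firewall would want on its Untrust interface. Because the stage-1 packet filter is `permit source any` on every zone pair, including Untrust-Local, it is worth seeing that IP-in-IP carries no authentication: the check only accepts protocol-4 packets from the configured peer whose inner source lies in the remote site's subnet. The host addresses 192.168.1.10 and 172.16.1.10, the stranger address 198.51.100.7 and all function names are assumptions for illustration.

```python
# Added example (not H3C code, not from the original post): build, parse and
# policy-check an IPv4-over-IPv4 (IP-in-IP, RFC 2003, IP protocol 4) packet
# using the addresses from this case. Host addresses 192.168.1.10 and
# 172.16.1.10 and the function names are assumptions for illustration.
import ipaddress
import socket
import struct

PROTO_ICMP = 1
PROTO_IPIP = 4          # IANA protocol number for IPv4 encapsulated in IPv4

# Addresses taken from the case topology
FW1_WAN, FW2_WAN = "202.1.100.2", "202.2.100.2"
SITE1_NET, SITE2_NET = "192.168.1.0/24", "172.16.1.0/24"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + payload


def parse_ipv4(data: bytes):
    """Return (src, dst, proto, payload); reject non-IPv4, bad IHL or bad checksum."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(data) < ihl or total_len < ihl:
        raise ValueError("bad header length")
    if ones_complement_sum(data[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, data[ihl:total_len]


def build_icmp_echo(ident: int = 1, seq: int = 1, data: bytes = b"ping") -> bytes:
    """ICMP echo request, the packet the stage-2 ping tests send."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[4:]


def encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """What the Tunnel0 interface does: wrap the site packet in an outer header."""
    return build_ipv4(outer_src, outer_dst, PROTO_IPIP, inner_packet)


def decapsulate(packet: bytes) -> dict:
    """Strip the outer header. Both headers are plaintext, so the inner
    site addresses are readable by anyone on the ISP path."""
    o_src, o_dst, o_proto, inner = parse_ipv4(packet)
    if o_proto != PROTO_IPIP:
        raise ValueError("outer protocol %d is not IP-in-IP" % o_proto)
    i_src, i_dst, i_proto, _ = parse_ipv4(inner)
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst), "inner_proto": i_proto}


def tunnel_ingress_verdict(packet: bytes, peer: str, remote_net: str) -> str:
    """Check an IP-in-IP packet arriving on the Untrust interface: IP-in-IP
    carries no authentication, so accept it only from the configured peer and
    only if the inner source belongs to the remote site (anti-spoofing)."""
    try:
        info = decapsulate(packet)
    except ValueError as exc:
        return "drop: %s" % exc
    if info["outer"][0] != peer:
        return "drop: IP-in-IP from non-peer %s" % info["outer"][0]
    if ipaddress.ip_address(info["inner"][0]) not in ipaddress.ip_network(remote_net):
        return "drop: inner source %s outside %s" % (info["inner"][0], remote_net)
    return "accept"


def site1_to_site2_echo() -> bytes:
    """Constructed sample: a ping from a subnet-1 host, as FW1 forwards it to FW2."""
    inner = build_ipv4("192.168.1.10", "172.16.1.10", PROTO_ICMP, build_icmp_echo())
    return encapsulate(FW1_WAN, FW2_WAN, inner)


if __name__ == "__main__":
    pkt = site1_to_site2_echo()
    print(decapsulate(pkt))
    print("from FW1:", tunnel_ingress_verdict(pkt, FW1_WAN, SITE1_NET))
    # Same inner packet re-wrapped by an address that is not the tunnel peer
    spoof = encapsulate("198.51.100.7", FW2_WAN, parse_ipv4(pkt)[3])
    print("from stranger:", tunnel_ingress_verdict(spoof, FW1_WAN, SITE1_NET))
```

Running the script prints the outer pair (202.1.100.2, 202.2.100.2) and the inner pair (192.168.1.10, 172.16.1.10) side by side, which is the practical meaning of "the addresses are not exposed": the ISP does not route on the private addresses, but it can still read them, and anything in the tunnel travels unencrypted. On the firewalls this translates into narrowing the Untrust-Local policy to protocol 4 from the peer address, or moving to IPsec if the traffic itself needs protection.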
Stage 2 tests:
Hosts in subnet 1 can ping hosts in subnet 2:

Hosts in subnet 1 still cannot ping the ISP:

Hosts in subnet 2 can ping hosts in subnet 1:

Hosts in subnet 2 still cannot ping the ISP:

The test results show that hosts in subnet 1 and subnet 2 can reach each other through the tunnel built across the ISP.
Check FW1's tunnel state and confirm that its routing table contains the route via the tunnel:


Check FW2's tunnel state and confirm that its routing table contains the route via the tunnel:

