Link: https://pan.baidu.com/s/1ofvfE9por7tbU_zOY0nhxQ
Extraction code: 6666
Address table

| Device | Interface | IP / port mode | Mask / VLAN |
| --- | --- | --- | --- |
| AR1 | G0/0/0 | 192.168.1.2 | 255.255.255.252 |
| AR1 | S1/0/0 | 100.1.1.1 | 255.255.255.252 |
| AR2 | G0/0/0 | 192.168.50.254 | 255.255.255.0 |
| AR2 | S1/0/0 | 100.1.1.6 | 255.255.255.252 |
| AR3 | G0/0/0 | 192.168.60.254 | 255.255.255.0 |
| AR3 | S1/0/0 | 100.1.1.10 | 255.255.255.252 |
| ISP | S0/0/0 | 100.1.1.2 | 255.255.255.252 |
| ISP | S0/0/1 | 100.1.1.5 | 255.255.255.252 |
| ISP | S0/0/2 | 100.1.1.9 | 255.255.255.252 |
| SW1 | vlanif10 | 192.168.10.254 | 255.255.255.0 |
| SW1 | vlanif20 | 192.168.20.254 | 255.255.255.0 |
| SW1 | vlanif100 | 192.168.100.254 | 255.255.255.0 |
| SW1 | Vlanif101 | 192.168.1.1 | 255.255.255.252 |
| SW2 | G0/0/1 | trunk | vlan100 |
| SW2 | G0/0/2 | trunk | vlan100 |
| SW2 | E0/0/1 | access | vlan100 |
| SW2 | E0/0/2 | access | vlan100 |
| SW3 | G0/0/1 | trunk | vlan10 |
| SW3 | E0/0/2 | access | vlan10 |
| SW3 | E0/0/3 | access | vlan10 |
| SW4 | G0/0/1 | trunk | vlan20 |
| SW4 | E0/0/2 | access | vlan20 |
| SW4 | E0/0/3 | access | vlan20 |
| SW6 | G0/0/1 | trunk | vlan50 |
| SW6 | E0/0/2 | access | vlan50 |
| SW6 | E0/0/3 | access | vlan50 |
| SW7 | G0/0/1 | trunk | vlan60 |
| SW7 | E0/0/2 | access | vlan60 |
| SW7 | E0/0/3 | access | vlan60 |

Kunming headquarters IPsec configuration
[KM-AR2220-AR1]acl number 3000 // interesting traffic for the Kunming-Shenyang IPsec tunnel
[KM-AR2220-AR1-acl-adv-3000] rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[KM-AR2220-AR1-acl-adv-3000] rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[KM-AR2220-AR1]acl number 3001 // interesting traffic for the Kunming-Shanghai IPsec tunnel
[KM-AR2220-AR1-acl-adv-3001] rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
[KM-AR2220-AR1-acl-adv-3001] rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
[KM-AR2220-AR1]ipsec proposal tran1 // configure the IPsec security proposal
[KM-AR2220-AR1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 // ESP authentication algorithm
[KM-AR2220-AR1-ipsec-proposal-tran1] esp encryption-algorithm aes-128 // ESP encryption algorithm
[KM-AR2220-AR1-ipsec-proposal-tran1]quit
[KM-AR2220-AR1]ike proposal 5 // configure the IKE security proposal
[KM-AR2220-AR1-ike-proposal-5] encryption-algorithm aes-cbc-128 // IKE encryption algorithm
[KM-AR2220-AR1-ike-proposal-5] dh group14 // DH group used for IKE key negotiation
[KM-AR2220-AR1-ike-proposal-5]quit
[KM-AR2220-AR1]ike peer SY v1 // configure the IKE peer
[KM-AR2220-AR1-ike-peer-SY] pre-shared-key cipher huawei // set the pre-shared key
[KM-AR2220-AR1-ike-peer-SY] ike-proposal 5 // bind the IKE security proposal
[KM-AR2220-AR1-ike-peer-SY] remote-address 100.1.1.6 // peer address the tunnel is established to
[KM-AR2220-AR1-ike-peer-SY]quit
[KM-AR2220-AR1]ike peer KM v1
[KM-AR2220-AR1-ike-peer-KM] pre-shared-key cipher huawei
[KM-AR2220-AR1-ike-peer-KM] ike-proposal 5
[KM-AR2220-AR1-ike-peer-KM] remote-address 100.1.1.10
[KM-AR2220-AR1-ike-peer-KM]quit
[KM-AR2220-AR1]ipsec policy isp 10 isakmp // configure the IPsec policy
[KM-AR2220-AR1-ipsec-policy-isakmp-isp-10] security acl 3000 // bind the interesting-traffic ACL
[KM-AR2220-AR1-ipsec-policy-isakmp-isp-10] ike-peer SY // bind the IKE peer
[KM-AR2220-AR1-ipsec-policy-isakmp-isp-10] proposal tran1 // bind the IPsec security proposal
[KM-AR2220-AR1-ipsec-policy-isakmp-isp-10]quit
[KM-AR2220-AR1]ipsec policy isp 11 isakmp
[KM-AR2220-AR1-ipsec-policy-isakmp-isp-11] security acl 3001
[KM-AR2220-AR1-ipsec-policy-isakmp-isp-11] ike-peer KM
[KM-AR2220-AR1-ipsec-policy-isakmp-isp-11] proposal tran1
[KM-AR2220-AR1-ipsec-policy-isakmp-isp-11]quit
[KM-AR2220-AR1]interface Serial1/0/0
[KM-AR2220-AR1-Serial1/0/0]ipsec policy isp // enable IPsec on the interface
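
Added example, not part of the original page: traffic that does not match the security ACL leaves the interface outside the tunnel, so a mistyped octet in one rule goes unprotected without any error. This Python check parses the ACL rules and compares them with the subnets from the address table; the function names and the sample text (constructed, with one deliberately wrong source) are assumptions, and each rule is assumed to sit on one unwrapped line.

```python
import ipaddress
import re

# Subnets from the address table: VLAN 10/20 at Kunming, one LAN per branch.
LOCAL = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.168.20.0/24")]
REMOTE = {3000: ipaddress.ip_network("192.168.50.0/24"),   # behind AR2
          3001: ipaddress.ip_network("192.168.60.0/24")}   # behind AR3

RULE = re.compile(r"rule\s+(\d+)\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                  r"\s+destination\s+(\S+)\s+(\S+)")


def to_net(addr, wildcard):
    """Turn an 'address wildcard' pair into a network (ipaddress accepts hostmasks)."""
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def lint_acl(text):
    """Return (acl, rule, problem) for every rule outside the expected subnets."""
    problems, acl = [], None
    for line in text.splitlines():
        m = re.search(r"acl number (\d+)", line)
        if m:
            acl = int(m.group(1))
            continue
        m = RULE.search(line)
        if not m or acl not in REMOTE:
            continue
        rule = int(m.group(1))
        src, dst = to_net(m.group(2), m.group(3)), to_net(m.group(4), m.group(5))
        if not any(src.subnet_of(n) for n in LOCAL):
            problems.append((acl, rule, f"source {src} is not a local subnet"))
        if not dst.subnet_of(REMOTE[acl]):
            problems.append((acl, rule, f"destination {dst} is not the peer subnet"))
    return problems


# Constructed sample: rule 5 of ACL 3001 has a mistyped source network.
SAMPLE = """\
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.16.10.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
"""

if __name__ == "__main__":
    for acl, rule, problem in lint_acl(SAMPLE):
        print(f"acl {acl} rule {rule}: {problem}")
```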