2023年网络建设与运维国赛答案解析
2023年网络建设与运维国赛正式赛题答案解析
(二)交换配置
SW1
port-group 1
!
Interface Ethernet1/0/22
switchport mode trunk
switchport trunk allowed vlan 11-15
port-group 1 mode active
!
SW2
port-group 1
!
Interface Ethernet1/0/22
switchport mode trunk
switchport trunk allowed vlan 21-25
port-group 1 mode passive
!
2.SW1 和 SW2 之间利用三条裸光缆实现互通,其中一条裸光缆承载三层 IP 业务、一条裸光缆承载 VPN 业务、一条裸光缆承载二层业务。
用相关技术分别实现财务 1 段、财务 2 段业务路由表与其它业务路由表隔离,财务业务 VPN 实例名称为 Finance,RD 为 1:1。承载二层业务的只有一条裸光缆通道,配置相关技术,方便后续链路扩容与冗余备份,编号为 1,用 LACP 协议,SW1 为 active,SW2 为 passive;采用目的、源 IP 进行实现流量负载分担。
SW1
load-balance dst-src-ip //采用目的、源 IP
!
Interface Ethernet1/0/23
switchport access vlan 1023
!
Interface Ethernet1/0/24
switchport access vlan 1024
!
ip vrf Finance
rd 1:1
!
interface Vlan1023 //三层业务
ip address 10.4.255.1 255.255.255.252
!
interface Vlan1024 //承载VPN业务
ip vrf forwarding Finance
ip address 10.4.255.1 255.255.255.252 //注意,如果在绑定VRF之前已有IPv4地址,绑定后会被删除
!
interface Vlan14 VPN财务业务
ip vrf forwarding Finance
ipv6 address 2001:10:4:14::1/64
ip address 10.4.14.1 255.255.255.0
!
port-group 1
!
Interface Ethernet1/0/22
switchport mode trunk
switchport trunk allowed vlan 11-15
port-group 1 mode active 主动模式
!
sw2
load-balance dst-src-ip
!
Interface Ethernet1/0/23
switchport access vlan 1023
!
Interface Ethernet1/0/24
switchport access vlan 1024
!
ip vrf Finance
rd 1:1
!
interface Vlan1023
ip address 10.4.255.2 255.255.255.252
!
interface Vlan1024
ip vrf forwarding Finance
ip address 10.4.255.2 255.255.255.252
!
interface Vlan24
ip vrf forwarding Finance
ipv6 address 2001:10:4:24::1/64
ip address 10.4.24.1 255.255.255.0
!
port-group 1
!
Interface Ethernet1/0/22
switchport mode trunk
switchport trunk allowed vlan 21-25
port-group 1 mode passive 被动模式
!
3.为方便后续验证与测试,SW3 的 E1/0/22 连接其他合适设备的一个接口,配置为 trunk,允许 Vlan31-34、110、120 通过。
这里可以连接到SW1的1/0/1口以测试ip dhcp snooping
4.将 SW3 模拟办事处交换机,实现与集团其它业务路由表隔离,办事处路由表 VPN 实例名称为 Office,RD 为 1:1。将 SW3 模拟为 Internet交换机,实现与集团其它业务路由表隔离,Internet 路由表 VPN 实例名称为 Internet,RD 为 2:2。
SW3
ip vrf Office
rd 1:1
!
ip vrf Internet
rd 2:2
!
interface Vlan110 集团办事处产品1段
ip vrf forwarding Office
ipv6 address 2001:10:4:110::1/64
ip address 10.4.110.1 255.255.255.0
!
interface Vlan120 集团办事处营销1段
ip vrf forwarding Office
ipv6 address 2001:10:4:120::1/64
ip address 10.4.120.1 255.255.255.0
!
interface Vlan1015
ip vrf forwarding Office
ip address 10.4.255.30 255.255.255.252
!
interface Vlan1017
ip vrf forwarding Internet
ip address 200.200.200.1 255.255.255.252
!
interface Vlan1018
ip vrf forwarding Internet
ip address 200.200.200.5 255.255.255.252
!
interface Loopback2
ip vrf forwarding Office
ipv6 address 2001:10:4:3::2/128
ip address 10.4.3.2 255.255.255.255
!
5.SW1 配置 SNMP,引擎 id 分别为 1000;创建组 GroupSkills,采用最高安全级别,配置组的读、写视图分别为:Skills_R、Skills_W;创建认证用户为 UserSkills,采用 aes 算法进行加密,密钥为 Key-1122,哈希算法为 sha,密钥为 Key-1122;当设备有异常时,需要用本地的环回地址 Loopback1 发送 v3 Trap 消息至集团网管服务器10.4.15.120、2001:10:4:15::120,采用最高安全级别;当法务部门的用户端口发生 updown 事件时禁止发送 trap 消息至上述集团网管服务器。
SW1
snmp-server enable
snmp-server trap-source 10.4.1.1
snmp-server trap-source 2001:10:4:1::1
snmp-server engineid 1000
snmp-server user UserSkills GroupSkills authPriv aes b693dfa497e63a03e2b4a1d3709b0723 auth sha b693dfa497e63a03e2b4a1d3709b0723f62da73a
snmp-server group GroupSkills authpriv read Skills_R write Skills_W
snmp-server host 2001:10:4:15::120 v3 authpriv UserSkills
snmp-server host 10.4.15.120 v3 authpriv UserSkills
!
Interface Ethernet1/0/3
no switchport updown notification enable
switchport access vlan 13
!
6.对 SW1 与 FW1 互连流量镜像到 SW1 E1/0/1,会话列表为 1。
SW1
monitor session 1 source interface Ethernet1/0/19 tx
monitor session 1 source interface Ethernet1/0/19 rx
monitor session 1 destination interface Ethernet1/0/1
!
7.SW1 和 SW2 E1/0/21-28 启用单向链路故障检测,当发生该故障时,端口标记为 errdisable 状态,自动关闭端口,经过 1 分钟后,端口自动重启;发送 Hello 报文时间间隔为 15s;
SW1
uldp enable
uldp recovery-time 60
uldp hello-interval 15
uldp manual-shutdown
uldp aggressive-mode
!
SW2
uldp enable
uldp recovery-time 60
uldp hello-interval 15
uldp manual-shutdown
uldp aggressive-mode
!
8.SW1 和 SW2 所有端口启用链路层发现协议,更新报文发送时间间隔为 20s,老化时间乘法器值为 5,Trap 报文发送间隔为 10s,配置三条裸光缆端口使能 Trap 功能。
SW1
lldp enable
lldp msgTxHold 5
lldp tx-interval 20
lldp notification interval 10
!
Interface Ethernet1/0/22
lldp trap enable
!
Interface Ethernet1/0/23
lldp trap enable
!
Interface Ethernet1/0/24
lldp trap enable
!
SW2
lldp enable
lldp msgTxHold 5
lldp tx-interval 20
lldp notification interval 10
!
Interface Ethernet1/0/22
lldp trap enable
!
Interface Ethernet1/0/23
lldp trap enable
!
Interface Ethernet1/0/24
lldp trap enable
!
(三)路由调试
1.配置所有设备主机名,名称见“网络拓扑”。启用所有设备的 ssh 服务,用户名和明文密码均为 admin;配置所有设备 ssh 连接超时为 9分钟,console 连接超时为 30 分钟。
SW
exec-timeout 30 0
!
ssh-server enable
ssh-server timeout 540
RT
line console 0
exec-timeout 1800
!
!
ip sshd timeout 540
ip sshd enable
!
FW
ssh timeout 9
console timeout 30
2.配置所有设备的时区为 GMT+08:00。调整 SW1 时间为实际时间,SW1配置为 ntp server,其他设备为 ntp client,请求报文时间间隔 1分钟,用 SW1 Loopback1 IPv6 地址作为 ntp server 地址。
SW1
clock timezone GMT add 8 0
!
ntp enable
ntp-service refclock-master 1
!
SW2-3;AC
clock timezone GMT add 8 0
!
ntp enable
ntp syn-interval 60
ntp server 2001:10:4:1::1
!
RT1
time-zone GMT 8 0
ntp query-interval 60
ntp server 2001:10:4:1::1
!
FW
clock zoon GMT 8 0
ntp query-interval 60
ntp server 2001:10:4:1::1
### 3.配置接口 IPv4 地址和 IPv6 地址,互联接口 IPv6 地址用本地链路地址。FW1 和 FW2 接口仅启用 ping 功能以及 Loopback1 的 ssh 功能。
RT
ipv6 unicast-routing 開啓IPV6本地鏈路地址
接口
ipv6 enable
FW
ipv6 enable
接口
man ping
man ssh
4.SW2 配置 DHCPv4 和 DHCPv6,分别为 Vlan11、Vlan21、Vlan130、Vlan140、Vlan150 分配地址。DHCPv4 地址池名称分别为 PC1、PC2、AP1、POOLv4-VLAN11、POOLv4-VLAN21、POOLv4-VLAN130POOLv4-VLAN140 、POOLv4-VLAN150 ,排除网关, DNS 为 10.4.210.101 和10.4.220.101。DHCPv6 地址池名称分别为 POOLv6-VLAN11、POOLv6-VLAN21、POOLv6-VLAN130、POOLv6-VLAN140、POOLv6-VLAN150,DHCPv6地址池用网络前缀表示,排除网关,DNS 为 2400:3200::1。PC1 保留地址 10.4.11.9(DHCPv4 地址池名称为 PC1)和 2001:10:4:11::9,PC2保留地址 10.4.21.9(DHCPv4 地址池名称为 PC2)和 2001:10:4:21::9,AP1 保 留 地 址 10.4.130.9 ( DHCPv4 地 址 池 名 称 为 AP1 ) 和2001:10:4:130::9。SW1、AC1 中继地址为 SW2 Loopback1 地址。SW1启用 DHCPv4 和 DHCPv6 snooping 功能,如果 E1/0/1 连接 DHCPv4 服务器,则关闭端口,恢复时间为 10 分钟。
SW1
service dhcp
!
ip forward-protocol udp bootps
!
ip dhcp snooping enable
!
service dhcpv6
!
savi enable
savi ipv6 dhcp-only enable
!
Interface Ethernet1/0/1
ip dhcp snooping action shutdown recovery 600
!
interface Vlan11
no ipv6 nd suppress-ra
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ip helper-address 10.4.2.1
ipv6 dhcp relay destination 2001:10:4:2::1
!
SW2
service dhcp
!
ip forward-protocol udp bootps
!
ip dhcp pool POOLv4-VLAN11
network-address 10.4.11.0 255.255.255.0
default-router 10.4.11.1
dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN21
network-address 10.4.21.0 255.255.255.0
default-router 10.4.21.1
dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN130
network-address 10.4.130.0 255.255.255.0
default-router 10.4.130.1
dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN140
network-address 10.4.140.0 255.255.255.0
default-router 10.4.140.1
dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN150
network-address 10.4.150.0 255.255.255.0
default-router 10.4.150.1
dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool AP1
host 10.4.130.9 255.255.255.0
hardware-address 00-03-0F-D9-CD-C0
!
ip dhcp pool PC1
host 10.4.11.9 255.255.255.0
hardware-address C0-18-03-BB-9F-94
!
ip dhcp pool PC2
host 10.4.21.9 255.255.255.0
hardware-address 98-0E-24-AB-83-F1
!
service dhcpv6
!
ipv6 dhcp pool POOLv6-VLAN11
network-address 2001:10:4:11::1 64
static-binding 2001:10:4:11::9 c0-18-03-bb-9f-94
excluded-address 2001:10:4:11::1
dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN21
network-address 2001:10:4:21::1 64
static-binding 2001:10:4:21::9 98-0e-24-ab-83-f1
excluded-address 2001:10:4:21::1
dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN130
network-address 2001:10:4:130::1 64
static-binding 2001:10:4:130::9 00-03-0f-d9-cd-c0
excluded-address 2001:10:4:130::1
dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN140
network-address 2001:10:4:140::1 64
excluded-address 2001:10:4:140::1
dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN150
network-address 2001:10:4:150::1 64
excluded-address 2001:10:4:150::1
dns-server 2400:3200::1
!
5.SW1、SW2、SW3、RT1 以太链路、RT2 以太链路、FW1、FW2、AC1 之间运行 OSPFv2 和 OSPFv3 协议(路由模式发布网络用网络地址,按照IP 地址从小到大的顺序发布。每个 prefix-list 的序号从 5 开始,按照 IP 地址从小到大的顺序递增 5;route-map 的序号从 10 开始,递增 10,route-map 名称与 prefix-list 名称相同。每个 ACL 序号从10 开始,按照 IP 地址从小到大的顺序递增 10)。
SW1、SW2、SW3、RT1、RT2、FW1 之间 OSPFv2 和 OSPFv3 协议,process1,area 0,分别发布 Loopback1 地址路由和产品路由,FW1 通告 type1默认路由。
SW1
router ospf 1
ospf router-id 10.4.1.1
network 10.4.1.1/32 area 0
network 10.4.11.0/24 area 0
network 10.4.255.0/30 area 0
network 10.4.255.4/30 area 0
network 10.4.255.12/30 area 0
!
router ipv6 ospf 1
router-id 10.4.1.1
!
interface Loopback1
ipv6 router ospf area 0 tag 1
!
interface Vlan1019
ipv6 router ospf area 0 tag 1
!
interface Vlan1020
ipv6 router ospf area 0 tag 1
!
interface Vlan1023
ipv6 router ospf area 0 tag 1
!
interface Vlan11
ipv6 router ospf area 0 tag 1
!
SW2
router ospf 1
ospf router-id 10.4.2.1
network 10.4.2.1/32 area 0
network 10.4.21.0/24 area 0
network 10.4.255.0/30 area 0
network 10.4.255.8/30 area 0
network 10.4.255.20/30 area 0
!
router ipv6 ospf 1
router-id 10.4.2.1
!
interface Loopback1
ipv6 router ospf area 0 tag 1
!
interface Vlan1019
ipv6 router ospf area 0 tag 1
!
interface Vlan1020
ipv6 router ospf area 0 tag 1
!
interface Vlan1023
ipv6 router ospf area 0 tag 1
!
interface Vlan21
ipv6 router ospf area 0 tag 1
!
SW3
router ospf 1
ospf router-id 10.4.3.1
network 10.4.3.1/32 area 0
network 10.4.31.0/24 area 0
network 10.4.255.4/30 area 0
network 10.4.255.8/30 area 0
!
router ipv6 ospf 1
router-id 10.4.3.1
!
interface Loopback1
ipv6 router ospf area 0 tag 1
!
interface Vlan1019
ipv6 router ospf area 0 tag 1
!
interface Vlan1020
ipv6 router ospf area 0 tag 1
!
interface Vlan31
ipv6 router ospf area 0 tag 1
!
RT1
router ospf 1
router-id 10.4.5.1
network 10.4.5.1 255.255.255.255 area 0
network 10.4.255.32 255.255.255.252 area 0
network 10.4.255.16 255.255.255.252 area 0
network 10.4.255.20 255.255.255.252 area 0
!
router ospfv3 1
router-id 10.4.5.1
!
interface Loopback1
ipv6 enable
ipv6 ospf 1 area 0
!
interface GigaEthernet0/0
ipv6 enable
ipv6 ospf 1 area 0
!
interface GigaEthernet0/1
ipv6 enable
ipv6 ospf 1 area 0
!
interface GigaEthernet0/2
ipv6 enable
ipv6 ospf 1 area 0
!
RT2
router ospf 1
router-id 10.4.6.1
network 10.4.6.1 255.255.255.255 area 0
network 10.4.255.32 255.255.255.252 area 0
!
router ospfv3 1
router-id 10.4.6.1
!
interface Loopback1
ipv6 enable
ipv6 ospf 1 area 0
!
interface GigaEthernet0/0
ipv6 enable
ipv6 ospf 1 area 0
!
FW1
router ospf 1
router-id 10.4.7.1
default-information originate type 1
network 10.4.7.1/32 area 0
network 10.4.255.12/30 area 0
network 10.4.255.16/30 area 0
exit
ipv6 router ospf 1
router-id 10.4.7.1
exit
interface loopback1
ipv6 enable
ipv6 ospf 1 area 0
exit
interface ethernet0/1
ipv6 enable
ipv6 ospf 1 area 0
exit
interface ethernet0/2
ipv6 enable
ipv6 ospf 1 area 0
exit
RT2 与 AC1 之间运行 OSPFv2 协议,process 1,area 1 nssa no-summary;AC1 发布 Loopback1 地址路由、管理、产品和营销路由,用prefix-list 重发布 Loopback3,prefix-list 名称为 AC1-Loopback3-IPv4。
RT2 与 AC1 之间运行 OSPFv3 协议,process 1,area 1 stub no-summary;AC1 发布 Loopback1 地址路由、管理、产品和营销路由。
RT2
router ospf 1
network 10.4.255.44 255.255.255.252 area 1
area 1 nssa no-summary
!
router ospfv3 1
area 1 stub no-summary
!
interface GigaEthernet0/1
ipv6 enable
ipv6 ospf 1 area 1
!
AC1
ip prefix-list ACL-Loopback3-IPv4 seq 5 permit 10.4.4.3/32
!
route-map ACL-Loopback3-IPv4 permit 10
match ip address prefix-list ACL-Loopback3-IPv4
!
router ospf 1
ospf router-id 10.4.4.1
area 1 nssa no-summary
network 10.4.4.1/32 area 1
network 10.4.130.0/24 area 1
network 10.4.140.0/24 area 1
network 10.4.150.0/24 area 1
network 10.4.255.44/30 area 1
redistribute connected route-map ACL-Loopback3-IPv4
!
router ipv6 ospf 1
router-id 10.4.4.1
area 1 stub no-summary
!
interface Loopback1
ipv6 router ospf area 1 tag 1
!
interface Vlan1001
ipv6 router ospf area 1 tag 1
!
interface Vlan130
ipv6 router ospf area 1 tag 1
!
interface Vlan140
ipv6 router ospf area 1 tag 1
!
interface Vlan150
ipv6 router ospf area 1 tag 1
!
RT1、FW2、SW3 模拟办事处之间运行 OSPFv2 和 OSPFv3 协议,process2,area 2。SW3 模拟办事处发布 Loopback2、产品和营销路由。FW2发布 Loopback1 路由。RT1 发布 Loopback4 路由,向该区域通告 type1默认路由;RT1 用 prefix-list 匹配 SW3 模拟办事处 Loopback2 和产品路由、FW2 Loopback1 路由(prefix-list 名称分别为 SW3-FW2-IPv4和 SW3-FW2-IPv6)、RT1 与 FW2 直连 IPv4 路由(prefix-list 名称为RT1-FW2-IPv4),以上路由重发布到 process 1。
SW3 Office
router ospf 2 vrf Office
ospf router-id 10.4.3.2
network 10.4.3.2/32 area 2
network 10.4.110.0/24 area 2
network 10.4.120.0/24 area 2
network 10.4.255.28/30 area 2
!
router ipv6 ospf 2 vrf Office
router-id 10.4.3.2
!
interface Loopback2
ip vrf forwarding Office
ipv6 address 2001:10:4:3::2/128
ipv6 router ospf area 2 tag 2
ip address 10.4.3.2 255.255.255.255
!
interface Vlan1015
ip vrf forwarding Office
ipv6 router ospf area 2 tag 2
ip address 10.4.255.30 255.255.255.252
!
interface Vlan110
ip vrf forwarding Office
ipv6 address 2001:10:4:110::1/64
ipv6 router ospf area 2 tag 2
ip address 10.4.110.1 255.255.255.0
!
interface Vlan120
ip vrf forwarding Office
ipv6 address 2001:10:4:120::1/64
ipv6 router ospf area 2 tag 2
ip address 10.4.120.1 255.255.255.0
!
FW2
ip vrouter "trust-vr"
router ospf 2
router-id 10.4.8.1
network 10.4.8.1/32 area 2
network 10.4.255.24/30 area 2
network 10.4.255.28/30 area 2
exit
ipv6 router ospf 2
router-id 10.4.8.1
exit
exitinterface loopback1
zone "trust"
ipv6 enable
ipv6 ospf 2 area 2
exit
interface loopback1
zone "trust"
ipv6 enable
ipv6 ospf 2 area 2
exit
interface ethernet0/1
zone "dmz"
ipv6 enable
ipv6 ospf 2 area 2
exit
interface ethernet0/2
zone "trust"
ipv6 enable
ipv6 ospf 2 area 2
exit
RT1
ip route default Null0 //这里必须要加黑洞路由,否则无法生成OSPF默认路由
route-map SW3-FW2-IPv6 10 permit
match ipv6 address prefix-list SW3-FW2-IPv6
!
route-map SW3-FW2-IPv4 10 permit
match ip address prefix-list SW3-FW2-IPv4
!
ip prefix-list SW3-FW2-IPv4 seq 5 permit 10.4.3.2/32
ip prefix-list SW3-FW2-IPv4 seq 10 permit 10.4.255.24/30
!
ipv6 prefix-list SW3-FW2-IPv6 seq 5 permit 2001:10:4:3::2/128
ipv6 prefix-list SW3-FW2-IPv6 seq 10 permit 2001:10:4:110::/64
!
router ospf 2
router-id 10.4.5.4
network 10.4.5.4 255.255.255.255 area 2
network 10.4.255.24 255.255.255.252 area 2
redistribute ospf 1
default-information originate metric-type 1
!
router ospfv3 2
router-id 10.4.5.4
redistribute ospf 1
default-information originate metric-type 1
!
router ospf 1
redistribute ospf 2 route-map SW3-FW2-IPv4
!
router ospfv3 1
redistribute ospf 2 route-map SW3-FW2-IPv6
!
6.RT1 串行链路、RT2 串行链路、FW1、AC1 之间分别运行 RIP 和 RIPng协议,分别发布 Loopback2 地址路由(FW1 的 RIPng 发布路由时用接口名称)。RT1 配置 offset 值为 3 的路由策略,实现 RT1/S1/0-RT2/S1/1 为主链路,RT1/S1/1-RT2/S1/0 为备份链路,IPv4 的 ACL 名称为 ACL-RIP-IPv4,IPv6 的 ACL 名称为 ACL-RIP-IPv6。RT1 的 S1/0与 RT2 的 S1/1 之间采用 chap 双向认证,用户名为对端设备名称,密码为 Key-1122。
建立串口链路
RT1
aaa authentication login default none
aaa authentication enable default none 取消登录认证
aaa authentication ppp default local PPP认证方式本地
!
username RT2 password 0 Key-1122
!
interface Serial1/0
ip address 10.4.255.37 255.255.255.252
encapsulation ppp
ppp authentication chap
ppp chap hostname RT1
ppp chap password 0 Key-1122
physical-layer speed 2048000
ipv6 enable
!
interface Serial1/1
ip address 10.4.255.41 255.255.255.252
encapsulation ppp
ipv6 enable
!
RT2
aaa authentication login default none
aaa authentication enable default none
aaa authentication ppp default local
!
username RT71 password 0 Key-1122
!
interface Serial1/0
ip address 10.4.255.42 255.255.255.252
encapsulation ppp
ppp authentication chap
ppp chap hostname RT2
ppp chap password 0 Key-1122
physical-layer speed 2048000
ipv6 enable
!
interface Serial1/1
ip address 10.4.255.38 255.255.255.252
encapsulation ppp
ipv6 enable
!
RIP
RT1
ip access-list standard ACL-RIP-IPv4
permit any sequence 10
!
ipv6 access-list ACL-RIP-IPv6
permit ipv6 any any sequence 10
!
router rip 1
offset Serial1/1 in ACL-RIP-IPv4 3
offset Serial1/1 out ACL-RIP-IPv4 3
!
router ripng 1
offset Serial1/1 in ACL-RIP-IPv6 3
offset Serial1/1 out ACL-RIP-IPv6 3
!
interface Loopback2
ipv6 enable
ip rip 1 enable
ipv6 rip 1 enable
!
interface GigaEthernet0/1
ipv6 enable
ip rip 1 enable
ipv6 rip 1 enable
!
interface Serial1/0
ipv6 enable
ip rip 1 enable
ipv6 rip 1 enable
!
interface Serial1/1
ipv6 enable
ip rip 1 enable
ipv6 rip 1 enable
!
RT2
router rip 1
!
router ripng 1
!
interface Loopback2
ip address 10.4.6.2 255.255.255.255
ipv6 enable
ipv6 address 2001:10:4:6::2/128
ip rip 1 enable
*!
interface GigaEthernet0/1
ipv6 enable
ip rip 1 enable
ipv6 rip 1 enable
!
interface Serial1/0
ipv6 enable
ip rip 1 enable
ipv6 rip 1 enable
!
interface Serial1/1
ipv6 enable
ip rip 1 enable
ipv6 rip 1 enable
!
AC1
router rip
network 10.4.4.2/32
network 10.4.255.44/30
!
router ipv6 rip
!
interface Loopback2
ipv6 router rip
!
interface Vlan1001
ipv6 router rip
!
7.RT1 以太链路(物理速率为 2048000)、RT2 以太链路、FW1 之间运行 ISIS 协议,instance 1,实现 Loopback3 之间 IPv4 互通和 IPv6互 通 。 RT1 、 RT2 、 FW1 的 NET 分 别 为 10.0000.0000.0005.00 、 10.0000.0000.0006.00 、 10.0000.0000.0007.00 , 路 由 器 类 型 是Level-2,互联接口网络类型为点到点。
RT1
router isis 1
is-type level-2
net 10.0000.0000.0005.00
!
interface Loopback3
ipv6 enable
ip router isis 1
ipv6 router isis 1
!
interface GigaEthernet0/0
ipv6 enable
ip router isis 1
ipv6 router isis 1
isis network point-to-point
isis circuit-type level-2
!
interface GigaEthernet0/1
ipv6 enable
ip router isis 1
ipv6 router isis 1
isis network point-to-point
isis circuit-type level-2
!
FW1
router isis
net 10.0000.0000.0007.00
is-type level-2-only
exit
exit
interface loopback3
ipv6 enable
isis enable
isis ipv6 enable
exit
interface ethernet0/2
ipv6 enable
isis enable
isis circuit-type level-2-only
isis network point-to-point
isis ipv6 enable
exit
RT2
router isis 1
is-type level-2
net 10.0000.0000.0006.00
!
interface Loopback3
ipv6 enable
ip router isis 1
ipv6 router isis 1
!
interface GigaEthernet0/0
ipv6 enable
ip router isis 1
ipv6 router isis 1
isis network point-to-point
isis circuit-type level-2
!
8.SW1、SW2、SW3、RT1、RT2 之间运行 BGP 协议,SW1、SW2、RT1 AS号 65001、RT2 AS 号 65002、SW3 AS 号 65003。
SW1、SW2、SW3、RT1、RT2 之间通过 Loopback1 建立 IPv4 和 IPv6 BGP邻居。
SW1 和 SW2 之间财务通过 Loopback2 建立 IPv4 和 IPv6 BGP 邻居。SW1和 SW2 的 Loopback2 IPv4 互通采用静态路由;IPv6 互通采用 OSPFv3,process 2,area 2。
SW1、SW2、SW3 分别只发布营销、法务、人力、财务等 IPv4 和 IPv6路由;RT1 发布办事处营销 IPv4 和 IPv6 路由到 BGP;RT2 发布分公司营销 IPv4 和 IPv6 路由到 BGP。
SW1
router bgp 65001
network 10.4.12.0/24
network 10.4.13.0/24
network 10.4.15.0/24
neighbor 10.4.2.1 remote-as 65001
neighbor 10.4.2.1 update-source Loopback1
neighbor 10.4.2.1 next-hop-self
neighbor 10.4.3.1 remote-as 65003
neighbor 10.4.3.1 ebgp-multihop 255
neighbor 10.4.3.1 update-source Loopback1
neighbor 2001:10:4:2::1 remote-as 65001
neighbor 2001:10:4:2::1 update-source Loopback1
no neighbor 2001:10:4:2::1 activate
neighbor 2001:10:4:3::1 remote-as 65003
neighbor 2001:10:4:3::1 ebgp-multihop 255
neighbor 2001:10:4:3::1 update-source Loopback1
no neighbor 2001:10:4:3::1 activate
address-family ipv6 unicast
network 2001:10:4:12::/64
network 2001:10:4:13::/64
network 2001:10:4:15::/64
neighbor 2001:10:4:2::1 activate
neighbor 2001:10:4:3::1 activate
exit-address-family
address-family ipv4 vrf Finance
network 10.4.14.0/24
neighbor 10.4.2.2 remote-as 65001
exit-address-family
!
ip route vrf Finance 10.4.2.2/32 10.4.255.2
!
router ipv6 ospf 2 vrf Finance
router-id 10.4.1.2
!
interface Loopback2
ip vrf forwarding Finance
ipv6 router ospf area 2 tag 2
!
interface Vlan1024
ip vrf forwarding Finance
ipv6 router ospf area 2 tag 2
!
SW2
router bgp 65001
network 10.4.22.0/24
network 10.4.23.0/24
network 10.4.25.0/24
neighbor 10.4.1.1 remote-as 65001
neighbor 10.4.1.1 update-source Loopback1
neighbor 10.4.1.1 next-hop-self
neighbor 10.4.3.1 remote-as 65003
neighbor 10.4.3.1 ebgp-multihop 255
neighbor 10.4.3.1 update-source Loopback1
neighbor 10.4.5.1 remote-as 65001
neighbor 10.4.5.1 update-source Loopback1
neighbor 10.4.5.1 next-hop-self
neighbor 2001:10:4:1::1 remote-as 65001
neighbor 2001:10:4:1::1 update-source Loopback1
no neighbor 2001:10:4:1::1 activate
neighbor 2001:10:4:3::1 remote-as 65003
neighbor 2001:10:4:3::1 ebgp-multihop 255
neighbor 2001:10:4:3::1 update-source Loopback1
no neighbor 2001:10:4:3::1 activate
neighbor 2001:10:4:5::1 remote-as 65001
neighbor 2001:10:4:5::1 update-source Loopback1
no neighbor 2001:10:4:5::1 activate
address-family ipv6 unicast
network 2001:10:4:22::/64
network 2001:10:4:23::/64
network 2001:10:4:25::/64
neighbor 2001:10:4:1::1 activate
neighbor 2001:10:4:3::1 activate
neighbor 2001:10:4:5::1 activate
exit-address-family
address-family ipv4 vrf Finance
network 10.4.24.0/24
neighbor 10.4.1.2 remote-as 65001
exit-address-family
!
ip route vrf Finance 10.4.1.2/32 10.4.255.1
!
router ipv6 ospf 2 vrf Finance
router-id 10.4.2.2
!
interface Loopback2
ip vrf forwarding Finance
ipv6 router ospf area 2 tag 2
!
interface Vlan1024
ip vrf forwarding Finance
ipv6 router ospf area 2 tag 2
!
SW3
router bgp 65003
network 10.4.32.0/24
network 10.4.33.0/24
network 10.4.35.0/24
neighbor 10.4.1.1 remote-as 65001
neighbor 10.4.1.1 ebgp-multihop 255
neighbor 10.4.1.1 update-source Loopback1
neighbor 10.4.2.1 remote-as 65001
neighbor 10.4.2.1 ebgp-multihop 255
neighbor 10.4.2.1 update-source Loopback1
neighbor 2001:10:4:1::1 remote-as 65001
neighbor 2001:10:4:1::1 ebgp-multihop 255
neighbor 2001:10:4:1::1 update-source Loopback1
no neighbor 2001:10:4:1::1 activate
neighbor 2001:10:4:2::1 remote-as 65001
neighbor 2001:10:4:2::1 ebgp-multihop 255
neighbor 2001:10:4:2::1 update-source Loopback1
no neighbor 2001:10:4:2::1 activate
address-family ipv6 unicast
network 2001:10:4:32::/64
network 2001:10:4:33::/64
network 2001:10:4:35::/64
neighbor 2001:10:4:1::1 activate
neighbor 2001:10:4:2::1 activate
exit-address-family
!
RT1
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 10.4.110.0/24
neighbor 10.4.2.1 remote-as 65001
neighbor 10.4.2.1 update-source Loopback1
neighbor 10.4.2.1 next-hop-self
neighbor 10.4.6.1 remote-as 65002
neighbor 10.4.6.1 ebgp-multihop 255
neighbor 10.4.6.1 update-source Loopback1
neighbor 2001:10:4:2::1 remote-as 65001
neighbor 2001:10:4:2::1 update-source Loopback1
no neighbor 2001:10:4:2::1 activate
neighbor 2001:10:4:6::1 remote-as 65002
neighbor 2001:10:4:6::1 ebgp-multihop 255
neighbor 2001:10:4:6::1 update-source Loopback1
no neighbor 2001:10:4:6::1 activate
address-family ipv6
no synchronization
network 2001:10:4:110::/64
neighbor 2001:10:4:2::1 activate
neighbor 2001:10:4:6::1 activate
exit-address-family
!
RT2
router bgp 65002
no synchronization
bgp log-neighbor-changes
neighbor 10.4.5.1 remote-as 65001
neighbor 10.4.5.1 ebgp-multihop 255
neighbor 10.4.5.1 update-source Loopback1
neighbor 2001:10:4:5::1 remote-as 65001
neighbor 2001:10:4:5::1 ebgp-multihop 255
neighbor 2001:10:4:5::1 update-source Loopback1
no neighbor 2001:10:4:5::1 activate
address-family ipv6
no synchronization
neighbor 2001:10:4:5::1 activate
exit-address-family
!
SW3 营销分别与 SW1 和 SW2 营销 IPv4 和 IPv6 互访优先在 SW1-SW3 链路转发;SW3 法务及人力分别与 SW1 和 SW2 法务及人力 IPv4 和 IPv6互访优先在 SW2-SW3 链路转发,主备链路相互备份;在 SW3 上用prefix-list、route-map 和 BGP 路径属性进行选路,新增 AS 65000。(SW1 和 SW2 营销路由 prefix-list 名称分别为 SW1-SW2-YX-IPv4 和SW1-SW2-YX-IPv6、法务及人力路由 prefix-list 名称分别为 SW1-SW2-FWRL-IPv4 和 SW1-SW2-FWRL-IPv6;SW3 营销路由 prefix-list 名称分别为 SW3-YX-IPv4 和 SW3-YX-IPv6、法务及人力路由 prefix-list名称分别为 SW3-FWRL-IPv4 和 SW3-FWRL-IPv6)
SW3
ip prefix-list SW1-SW2-FWRL-IPv4 seq 5 permit 10.4.23.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 10 permit 10.4.13.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 15 permit 10.4.15.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 20 permit 10.4.25.1/24
ip prefix-list SW1-SW2-YX-IPv4 seq 5 permit 10.4.12.1/24
ip prefix-list SW1-SW2-YX-IPv4 seq 10 permit 10.4.22.1/24
ip prefix-list SW3-FWRL-IPv4 seq 5 permit 10.4.33.1/24
ip prefix-list SW3-FWRL-IPv4 seq 10 permit 10.4.35.1/24
ip prefix-list SW3-YX-IPv4 seq 5 permit 10.4.32.1/24
!
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 5 permit 2001:10:4:23::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 10 permit 2001:10:4:13::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 15 permit 2001:10:4:15::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 20 permit 2001:10:4:25::1/64
ipv6 prefix-list SW1-SW2-YX-IPv6 seq 5 permit 2001:10:4:12::1/64
ipv6 prefix-list SW1-SW2-YX-IPv6 seq 10 permit 2001:10:4:22::1/64
ipv6 prefix-list SW3-FWRL-IPv6 seq 5 permit 2001:10:4:35::1/64
ipv6 prefix-list SW3-FWRL-IPv6 seq 10 permit 2001:10:4:33::1/64
ipv6 prefix-list SW3-YX-IPv6 seq 5 permit 2001:10:4:32::1/64
!
route-map SW1-SW2-YX-IPv4 permit 10
match ip address prefix-list SW1-SW2-YX-IPv4
set as-path prepend 65000
set ip next-hop 10.4.1.1
!
route-map SW1-SW2-YX-IPv4 permit 20
!
route-map SW1-SW2-FWRL-IPv4 permit 10
match ip address prefix-list SW1-SW2-FWRL-IPv4
set as-path prepend 65000
set ip next-hop 10.4.2.1
!
route-map SW1-SW2-FWRL-IPv4 permit 20
!
route-map SW3-FWRL-IPv4 permit 10
match ip address prefix-list SW3-FWRL-IPv4
set as-path prepend 65000
set ip next-hop 10.4.2.1
!
route-map SW3-FWRL-IPv4 permit 20
!
route-map SW3-YX-IPv4 permit 10
match ip address prefix-list SW3-YX-IPv4
set as-path prepend 65000
set ip next-hop 10.4.1.1
!
route-map SW3-YX-IPv4 permit 20
!
route-map SW1-SW2-YX-IPv6 permit 10
match ipv6 address prefix-list SW1-SW2-YX-IPv6
set as-path prepend 65000
set ipv6 next-hop 2001:10:4:1::1
!
route-map SW1-SW2-YX-IPv6 permit 20
!
route-map SW1-SW2-FWRL-IPv6 permit 10
match ipv6 address prefix-list SW1-SW2-FWRL-IPv6
set as-path prepend 65000
set ipv6 next-hop 2001:10:4:2::1
!
route-map SW1-SW2-FWRL-IPv6 permit 20
!
route-map SW3-FWRL-IPv6 permit 10
match ipv6 address prefix-list SW3-FWRL-IPv6
set as-path prepend 65000
set ipv6 next-hop 2001:10:4:2::1
!
route-map SW3-FWRL-IPv6 permit 20
!
route-map SW3-YX-IPv6 permit 10
match ipv6 address prefix-list SW3-YX-IPv6
set as-path prepend 65000
set ipv6 next-hop 2001:10:4:1::1
!
route-map SW3-YX-IPv6 permit 20
!
router bgp 65003
neighbor 10.4.1.1 route-map SW1-SW2-FWRL-IPv4 in
neighbor 10.4.1.1 route-map SW3-FWRL-IPv4 out
neighbor 10.4.2.1 route-map SW1-SW2-YX-IPv4 in
neighbor 10.4.2.1 route-map SW3-YX-IPv4 out
address-family ipv6 unicast
neighbor 2001:10:4:1::1 route-map SW1-SW2-FWRL-IPv6 in
neighbor 2001:10:4:1::1 route-map SW3-FWRL-IPv6 out
neighbor 2001:10:4:2::1 route-map SW1-SW2-YX-IPv6 in
neighbor 2001:10:4:2::1 route-map SW3-YX-IPv6 out
exit-address-family
!
9.利用 BGP MPLS VPN 技术,RT1 与 RT2 以太链路间运行多协议标签交换、标签分发协议。RT1 与 RT2 间创建财务 VPN 实例,名称为 Finance,RT1 的 RD 值为 1:1,export rt 值为 1:2,import rt 值为 2:1;RT2的 RD 值为 2:2。通过两端 Loopback1 建立 VPN 邻居,分别实现两端Loopback5 IPv4 互通和 IPv6 互通。
RT1
ipv6 unicast-routing
ipv6 vrf Finance
rd 1:1
route-target import 2:1
route-target export 1:2
!
!
!
mpls ip
mpls ldp router-id 10.4.5.1
!
!
ip vrf Finance
rd 1:1
route-target export 1:2
route-target import 2:1
!
interface Loopback1
ipv6 enable
mpls ip encapsulate
!
interface Loopback5
ip vrf forwarding Finance
ip address 10.4.5.5 255.255.255.255
ipv6 enable
ipv6 address 2001:10:4:5::5/128
ipv6 vrf forwarding Finance
mpls ip encapsulate
!
interface GigaEthernet0/0
ipv6 enable
mpls ip
mpls ip encapsulate
mpls ldp enable
!
router bgp 65001
address-family vpnv4
neighbor 10.4.6.1 activate
neighbor 10.4.6.1 send-community extended
exit-address-family
address-family vpnv6
neighbor 2001:10:4:6::1 activate
neighbor 2001:10:4:6::1 send-community extended
exit-address-family
address-family ipv4 vrf Finance
no synchronization
network 10.4.5.5/32
exit-address-family
address-family ipv6 vrf Finance
no synchronization
network 2001:10:4:5::5/128
exit-address-family
!
RT2
ipv6 unicast-routing
ipv6 vrf Finance
rd 2:2
route-target import 1:2
route-target export 2:1
!
!
!
mpls ip
mpls ldp router-id 10.4.6.1
!
!
ip vrf Finance
rd 2:2
route-target export 2:1
route-target import 1:2
!
interface Loopback1
ipv6 enable
mpls ip encapsulate
!
interface Loopback5
ip vrf forwarding Finance
ip address 10.4.6.5 255.255.255.255
ipv6 enable
ipv6 address 2001:10:4:6::5/128
ipv6 vrf forwarding Finance
mpls ip encapsulate
!
interface GigaEthernet0/0
ipv6 enable
mpls ip
mpls ip encapsulate
mpls ldp enable
!
router bgp 65002
address-family vpnv4
neighbor 10.4.5.1 activate
neighbor 10.4.5.1 send-community extended
exit-address-family
address-family vpnv6
neighbor 2001:10:4:5::1 activate
neighbor 2001:10:4:5::1 send-community extended
exit-address-family
address-family ipv4 vrf Finance
no synchronization
network 10.4.6.5/32
exit-address-family
address-family ipv6 vrf Finance
no synchronization
network 2001:10:4:6::5/128
exit-address-family
!
10.RT2 配置 IPv4 NAT,ACL 名称为 ACL-NAT,实现 AC1 IPv4 产品用RT2 外网接口 IPv4 地址访问 Internet。RT2 配置 NAT64,ACL 名称为ACL-NAT64,实现 AC1 IPv6 产品用 RT2 外网接口 IPv4 地址访问Internet,IPv4 地址转 IPv6 地址前缀为 64:ff9b::/96。
RT2
interface GigaEthernet0/1
ip nat inside
!
interface GigaEthernet0/2
ip nat outside
!
ip access-list standard ACL-NAT
permit 10.4.140.1 255.255.255.255 sequence 10
!
ipv6 access-list ACL-NAT64
permit ipv6 2001:10:4:140::/64 any sequence 10
!
ip nat inside source list ACL-NAT interface GigaEthernet0/2
!
ipv6 nat v6v4 source list ACL-NAT64 interface GigaEthernet0/2
ipv6 nat prefix 64:FF9B::/96 v4-mapped ACL-NAT64
!
(四)无线部署
1.AC1 与 AP1 相 连 接 口 只 允许 Vlan140 和 Vlan150 通过 。 AC1Loopback1 IPv4 和 IPv6 地址分别作为 AC1 的 IPv4 和 IPv6 管理地址。AP 二层自动注册,AP 采用 MAC 地址认证。配置 2 个 ssid,分别为 SKILLS-2.4G 和 SKILLS-5G。SKILLS-2.4G 对应 Vlan140,用 Network140 和 radio1(profile 1, mode n-only-g),用户接入无线网络时需要采用基于 WPA-personal 加密方式,密码为 Key-1122,用第一个可用 VAP 发送 2.4G 信号。SKILLS-5G 对应 Vlan150,用 Network 150和 radio2(profile 1, mode n-only-a),不需要认证,隐藏 ssid,SKILLS-5G 用倒数第一个可用 VAP 发送 5G 信号。
AC1
service dhcp
!
ip forward-protocol udp bootps
!
!
!
!
!
service dhcpv6
!
interface Vlan130
no ipv6 nd suppress-ra
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ip helper-address 10.4.2.1
ipv6 dhcp relay destination 2001:10:4:2::1
!
interface Vlan140
no ipv6 nd suppress-ra
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ip helper-address 10.4.2.1
ipv6 dhcp relay destination 2001:10:4:2::1
!
interface Vlan150
no ipv6 nd suppress-ra
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ip helper-address 10.4.2.1
ipv6 dhcp relay destination 2001:10:4:2::1
!
no login
wireless
ap authentication mac
discovery ip-list 10.4.130.1
discovery ipv6-list 2001:10:4:130::1
discovery vlan-list 130
discovery vlan-list 1309
static-ip 10.4.4.1
static-ipv6 2001:10:4:4::1
network 1
device-finger enable
!
network 2
!
network 3
!
network 4
!
network 5
!
network 6
!
network 7
!
network 8
!
network 9
!
network 10
!
network 11
!
network 12
!
network 13
!
network 14
!
network 15
!
network 16
!
network 140
security mode wpa-personal
ssid SKILLS-2.4G
wpa key encrypted 02ee7ad3f247f1845d18a798ec17abd797a22f75a0f6cb5e2c2804706125ef61c2140fd7205150769d49a0b7b9f374be1975498ce48aa688ad20960fef0af8ba 這裏顯示的是加密後的密鑰
!
network 150
hide-ssid
security mode wpa-personal
ssid SKILLS-5G
wpa key encrypted 02ee7ad3f247f1845d18a798ec17abd797a22f75a0f6cb5e2c2804706125ef61638f74dd55fd7f488a91c44652e1488e8a05bf91c1e6b02e805411e69bbbb31d
!
ap load-balance template 1
!
ap air-match template 1
air-match load-balance session
air-match load-balance session 2
!
ap profile 1
channel-plan an time 05:00
channel-plan bgn time 05:00
air-match template 1
radio 1
mode n-only-g
vap 0
network 140
!
!
radio 2
mode n-only-a
vap 0
!
vap 15
enable
network 150
!
!
radio 3
vap 0
!
!
!
ap database 00-03-0f-d9-cd-c0
!
(五)安全维护
1.FW1 配置 IPv4 NAT,id 为 1,实现集团产品 1 段 IPv4 访问 InternetIPv4,转换 ip/mask 为 200.200.200.16/28,保证每一个源 ip 产生的所有会话将被映射到同一个固定的 IP 地址。
2.FW1 配置 NAT64,id 为 2,实现集团产品 1 段 IPv6 访问 InternetIPv4,转换为出接口 IP,IPv4 转 IPv6 地址前缀为 64:ff9b::/96。3.FW1 和 FW2 策略默认动作为拒绝,FW1 允许 集团产品 1 段 IPv4 和IPv6 访问 Internet 任意服务。
### 3.FW1 和 FW2 策略默认动作为拒绝,FW1 允许 集团产品 1 段 IPv4 和IPv6 访问 Internet 任意服务。<-防火墻默認動作為拒絕->
4.FW2 允许办事处产品 IPv4 访问集团产品 1 段 https 服务,允许集团产品 1 段和产品 2 段访问 SW3 模拟办事处 Loopback2 IPv4、FW2Loopback1 IPv4、办事处产品 IPv4。
5.FW1 与 RT2 之间用 Internet 互联地址建立 GRE Over IPSec VPN,实现 Loopback4 之间的加密访问。RT2 的 ACL 名称为 ACL-VPN,transform-set 名称为 SET-1,crypto map 名称为 MAP-1。FW1 的isakmp proposal 名称为 P-1,isakmp peer 名称为 PEER-1,ipsecproposal 名称为 P-2,tunnel ipsec 名称为 IPSEC-1,tunnel gre 名称为 GRE-1。
SW3 Internet
ip route vrf Internet 0.0.0.0/0 200.200.200.2
ip route vrf Internet 0.0.0.0/0 200.200.200.5
!
RT2
ip route default 200.200.200.5
!
ip access-list extended ACL-VPN
permit gre 200.200.200.6 255.255.255.252 200.200.200.2 255.255.255.252 sequence 10
!
interface Tunnel4
ip address 10.4.255.50 255.255.255.252
tunnel source 200.200.200.6
tunnel destination 200.200.200.2
!
crypto isakmp key 0 Key-1122 address 200.200.200.2 255.255.255.252
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
lifetime 4000
!
crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
mode transport
!
crypto map MAP-1 10 ipsec-isakmp
match address ACL-VPN
set peer 200.200.200.2
set transform-set SET-1
!
interface GigaEthernet0/2
ipv6 enable
crypto map MAP-1
!
ip route 10.4.7.4 255.255.255.255 Tunnel4
!
FW2
FW1
tunnel gre "GRE-1"
source 200.200.200.2
destination 200.200.200.6
interface ethernet0/3
next-tunnel ipsec IPSEC-1
exit
interface tunnel4
zone "VPNHub"
ip address 10.4.255.49 255.255.255.252
manage ping
tunnel gre "GRE-1" gw 10.4.255.50
exit
ip vrouter "trust-vr"
ip route 0.0.0.0/0 200.200.200.1
ip route 10.4.6.4/32 10.4.255.50
exit
