
# 20210106 Cisco GRE

## Class Materials

{% embed url="<https://www.jannet.hk/zh-Hant/post/generic-routing-encapsulation-gre/>" %}

{% embed url="<https://www.jannet.hk/zh-Hant/post/internet-protocol-security-ipsec/>" %}

{% embed url="<https://www.jannet.hk/zh-Hant/post/gre-over-ipsec-vs-ipsec-over-gre/>" %}

## Class Exercises

### GRE

![](/files/-MQKUyqUBStrg2tfR-Z6)

#### Hub-to-spoke Topology

{% tabs %}
{% tab title="R1" %}

```
int lo 0
 ip add 192.168.1.1 255.255.255.0
 no shut
int e0/0
 ip add 10.0.14.1 255.255.255.0
 no shut
router rip
 ver 2
 no auto-summary
 net 10.0.14.0
 net 172.16.0.0
 net 192.168.0.0
```

> #### Build the Tunnel Between R1 and R2

```
int tunnel 12
 ip add 172.16.12.1 255.255.255.0
 tunnel source e0/0
 tunnel destination 10.0.24.2
```

> #### Build the Tunnel Between R1 and R3

```
int tunnel 13
 ip add 172.16.13.1 255.255.255.0
 tunnel source e0/0
 tunnel destination 10.0.34.3
```

![](/files/-MQK_or7kQJ_pgrV-qN0)

> #### Ping R2 / R3 from R1 to Test Tunnel Connectivity

```
do ping 172.16.12.2 source 172.16.12.1
do ping 172.16.13.3 source 172.16.12.1
```

![](/files/-MQKol_cUIjpcUPhRG_S)
{% endtab %}

{% tab title="R2" %}

```
int lo 0
 ip add 192.168.2.2 255.255.255.0
 no shut
int e0/0
 ip add 10.0.24.2 255.255.255.0
 no shut
router rip
 ver 2
 no auto-summary
 net 10.0.24.0
 net 172.16.0.0
```

> #### Build the Tunnel Between R1 and R2

```
int tunnel 12
 ip add 172.16.12.2 255.255.255.0
 tunnel source e0/0
 tunnel destination 10.0.14.1
```

![](/files/-MQKaRqZ3_8ZOEQytf6I)

> #### Ping R2 / R3 from R1 to Test Tunnel Connectivity

```
do ping 172.16.13.3 source 172.16.12.2
exit
exit
traceroute 172.16.13.3 source 172.16.12.2
```

![](/files/-MQR8cCwUvte4EaqS4xU)
{% endtab %}

{% tab title="R3" %}

```
int lo 0
 ip add 192.168.3.3 255.255.255.0
 no shut
int e0/0
 ip add 10.0.34.3 255.255.255.0
 no shut
router rip
 ver 2
 no auto-summary
 net 10.0.34.0
 net 172.16.0.0
```

> #### Build the Tunnel Between R1 and R3

```
int tunnel 13
 ip add 172.16.13.3 255.255.255.0
 tunnel source e0/0
 tunnel destination 10.0.14.1
```

![](/files/-MQKawevM18EDPRzA0jl)
{% endtab %}

{% tab title="R4" %}

```
int e0/0
 ip add 10.0.14.4 255.255.255.0
 no shut
int e0/1
 ip add 10.0.24.4 255.255.255.0
 no shut
int e0/2
 ip add 10.0.34.4 255.255.255.0
 no shut
router rip
 ver 2
 no auto-summary
 net 10.0.14.0
 net 10.0.24.0
 net 10.0.34.0
 net 172.16.0.0
```

![](/files/-MQKdUf-auiyjfuhGuW7)
{% endtab %}
{% endtabs %}

#### Routing Protocol

{% tabs %}
{% tab title="R1" %}

```
router eigrp 1
 net 172.16.12.0 0.0.0.255
 net 172.16.13.0 0.0.0.255
 net 192.168.1.0
 no auto-summary
```

![](/files/-MQKktzhZNUG3_56vO5w)

```
do sh ip ro eigrp 1
do ping 192.168.2.2 source 192.168.1.1
do ping 192.168.3.3 source 192.168.1.1
```

![](/files/-MQKpZ-IiPf__1yXk43J)
{% endtab %}

{% tab title="R2" %}

```
conf t
router eigrp 1
 net 172.16.12.0 0.0.0.255
 net 192.168.2.0
 no auto-summary
```

![](/files/-MQKlAf5VgueL6i83QGs)

```
do sh ip ro eigrp 1
```

![](/files/-MQKqDx3PjckQAqOHaTE)

```
exit
exit
traceroute 172.16.13.3 source 172.16.12.2
```

![](/files/-MQR9jMUmev_oxiyEcua)
{% endtab %}

{% tab title="R3" %}

```
router eigrp 1
 net 172.16.13.0 0.0.0.255
 net 192.168.3.0
 no auto-summary
```

![](/files/-MQKlQ9dNiC7Hu71OrBK)
{% endtab %}
{% endtabs %}

#### IPSec over GRE Tunnel

{% tabs %}
{% tab title="R1" %}

```
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set TS esp-3des ah-sha-hmac
 exit
crypto isakmp key ccie add 10.0.24.2
crypto isakmp key ccie add 10.0.34.3
crypto ipsec profile PF
 set transform-set TS
int tunnel 12
 tunnel protection ipsec profile PF
```

![](/files/-MQRAYBd79f1uFax-UJ_)
{% endtab %}

{% tab title="R2" %}

```
conf t
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set TS esp-3des ah-sha-hmac
 exit
! The key's peer address must be R1's e0/0, the tunnel destination
crypto isakmp key ccie add 10.0.14.1
crypto isakmp key ccie add 10.0.34.3
crypto ipsec profile PF
 set transform-set TS
int tunnel 12
 tunnel protection ipsec profile PF
```

![](/files/-MQRAwKkD4A7QTblYeMU)
{% endtab %}

{% tab title="R3" %}

```
exit
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set TS esp-3des ah-sha-hmac
 exit
! The key's peer address must be R1's e0/0, the tunnel destination
crypto isakmp key ccie add 10.0.14.1
crypto isakmp key ccie add 10.0.24.2
crypto ipsec profile PF
 set transform-set TS
int tunnel 12
 tunnel protection ipsec profile PF
```

![](/files/-MQRBK7HZq_y3RZmOy-7)
{% endtab %}

{% tab title="R4" %}
![](/files/-MQRCA-puQivHqw5N6sQ)
{% endtab %}
{% endtabs %}

### IPsec

![](/files/-MQS7wYZHgN5DiHh2IGw)

#### Configuration

{% tabs %}
{% tab title="R1" %}

```
int e0/0
 ip add 192.168.13.1 255.255.255.0
 no shut
int e0/1
 ip add 192.168.10.1 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 192.168.13.3
```

![](/files/-MQSABgd-wnCqBFKWSBx)

```
do ping 192.168.23.2
do ping 192.168.20.1
```

![](/files/-MQSAzfNPwAMI18MVyPy)
{% endtab %}

{% tab title="R2" %}

```
int e0/0
 ip add 192.168.23.2 255.255.255.0
 no shut
int e0/1
 ip add 192.168.20.1 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 192.168.23.3
```

{% endtab %}

{% tab title="R3" %}

```
int e0/0
 ip add 192.168.13.3 255.255.255.0
 no shut
int e0/1
 ip add 192.168.23.3 255.255.255.0
 no shut
 exit
```

{% endtab %}
{% endtabs %}

#### Configure Interesting Traffic

{% tabs %}
{% tab title="R1" %}

```
ip access-list extended VPN-Traffic
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 exit
```

![](/files/-MQRHzVsArkbXD6BEurq)
{% endtab %}

{% tab title="R2" %}

```
ip access-list extended VPN-Traffic
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 exit
```

![](/files/-MQRI95Dt1UnUJ1zu2Yz)
{% endtab %}
{% endtabs %}

#### Configure IKE Phase 1 Parameters

{% tabs %}
{% tab title="R1" %}

```
crypto isakmp policy 1
 encryption aes
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
```

![](/files/-MQRIOdRaobxLBY0fIzQ)
{% endtab %}

{% tab title="R2" %}

```
crypto isakmp policy 1
 encryption aes
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
```

![](/files/-MQRIZwK2EVfYUQoeI_u)
{% endtab %}
{% endtabs %}

#### Configure IKE Phase 2 Parameters

{% tabs %}
{% tab title="R1" %}

```
exit
crypto ipsec transform-set TS esp-3des ah-sha-hmac
```

![](/files/-MQRIsCjB8ltZsYLmHkh)
{% endtab %}

{% tab title="R2" %}

```
exit
crypto ipsec transform-set TS esp-3des ah-sha-hmac
```

![](/files/-MQRIySw-1KpVx0wEbNa)
{% endtab %}
{% endtabs %}

#### Configure the Pre-shared Key

{% tabs %}
{% tab title="R1" %}

```
crypto isakmp key 6 ccie add 192.168.23.2
```

![](/files/-MQRJ5WPCG35dMrrbZ-e)
{% endtab %}

{% tab title="R2" %}

```
crypto isakmp key 6 ccie add 192.168.13.1
```

![](/files/-MQRJYvyNicGiRt7lxKv)
{% endtab %}
{% endtabs %}

#### Define the Crypto Map

{% tabs %}
{% tab title="R1" %}

```
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.23.2
 set transform-set TS
 match add VPN-Traffic
int e0/0
 crypto map CMAP
```

![](/files/-MQRJmvlRWOnKCSPUKtA)
{% endtab %}

{% tab title="R2" %}

```
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.13.1
 set transform-set TS
 match add VPN-Traffic
int e0/0
 crypto map CMAP
```

![](/files/-MQRK22JT1Voh_Q_l_35)
{% endtab %}
{% endtabs %}

#### Test

{% tabs %}
{% tab title="R1" %}

```
do ping 192.168.20.1 source 192.168.10.1
```

![](/files/-MQSB8Pb0WI4YncD9buw)
{% endtab %}
{% endtabs %}
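
A check for the IKE and IPsec settings used in this section, as an added example that is not part of the original notes: it scans an IOS configuration for widely deprecated algorithms (DES/3DES, MD5, Diffie-Hellman groups 1, 2 and 5) and for a crypto-map peer that has no matching pre-shared key. `SAMPLE_R1` is constructed from the R1 commands above with the key address deliberately mistyped; the function and variable names are illustrative.

```python
import re

# IKE phase 1 keywords that are widely deprecated; {0} is the matched value.
WEAK_IKE = {
    r"encr\S*\s+(3des|des)\b": "IKE encryption {0}",
    r"hash\s+(md5)\b": "IKE hash {0}",
    r"group\s+(1|2|5)\b": "IKE Diffie-Hellman group {0}",
}

def audit(config):
    """Return sorted findings for one router's IKEv1/IPsec configuration."""
    findings, keyed, peers = set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip().lower()
        # IOS accepts abbreviations, so "add" and "address" both match.
        key = re.match(r"crypto isakmp key\s+.*\badd\S*\s+(\S+)", line)
        peer = re.match(r"set peer\s+(\S+)", line)
        if key:
            keyed.add(key.group(1))
        elif peer:
            peers.add(peer.group(1))
        elif line.startswith("crypto ipsec transform-set"):
            for transform in line.split()[4:]:
                if re.search(r"3des|des|md5", transform):
                    findings.add(f"weak transform {transform}")
        else:
            for pattern, label in WEAK_IKE.items():
                hit = re.match(pattern, line)
                if hit:
                    findings.add(label.format(hit.group(1)))
    if "0.0.0.0" not in keyed:  # a wildcard key would cover every peer
        findings.update(f"no pre-shared key for peer {p}" for p in peers - keyed)
    return sorted(findings)

# Constructed sample: R1's commands from this section, key address mistyped.
SAMPLE_R1 = """
crypto isakmp policy 1
 encryption aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ccie address 192.168.32.2
crypto ipsec transform-set TS esp-3des ah-sha-hmac
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.23.2
 set transform-set TS
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_R1)))
```
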

### GRE over IPsec vs IPSec over GRE

#### GRE over IPsec Configuration

![](/files/-MQNHVO275_LBTxqc8Ec)

{% tabs %}
{% tab title="R1" %}

> #### Network Configuration

```
int lo 0
 ip add 1.1.1.1 255.255.255.0
 no shut
int e0/0
 ip add 192.168.13.1 255.255.255.0
 no shut
 exit
ip route 192.168.23.0 255.255.255.0 192.168.13.3
```

![](/files/-MQYEYXjGgmDxcTOEQNN)

```
do ping 192.168.23.2 source 192.168.13.1
do ping 2.2.2.2 source 1.1.1.1
```

![](/files/-MQYELjO6Yxb3f_re8L7)

> #### Configure Interesting Traffic

```
ip access-list extended IPSEC_TUNNEL
 permit ip host 192.168.13.1 host 192.168.23.2
```

> #### Configure IPsec

```
crypto isakmp key ccie add 192.168.23.2
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
 exit
crypto ipsec transform-set TS esp-3des
 exit
crypto map GRE_OVER_IPSEC 10 ipsec-isakmp
 set peer 192.168.23.2
 set transform-set TS
 match add IPSEC_TUNNEL
```

> #### Apply the Crypto Map to the Interface

```
int e0/0
 crypto map GRE_OVER_IPSEC
```

> #### Configure the GRE Tunnel

```
int tunnel 0
 ip add 172.16.12.1 255.255.255.0
 tunnel source e0/0
 tunnel destination 192.168.23.2
```

![](/files/-MQYF-IVIebhVKMWXYuG)

> #### Test

```
do ping 172.16.12.2 source 172.16.12.1
do sh crypto ipsec sa
```

![](/files/-MQYGBhmXdFaTY1P6XT-)

> #### Configure the Routing Protocol

```
router eigrp 1
 no auto-summary
 net 172.16.12.0 0.0.0.255
 net 1.1.1.0 0.0.0.255
```

> #### Check Neighbors

```
do sh ip eigrp nei
do ping 2.2.2.2 source 1.1.1.1
```

![](/files/-MQYGVU8f6s1Fscre1df)
{% endtab %}

{% tab title="R2" %}

> #### Network Configuration

```
int lo 0
 ip add 2.2.2.2 255.255.255.0
 no shut
int e0/0
 ip add 192.168.23.2 255.255.255.0
 no shut
 exit
ip route 192.168.13.0 255.255.255.0 192.168.23.3
```

![](/files/-MQYFJRgnJUNyDXhU5n9)

> #### Configure Interesting Traffic

```
ip access-list extended IPSEC_TUNNEL
 permit ip host 192.168.23.2 host 192.168.13.1
```

> #### Configure IPsec

```
crypto isakmp key ccie add 192.168.13.1
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
 exit
crypto ipsec transform-set TS esp-3des
 exit
crypto map GRE_OVER_IPSEC 10 ipsec-isakmp
 set peer 192.168.13.1
 set transform-set TS
 match add IPSEC_TUNNEL
```

> #### Apply the Crypto Map to the Interface

```
int e0/0
 crypto map GRE_OVER_IPSEC
```

> #### Configure the GRE Tunnel

```
int tunnel 0
 ip add 172.16.12.2 255.255.255.0
 tunnel source e0/0
 tunnel destination 192.168.13.1
```

> #### Configure the Routing Protocol

```
router eigrp 1
 no auto-summary
 net 172.16.12.0 0.0.0.255
 net 2.2.2.0 0.0.0.255
```

![](/files/-MQYFr37ykOS9MkTTLtp)
{% endtab %}

{% tab title="R3" %}

> #### Network Configuration

```
int e0/0
 ip add 192.168.13.3 255.255.255.0
 no shut
int e0/1
 ip add 192.168.23.3 255.255.255.0
 no shut
 exit
```

![](/files/-MQNU7Mi7JOTDqP7HfVO)
{% endtab %}
{% endtabs %}

#### IPSec over GRE Configuration

![](/files/-MQYMIzBiyDvi5pVKkyW)

{% tabs %}
{% tab title="R4" %}

> #### Network Configuration

```
int lo 0
 ip add 1.1.1.1 255.255.255.0
 no shut
int e0/0
 ip add 192.168.13.1 255.255.255.0
 no shut
 exit
ip route 192.168.23.0 255.255.255.0 192.168.13.3
```

> #### Configure the GRE Tunnel

```
int tunnel 0
 ip add 172.16.12.1 255.255.255.0
 tunnel source e0/0
 tunnel destination 192.168.23.2
```

![](/files/-MQYIGrYyyLQEj9bBVBz)

> #### Test

```
do ping 172.16.12.2 source 172.16.12.1
```

![](/files/-MQYM_RP8yYcxql6Ydx_)

> #### Configure the Routing Protocol

```
router eigrp 1
 no auto-summary
 net 172.16.12.0 0.0.0.255
 net 1.1.1.0 0.0.0.255
```

> #### Test

```
do sh ip eigrp nei
```

![](/files/-MQYN3CY6QZHKdWFE19N)

```
do ping 2.2.2.2 source 1.1.1.1
```

![](/files/-MQYQTF3suxPr3JK_6_y)

> #### Configure Interesting Traffic

```
ip access-list extended IPSEC_TUNNEL
 permit ip host 1.1.1.1 host 2.2.2.2
```

> #### Configure IPsec

```
crypto isakmp key ccie add 172.16.12.2
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
 exit
crypto ipsec transform-set TS esp-3des
 exit
crypto map IPSEC_OVER_GRE 10 ipsec-isakmp
 set peer 172.16.12.2
 set transform-set TS
 match add IPSEC_TUNNEL
```

> #### Apply the Crypto Map to the Tunnel Interface

```
int tunnel 0
 crypto map IPSEC_OVER_GRE
```

![](/files/-MQYNdlD2Uk9FAvaBGM2)

> #### Test

```
do ping 2.2.2.2 source 1.1.1.1
do sh crypto ipsec sa
```

![](/files/-MQYQi7Bz03Iks3yLyJX)
{% endtab %}

{% tab title="R5" %}

> #### Network Configuration

```
int lo 0
 ip add 2.2.2.2 255.255.255.0
 no shut
int e0/0
 ip add 192.168.23.2 255.255.255.0
 no shut
 exit
ip route 192.168.13.0 255.255.255.0 192.168.23.3
```

> #### Configure the GRE Tunnel

```
int tunnel 0
 ip add 172.16.12.2 255.255.255.0
 tunnel source e0/0
 tunnel destination 192.168.13.1
```

![](/files/-MQYHyLLDMzUC24sK19Q)

> #### Configure the Routing Protocol

```
router eigrp 1
 no auto-summary
 net 172.16.12.0 0.0.0.255
 net 2.2.2.0 0.0.0.255
```

> #### Configure Interesting Traffic

```
ip access-list extended IPSEC_TUNNEL
 permit ip host 2.2.2.2 host 1.1.1.1
```

> #### Configure IPsec

```
crypto isakmp key ccie add 172.16.12.1
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
 exit
crypto ipsec transform-set TS esp-3des
 exit
crypto map IPSEC_OVER_GRE 10 ipsec-isakmp
 set peer 172.16.12.1
 set transform-set TS
 match add IPSEC_TUNNEL
```

> #### Apply the Crypto Map to the Tunnel Interface

```
int tunnel 0
 crypto map IPSEC_OVER_GRE
```

![](/files/-MQYR7v7_cR0ww1O8p8E)
{% endtab %}

{% tab title="R6" %}

> #### Network Configuration

```
int e0/0
 ip add 192.168.13.3 255.255.255.0
 no shut
int e0/1
 ip add 192.168.23.3 255.255.255.0
 no shut
 exit
```

![](/files/-MQYHkJqqQEVP9XPVyz_)
{% endtab %}
{% endtabs %}
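
The difference between the two designs, as an added example that is not part of the original notes: a small model of what the router with loopback 1.1.1.1 puts on the wire for a packet routed into tunnel 0, using the lab's addresses and crypto ACLs. It assumes the default tunnel-mode transform set; the function and variable names are illustrative.

```python
from ipaddress import ip_address

# Addresses from this lab: physical endpoints and GRE tunnel IPs.
PHYS = ("192.168.13.1", "192.168.23.2")
TUN = ("172.16.12.1", "172.16.12.2")

DESIGNS = {
    # Crypto map on e0/0; the ACL matches the GRE packet between physical IPs.
    "gre_over_ipsec": {"acl": PHYS, "crypto_on": "physical"},
    # Crypto map on tunnel 0; the ACL matches only loopback-to-loopback traffic.
    "ipsec_over_gre": {"acl": ("1.1.1.1", "2.2.2.2"), "crypto_on": "tunnel"},
}

def acl_hit(acl, src, dst):
    """'permit ip host A host B' matches exactly one source/destination pair."""
    return (ip_address(src), ip_address(dst)) == tuple(map(ip_address, acl))

def wire_layers(design, src, dst, payload):
    """Header stack, outermost first, for a packet routed into tunnel 0."""
    d = DESIGNS[design]
    inner = [f"IP {src}>{dst}", payload]
    if d["crypto_on"] == "tunnel" and acl_hit(d["acl"], src, dst):
        # IPsec runs first, between the tunnel IPs; GRE then wraps the ESP packet.
        inner = [f"IP {TUN[0]}>{TUN[1]}", "ESP(encrypted)"]
    gre = [f"IP {PHYS[0]}>{PHYS[1]}", "GRE"] + inner
    if d["crypto_on"] == "physical" and acl_hit(d["acl"], *PHYS):
        # GRE runs first; the crypto map on e0/0 then encrypts the whole GRE packet.
        return [f"IP {PHYS[0]}>{PHYS[1]}", "ESP(encrypted)"]
    return gre

def cleartext(design, src, dst, payload):
    """True when the inner packet is readable on the path between the routers."""
    return "ESP(encrypted)" not in wire_layers(design, src, dst, payload)

if __name__ == "__main__":
    for name in DESIGNS:
        for flow in (("1.1.1.1", "2.2.2.2", "ICMP"), ("172.16.12.1", "224.0.0.10", "EIGRP")):
            print(name, flow, " / ".join(wire_layers(name, *flow)))
```

In the IPsec over GRE design only the loopback-to-loopback flow matches the crypto ACL, so EIGRP hellos and any other tunnel traffic cross the transit router inside cleartext GRE.
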


