20201209 cisco VRF & OSPF

課堂資料

Virtual routing and forwardingWikipedia

https://kknews.cc/zh-tw/code/4j9pp6q.htmlkknews.cc

NAT 網路位址轉換 - Jan Ho 的網絡世界Jan Ho 的網絡世界

Virtual Routing and Forwarding

Virtual Routing and Forwarding(VRF)：虛擬路由和轉發，為第三層的網路虛擬化。

課堂練習

VRF

R1 ( Blue 01 )

int e0/0

ip add 192.168.1.1 255.255.255.0

no shut

exit

R2 ( Red 01 )

int e0/0

ip add 192.168.2.1 255.255.255.0

no shut

exit

R3 ( Blue 02 )

int e0/0

ip add 192.168.3.1 255.255.255.0

no shut

exit

R4 ( Red 02 )

int e0/0

ip add 192.168.4.1 255.255.255.0

no shut

exit

R5 ( ISP )

創建這些 VRF

ip vrf Blue

exit

ip vrf Red

exit

使用ip vrf forwarding命令將接口分配給正確的 VRF

int e0/0

ip vrf forwarding Blue

ip add 192.168.1.2 255.255.255.0

no shut

int e0/1

ip vrf forwarding Red

ip add 192.168.2.2 255.255.255.0

no shut

int e0/2

ip vrf forwarding Blue

ip add 192.168.3.2 255.255.255.0

no shut

int e0/3

ip vrf forwarding Red

ip add 192.168.4.2 255.255.255.0

no shut

看看 ISP 路由器的全局路由表

do sh ip ro connected

檢查 VRF 路由表

do sh ip ro vrf Blue

do sh ip ro vrf Red

do ping vrf Blue 192.168.1.1

配置靜態路由，則必須指定正確的 VRF。

R Blue 01有一個 IP 位址為 1.1.1.1 / 32 的環回接口。

我們在 ISP 路由器上創建一個靜態路由，以便我們可以訪問它

exit

ip route vrf Blue 1.1.1.1 255.255.255.255 192.168.1.1

do ping vrf Blue 1.1.1.1

ip route vrf Red 2.2.2.2 255.255.255.255 192.168.2.1

do ping vrf Red 2.2.2.2

ip route vrf Blue 3.3.3.3 255.255.255.255 192.168.3.1

do ping vrf Blue 3.3.3.3

ip route vrf Red 4.4.4.4 255.255.255.255 192.168.4.1

do ping vrf Red 4.4.4.4

do sh ip ro vrf Upper

OSPF

R1 ( Blue 01 )

router ospf 1

network 192.168.1.0 0.0.0.255 area 0

network 1.1.1.1 0.0.0.0 area 0

R2 ( Red 01 )

router ospf 1

network 192.168.2.0 0.0.0.255 area 0

network 2.2.2.2 0.0.0.0 area 0

R3 ( Blue 02 )

router ospf 1

network 192.168.3.0 0.0.0.255 area 0

network 3.3.3.3 0.0.0.0 area 0

R4 ( Red 02 )

router ospf 1

network 192.168.4.0 0.0.0.255 area 0

network 4.4.4.4 0.0.0.0 area 0

R5 ( ISP )

Blue

router ospf 1 vrf Blue

network 192.168.1.0 0.0.0.255 area 0

network 192.168.3.0 0.0.0.255 area 0

Red

router ospf 2 vrf Red

network 192.168.2.0 0.0.0.255 area 0

network 192.168.4.0 0.0.0.255 area 0

ISP 路由器上的 VRF 路由表現在的樣子

do sh ip ro vrf Blue ospf

do sh ip ro vrf Red ospf

• Dynamic NAT ( DAT )：Many to Many Mopping

• Port NAT ( PAT ) ：Many to 1

• Static NAT：1 to 1

Part 01.

R1

int e0/0

ip add 12.1.1.1 255.255.255.0

no shut

int lo1

ip add 192.168.1.1 255.255.255.0

no shut

int lo2

ip add 192.168.2.1 255.255.255.0

no shut

exit

ip route 0.0.0.0 0.0.0.0 12.1.1.2

do ping 12.1.1.2

do ping 23.1.1.3

do ping 23.1.1.3 source 192.168.1.1

do ping 23.1.1.3 source 192.168.2.1

ping 3.3.3.3 source 192.168.1.1

R2

int e0/0

ip add 12.1.1.2 255.255.255.0

no shut

int e0/1

ip add 23.1.1.2 255.255.255.0

no shut

exit

ip route 192.168.1.0 255.255.255.0 12.1.1.1

ip route 192.168.2.0 255.255.255.0 12.1.1.1

ip route 0.0.0.0 0.0.0.0 23.1.1.3

do ping 23.1.1.3

do ping 3.3.3.3

do ping 8.8.8.8

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 2 permit 192.168.2.0 0.0.0.255

ip nat pool DNAT 23.1.1.100 23.1.1.200 netmask 255.255.255.0

int e0/0

ip nat inside

int e0/1

ip nat outside

exit

ip nat inside source list 1 pool DNAT

ip nat inside source list 2 pool DNAT

exit

sh ip nat translations

sh ip nat statistics

conf t

no ip nat inside source list 1 pool DNAT

no ip nat inside source list 2 pool DNAT

ip nat pool PAT 23.1.1.2 23.1.1.2 netmask 255.255.255.0

ip nat inside source list 1 pool DNAT overload

ip nat inside source list 2 pool DNAT overload

exit

debug ip nat

R3

int e0/0

ip add 23.1.1.3 255.255.255.0

no shut

int lo1

ip add 3.3.3.3 255.255.255.255

no shut

int lo2

ip add 8.8.8.8 255.255.255.255

no shut

exit

do sh ip ro

conf t

line vty 0 4

password cisco

login

transport input telnet

Part 02.

Linux

ifconfig eth0 192.168.3.2/24

ip addr add 192.168.3.2/24 brd + dev eth0

ip route add default via 192.168.3.1

ping 192.168.3.1

ping 12.1.1.1

ping 12.1.1.2

ping 23.1.1.2

ip route add default 192.168.3.2/24 brd + dev eth0

wireshark

telnet 23.1.1.3

R1

conf t

int e0/1

ip add 192.168.3.1 255.255.255.0

no shut

R2

conf t

ip route 192.168.3.0 255.255.255.0 12.1.1.1

access-list 3 permit 192.168.3.0 0.0.0.255

ip nat inside source list 3 pool DNAT overload

R3

Part 03.

R1

int e0/0

ip add 12.1.1.1 255.255.255.0

no shut

exit

ip route 0.0.0.0 0.0.0.0 12.1.1.2

line vty 0 4

password cisco

login

transport input telnet

R2

int e0/0

ip add 12.1.1.2 255.255.255.0

no shut

int e0/1

ip add 23.1.1.2 255.255.255.0

no shut

exit

ip route 0.0.0.0 0.0.0.0 23.1.1.3

telnet 12.1.1.1

exit

int e0/0

ip nat inside

int e0/1

ip nat outside

exit

ip nat inside source static 12.1.1.1 23.1.1.10

do sh ip nat translations

R3

int e0/0

ip add 23.1.1.3 255.255.255.0

no shut

exit

do ping 23.1.1.2

telnet 23.1.1.10