Full configuration of a static multi-point VPN: an enterprise intranet interconnection solution for company XX

Source: Internet
Author: User
Tags: hmac

Recently I deployed an enterprise intranet for a company, so I set up a test environment and am sharing the test results with you.
I. Purpose:
The XXX enterprise consists of a Beijing head office, a Shanghai branch and a Shenzhen branch. Each site reaches the public network through NAT, and the requirement is that the sites spread across the country can also communicate with each other over the intranet using their private addresses. In the topology below, R1 peers with both R3 and R4 and relays traffic between them, so it acts as the hub of the static multi-point VPN.
II. Experiment Topology:

[Figure: experiment topology (image: http://www.bkjia.com/uploads/allimg/131227/0R22T324-0.jpg)]



III. Experiment Configuration:
1: Basic Interface Configuration

R1(config)# interface f0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface f1/0
R1(config-if)# ip address 12.0.0.1 255.255.255.0
R1(config-if)# no shutdown

R2(config)# interface f1/0
R2(config-if)# ip address 12.0.0.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface f0/0
R2(config-if)# ip address 23.0.0.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface f2/0
R2(config-if)# ip address 24.0.0.2 255.255.255.0
R2(config-if)# no shutdown

R3(config)# interface f0/0
R3(config-if)# ip address 23.0.0.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface f1/0
R3(config-if)# ip address 192.168.2.1 255.255.255.0
R3(config-if)# no shutdown

R4(config)# interface f1/0
R4(config-if)# ip address 24.0.0.4 255.255.255.0
R4(config-if)# no shutdown
R4(config-if)# interface f0/0
R4(config-if)# ip address 192.168.3.1 255.255.255.0
R4(config-if)# no shutdown

2: NAT and Route Configuration:
Each site reaches the Internet with PAT on its WAN interface. The deny entries in the NAT ACLs exclude site-to-site traffic from translation: IOS applies inside-to-outside NAT before it evaluates the crypto map, so without them the LAN source address would be rewritten to the WAN address and the packet would never match the crypto ACL.

R1(config)# interface f0/0
R1(config-if)# ip nat inside
R1(config-if)# interface f1/0
R1(config-if)# ip nat outside
R1(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 any
R1(config)# ip nat inside source list 101 interface f1/0 overload
R1(config)# ip route 0.0.0.0 0.0.0.0 12.0.0.2

R3(config)# interface f0/0
R3(config-if)# ip nat outside
R3(config-if)# interface f1/0
R3(config-if)# ip nat inside
R3(config)# access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)# access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
R3(config)# access-list 101 permit ip 192.168.2.0 0.0.0.255 any
R3(config)# ip nat inside source list 101 interface f0/0 overload
R3(config)# ip route 0.0.0.0 0.0.0.0 23.0.0.2

R4(config)# interface f1/0
R4(config-if)# ip nat outside
R4(config-if)# interface f0/0
R4(config-if)# ip nat inside
R4(config-if)# exit
R4(config)# access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R4(config)# access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
R4(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any
R4(config)# ip nat inside source list 101 interface f1/0 overload
R4(config)# ip route 0.0.0.0 0.0.0.0 24.0.0.2

3: VPN Configuration:
R1 is the hub: it holds one crypto map entry per spoke, and each of its crypto ACLs lists both the hub LAN and the other spoke's LAN as sources, so spoke-to-spoke traffic is decrypted on R1 and re-encrypted toward the other spoke. Each spoke's crypto ACL must be the exact mirror image of the hub's entries for that peer; otherwise IKE Phase 2 fails with mismatched proxy identities.

R1(config)# ip access-list extended R1-to-R3
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config-ext-nacl)# permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

R1(config)# ip access-list extended R1-to-R4
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes
R1(config-isakmp)# hash md5
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key 6 R1-to-R3 address 23.0.0.3
R1(config)# crypto isakmp key 6 R1-to-R4 address 24.0.0.4

R1(config)# crypto ipsec transform-set mytrans esp-aes esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel
R1(cfg-crypto-trans)# exit

R1(config)# crypto map mymap 1 ipsec-isakmp
R1(config-crypto-map)# match address R1-to-R3
R1(config-crypto-map)# set peer 23.0.0.3
R1(config-crypto-map)# set transform-set mytrans

R1(config)# crypto map mymap 2 ipsec-isakmp
R1(config-crypto-map)# match address R1-to-R4
R1(config-crypto-map)# set peer 24.0.0.4
R1(config-crypto-map)# set transform-set mytrans

R1(config-crypto-map)# interface f1/0
R1(config-if)# crypto map mymap

R3(config)# ip access-list extended R3-to-R1
R3(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
R3(config-ext-nacl)# exit

R3(config)# crypto isakmp policy 1
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes
R3(config-isakmp)# hash md5
R3(config-isakmp)# group 2
R3(config-isakmp)# exit

R3(config)# crypto isakmp key 6 R1-to-R3 address 12.0.0.1
R3(config)# crypto ipsec transform-set mytrans esp-aes esp-md5-hmac
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit

R3(config)# crypto map mymap 1 ipsec-isakmp
R3(config-crypto-map)# match address R3-to-R1
R3(config-crypto-map)# set transform-set mytrans
R3(config-crypto-map)# set peer 12.0.0.1

R3(config)# interface f0/0
R3(config-if)# crypto map mymap

R4(config)# ip access-list extended R4-to-R1
R4(config-ext-nacl)# permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R4(config-ext-nacl)# permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
R4(config-ext-nacl)# exit

R4(config)# crypto isakmp policy 1
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# encryption aes
R4(config-isakmp)# hash md5
R4(config-isakmp)# group 2
R4(config-isakmp)# exit
R4(config)# crypto isakmp key 6 R1-to-R4 address 12.0.0.1

R4(config)# crypto ipsec transform-set mytrans esp-aes esp-md5-hmac
R4(cfg-crypto-trans)# mode tunnel
R4(cfg-crypto-trans)# exit

R4(config)# crypto map mymap 10 ipsec-isakmp
R4(config-crypto-map)# match address R4-to-R1
R4(config-crypto-map)# set transform-set mytrans
R4(config-crypto-map)# set peer 12.0.0.1

R4(config-crypto-map)# interface f1/0
R4(config-if)# crypto map mymap
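As an added example (not part of the original post), the following Python script encodes the two checks that matter for this kind of static hub-and-spoke setup: that every crypto ACL entry has its mirror image on the peer, and that each router's NAT ACL denies the site-to-site traffic before its permit. The ACL lines are copied from the configuration above; the ROUTERS table layout, the function names and the tuple shapes they return are this example's own.

```python
"""Consistency checks for the static hub-and-spoke IPsec lab above.

Two defects that break such a setup silently are checked:
  1. crypto ACLs that are not mirror images between a pair of peers
     (IKE Phase 2 then fails on mismatched proxy identities);
  2. a NAT ACL that would translate site-to-site traffic because the
     deny entries are missing or come after the permit.
The ACL lines are copied from the configuration above; the ROUTERS table
layout and the function names are this example's own.
"""
import ipaddress

ROUTERS = {
    "R1": {"wan": "12.0.0.1", "lan": "192.168.1.0/24",
           "nat_acl": ["deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
                       "deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
                       "permit ip 192.168.1.0 0.0.0.255 any"],
           # peer WAN address -> crypto ACL matched by the crypto map entry for that peer
           "crypto": {"23.0.0.3": ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
                                   "permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255"],
                      "24.0.0.4": ["permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
                                   "permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255"]}},
    "R3": {"wan": "23.0.0.3", "lan": "192.168.2.0/24",
           "nat_acl": ["deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
                       "deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
                       "permit ip 192.168.2.0 0.0.0.255 any"],
           "crypto": {"12.0.0.1": ["permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
                                   "permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255"]}},
    "R4": {"wan": "24.0.0.4", "lan": "192.168.3.0/24",
           "nat_acl": ["deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
                       "deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
                       "permit ip 192.168.3.0 0.0.0.255 any"],
           "crypto": {"12.0.0.1": ["permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
                                   "permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255"]}},
}


def _address(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src_net, dst_net)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        action, rest = tokens[0], tokens[2:]
        src = _address(rest)
        dst = _address(rest)
        entries.append((action, src, dst))
    return entries


def mirror_mismatches(routers):
    """Crypto ACL permits that the peer's ACL towards us does not mirror."""
    by_wan = {r["wan"]: name for name, r in routers.items()}
    problems = []
    for name, r in routers.items():
        for peer_wan, acl in r["crypto"].items():
            peer = by_wan[peer_wan]
            peer_acl = routers[peer]["crypto"].get(r["wan"], [])
            mirror = {(s, d) for a, s, d in parse_acl(peer_acl) if a == "permit"}
            for action, src, dst in parse_acl(acl):
                if action == "permit" and (dst, src) not in mirror:
                    problems.append((name, peer, str(src), str(dst)))
    return problems


def nat_leaks(routers):
    """Crypto ACL permits whose packets the NAT ACL would translate first.

    Only flows sourced from the router's own LAN travel inside->outside; the
    transit flows the hub relays arrive and leave on the outside interface
    and are not subject to inside-source NAT.
    """
    leaks = []
    for name, r in routers.items():
        lan = ipaddress.ip_network(r["lan"])
        nat = parse_acl(r["nat_acl"])
        for acl in r["crypto"].values():
            for action, src, dst in parse_acl(acl):
                if action != "permit" or src != lan:
                    continue
                for nat_action, nsrc, ndst in nat:  # first match wins, as in IOS
                    if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                        if nat_action == "permit":
                            leaks.append((name, str(src), str(dst)))
                        break
    return leaks


if __name__ == "__main__":
    print("crypto ACL mismatches:", mirror_mismatches(ROUTERS) or "none")
    print("NAT leaks:", nat_leaks(ROUTERS) or "none")
```

Run against the lab configuration both checks come back empty. Drop the second entry from R4-to-R1 and the script reports that R1's 192.168.2.0/24 to 192.168.3.0/24 entry toward R4 has no mirror; remove the deny lines from a NAT ACL and it reports which site-to-site flows would be translated before reaching the crypto map.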

4: Test:
VPCS 1> sho ip int B

NAME   IP/CIDR           GATEWAY        LPORT   RPORT
PC1    192.168.1.2/24    192.168.1.1    10001   11100
PC2    192.168.2.2/24    192.168.2.1    10002   11310
PC3    192.168.3.2/24    192.168.3.1    10003   11400
PC4    0.0.0.0/0         0.0.0.0        10004   30003
PC5    0.0.0.0/0         0.0.0.0        10005   30004
PC6    0.0.0.0/0         0.0.0.0        10006   30005
PC7    0.0.0.0/0         0.0.0.0        10007   30006
PC8    0.0.0.0/0         0.0.0.0        10008   30007
PC9    0.0.0.0/0         0.0.0.0        10009   30008

VPCS 1> ping 192.168.2.2
192.168.2.2 icmp_seq=1 time=188.000 ms
192.168.2.2 icmp_seq=2 time=172.000 ms
192.168.2.2 icmp_seq=3 time=188.000 ms
192.168.2.2 icmp_seq=4 time=188.000 ms
192.168.2.2 icmp_seq=5 time=172.000 ms

VPCS 1> ping 192.168.3.2
192.168.3.2 icmp_seq=1 time=188.000 ms
192.168.3.2 icmp_seq=2 time=172.000 ms
192.168.3.2 icmp_seq=3 time=171.000 ms
192.168.3.2 icmp_seq=4 time=203.000 ms
192.168.3.2 icmp_seq=5 time=172.000 ms

R1# show crypto isakmp sa
dst             src             state          conn-id slot status
24.0.0.4        12.0.0.1        QM_IDLE              2    0 ACTIVE
12.0.0.1        23.0.0.3        QM_IDLE              1    0 ACTIVE


R1# show crypto ipsec sa

interface: FastEthernet1/0
    Crypto map tag: mymap, local addr 12.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 23.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 23.0.0.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x98B8F0B2(2562257074)

     inbound esp sas:
      spi: 0x7D92B7A1(2106767265)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4557387/2955)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x98B8F0B2(2562257074)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4557387/2954)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 24.0.0.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 24.0.0.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x50BAFCC3(1354431683)

     inbound esp sas:
      spi: 0xACEA01A8(2901017000)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4394896/3482)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x50BAFCC3(1354431683)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4394896/3482)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 24.0.0.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 24.0.0.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 23.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 23.0.0.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
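Reading the output above by eye is error-prone once there are more than a couple of flows, so here is an added example (not part of the original post) that parses `show crypto ipsec sa` and classifies each flow. The sample text is a trimmed copy of the R1 output above, keeping only the lines the parser reads; the status labels ("ok", "idle", "one-way", "no-sa") and the function names are this example's own convention. On this lab it shows the two hub-to-spoke flows healthy, the R4 flow with two send errors, and both spoke-to-spoke flows without any SA at all.

```python
"""Parse `show crypto ipsec sa` and flag flows that carry no traffic.

SAMPLE is a trimmed copy of the R1 output above (only the lines the parser
reads were kept); the status labels are this example's own convention.
"""
import ipaddress
import re

SAMPLE = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 23.0.0.3 port 500
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #send errors 0, #recv errors 0
     current outbound spi: 0x98B8F0B2(2562257074)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 24.0.0.4 port 500
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #send errors 2, #recv errors 0
     current outbound spi: 0x50BAFCC3(1354431683)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 24.0.0.4 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 23.0.0.3 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

# One regex per field; all are matched case-insensitively so that copies
# with altered capitalisation (as in the page text above) still parse.
FIELDS = {
    "local": r"local\s+ident.*?\(([\d.]+/[\d.]+)/",
    "remote": r"remote\s+ident.*?\(([\d.]+/[\d.]+)/",
    "peer": r"current_peer\s+([\d.]+)",
    "encaps": r"#\s*pkts encaps:\s*(\d+)",
    "decaps": r"#\s*pkts decaps:\s*(\d+)",
    "send_errors": r"#\s*send errors\s+(\d+)",
    "spi": r"current outbound spi:\s*(0x[0-9a-f]+)",
}


def classify(flow):
    """Label one flow from its SPI and packet counters."""
    if flow["spi"] == 0:
        return "no-sa"     # Phase 2 was never negotiated for this proxy pair
    if flow["encaps"] == 0 and flow["decaps"] == 0:
        return "idle"      # SA exists but has carried nothing yet
    if flow["encaps"] == 0 or flow["decaps"] == 0:
        return "one-way"   # traffic in one direction only: routing or ACL asymmetry
    return "ok"


def parse_ipsec_sa(text):
    """Split the output into per-flow blocks and extract the fields above."""
    flows = []
    for chunk in re.split(r"(?im)^\s*protected vrf:", text)[1:]:
        flow = {}
        for key, pattern in FIELDS.items():
            match = re.search(pattern, chunk, re.I)
            if not match:
                raise ValueError(f"field {key!r} not found in SA block")
            flow[key] = match.group(1)
        for key in ("local", "remote"):      # a.b.c.d/netmask -> CIDR string
            flow[key] = str(ipaddress.ip_network(flow[key]))
        for key in ("encaps", "decaps", "send_errors"):
            flow[key] = int(flow[key])
        flow["spi"] = int(flow["spi"], 16)
        flow["status"] = classify(flow)
        flows.append(flow)
    return flows


def needs_attention(flows):
    """Flows worth a look: anything not 'ok', plus flows with send errors."""
    return [f for f in flows if f["status"] != "ok" or f["send_errors"]]


if __name__ == "__main__":
    for f in parse_ipsec_sa(SAMPLE):
        print(f"{f['local']:>16} -> {f['remote']:<16} peer {f['peer']:<10} "
              f"{f['encaps']:>4}/{f['decaps']:<4} err {f['send_errors']}  {f['status']}")
```

The "no-sa" result for the two spoke-to-spoke proxy pairs is the important one here: the hub's crypto map entries exist, but no SA has been negotiated for them because no traffic between 192.168.2.0/24 and 192.168.3.0/24 was generated during the test.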
 

IV. Experiment Summary:

The test results meet the enterprise's requirement: PC1 reaches both remote LANs through the encrypted tunnels, and `show crypto ipsec sa` on R1 shows packets encrypted and decrypted on both hub-to-spoke flows. Note that the two spoke-to-spoke flows (192.168.2.0/24 and 192.168.3.0/24 in either direction) still show zero packets and an outbound SPI of 0x0, so the relayed path through R1 was not exercised by these pings; a ping from PC2 to PC3 is needed to confirm it. Two caveats before using this in production: the lab uses MD5 for the ISAKMP hash and for ESP integrity, Diffie-Hellman group 2 and descriptive pre-shared keys, so prefer SHA-2, group 14 or higher and long random keys; and with static crypto maps every new site needs an additional crypto map entry and ACL on the hub, so if the company has more sites nationwide, dynamic multipoint VPN (DMVPN) or MPLS VPN is recommended instead.

Both static multi-point VPN and DMVPN are deployed by the enterprise itself on its own routers and carry no additional carrier fee. MPLS VPN is a paid carrier service but offers higher transmission efficiency, so choose the solution that fits the actual requirements when deploying the enterprise intranet.

This article is from the "HoltZhang" blog; reproduction is not permitted.
