How to make the VPN routing table and the IPv4 public routing table reachable from each other on an AR device

Published: 2015-04-08
Problem Description

Problem: how can an AR device make the VPN routing table and the IPv4 routing table reachable from each other?

The topology and IP addresses are shown in the figure:

[Figure: topology diagram]

The initial configuration of the AR device is as follows:

ip vpn-instance pc1

 ipv4-family

  route-distinguisher 1:1

  vpn-target 1:1 export-extcommunity

  vpn-target 1:1 import-extcommunity

interface GigabitEthernet0/0/1

 ip binding vpn-instance pc1

 ip address 192.168.100.254 255.255.255.0 

#

interface GigabitEthernet0/0/2

 ip address 10.10.10.254 255.255.255.0 

Test from PC1:

C:\Users>ping 192.168.100.254

  PING 192.168.100.254: 56  data bytes, press CTRL_C to break

    Reply from 192.168.100.254: bytes=56 Sequence=1 ttl=255 time=1 ms

    Reply from 192.168.100.254: bytes=56 Sequence=2 ttl=255 time=1 ms

    Reply from 192.168.100.254: bytes=56 Sequence=3 ttl=255 time=1 ms

    Reply from 192.168.100.254: bytes=56 Sequence=4 ttl=255 time=1 ms

    Reply from 192.168.100.254: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 192.168.100.254 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 1/1/1 ms

C:\Users>ping 10.10.10.10

  PING 10.10.10.10: 56  data bytes, press CTRL_C to break

    Request time out

    Request time out

    Request time out

    Request time out

    Request time out

  --- 10.10.10.10 ping statistics ---

    5 packet(s) transmitted

    0 packet(s) received

    100.00% packet loss


Ping test from PC2:

C:\>ping 10.10.10.254

  PING 10.10.10.254: 56  data bytes, press CTRL_C to break

    Reply from 10.10.10.254: bytes=56 Sequence=1 ttl=255 time=1 ms

    Reply from 10.10.10.254: bytes=56 Sequence=2 ttl=255 time=1 ms

    Reply from 10.10.10.254: bytes=56 Sequence=3 ttl=255 time=1 ms

    Reply from 10.10.10.254: bytes=56 Sequence=4 ttl=255 time=1 ms

    Reply from 10.10.10.254: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.10.10.254 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 1/1/1 ms

C:\>ping 192.168.100.10

  PING 192.168.100.10: 56  data bytes, press CTRL_C to break

    Request time out

    Request time out

    Request time out

    Request time out

    Request time out

  --- 192.168.100.10 ping statistics ---

    5 packet(s) transmitted

    0 packet(s) received

    100.00% packet loss

Handling Process

IPv4 public routing table of the AR device:

<R1>display ip routing-table 

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 7        Routes : 7        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     10.10.10.0/24  Direct  0    0           D   10.10.10.254    GigabitEthernet0/0/2

   10.10.10.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/2

   10.10.10.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/2

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Routing table of VPN instance pc1 on the AR device:

<R1>display ip routing-table vpn-instance pc1

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: pc1

         Destinations : 4        Routes : 4        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

192.168.100.0/24  Direct  0    0             D   192.168.100.254 GigabitEthernet0/0/1

192.168.100.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1

192.168.100.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1

255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

The routing tables show that VPN instance pc1 has no route to 10.10.10.0/24 and the IPv4 public routing table has no route to 192.168.100.0/24, so PC1 and PC2 cannot reach each other.

Add the following routes on the AR device:

ip route-static 192.168.100.0 255.255.255.0 vpn-instance pc1 192.168.100.10 // route from IPv4 (public) to the VPN

ip route-static vpn-instance pc1 10.10.10.0 255.255.255.0 10.10.10.10 public // route from the VPN to IPv4 (public); the keyword "public" must be added here

Test from PC1 and PC2:

C:\Users>ping 10.10.10.10

  PING 10.10.10.10: 56  data bytes, press CTRL_C to break

    Reply from 10.10.10.10: bytes=56 Sequence=1 ttl=128 time=1 ms

    Reply from 10.10.10.10: bytes=56 Sequence=2 ttl=128 time=10 ms

    Reply from 10.10.10.10: bytes=56 Sequence=3 ttl=128 time=1 ms

    Reply from 10.10.10.10: bytes=56 Sequence=4 ttl=128 time=10 ms

    Reply from 10.10.10.10: bytes=56 Sequence=5 ttl=128 time=10 ms

  --- 10.10.10.10 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 1/6/10 ms

C:\>ping 192.168.100.10

  PING 192.168.100.10: 56  data bytes, press CTRL_C to break

    Reply from 192.168.100.10: bytes=56 Sequence=1 ttl=128 time=1 ms

    Reply from 192.168.100.10: bytes=56 Sequence=2 ttl=128 time=1 ms

    Reply from 192.168.100.10: bytes=56 Sequence=3 ttl=128 time=10 ms

    Reply from 192.168.100.10: bytes=56 Sequence=4 ttl=128 time=10 ms

    Reply from 192.168.100.10: bytes=56 Sequence=5 ttl=128 time=10 ms

  --- 192.168.100.10 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 1/6/10 ms

Check the routing tables again:

<R1>display ip routing-table 

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 8        Routes : 8        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     10.10.10.0/24  Direct  0    0           D   10.10.10.254    GigabitEthernet0/0/2

   10.10.10.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/2

   10.10.10.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/2

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

  192.168.100.0/24  Static  60   0          RD   192.168.100.10  GigabitEthernet0/0/1

255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

<R1>display ip routing-table vpn-instance pc1

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: pc1

         Destinations : 5        Routes : 6        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     10.10.10.0/24  Static  60   0          RD   10.10.10.10     GigabitEthernet0/0/2

  192.168.100.0/24  Direct  0    0           D   192.168.100.254 GigabitEthernet0/0/1

192.168.100.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1

192.168.100.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1

255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0



Root Cause

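PC1 and PC2 cannot communicate because their traffic is forwarded based on different routing tables, and the two tables are isolated from each other. Static routes must be added manually so that both routing tables have a route to the destination network segment.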

The routes are added as follows:

Private network (VPN) to public network (IPv4): ip route-static vpn-instance vpn-source-name destination-address mask nexthop-address public

Public network (IPv4) to private network (VPN): ip route-static destination-address mask vpn-instance vpn-source-name nexthop-address
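
Because these two static routes are what removes the isolation between a VPN instance and the public routing table, a configuration review should be able to list every place they occur. The following is an added example, not part of the original article: a Python check that scans a saved configuration for both route forms shown above. The function name, the sample configuration (including the third, ordinary route) and the acceptance of a bare mask length are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the article's two static routes plus one ordinary route.
SAMPLE_CONFIG = """\
ip vpn-instance pc1
interface GigabitEthernet0/0/1
 ip binding vpn-instance pc1
 ip address 192.168.100.254 255.255.255.0
ip route-static 192.168.100.0 255.255.255.0 vpn-instance pc1 192.168.100.10
ip route-static vpn-instance pc1 10.10.10.0 255.255.255.0 10.10.10.10 public
ip route-static 172.16.0.0 255.255.0.0 10.10.10.1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
MASK = r"(\d+\.\d+\.\d+\.\d+|\d+)"  # dotted mask as on the page; bare length is an assumption
# Private (VPN) -> public: source instance first, keyword "public" last.
VPN_TO_PUBLIC = re.compile(rf"^ip route-static vpn-instance (\S+) {IP} {MASK} {IP} public$")
# Public -> private (VPN): the next hop is looked up inside the named instance.
PUBLIC_TO_VPN = re.compile(rf"^ip route-static {IP} {MASK} vpn-instance (\S+) {IP}$")


def find_route_leaks(config_text):
    """Return one dict per static route that crosses the VPN/public boundary."""
    leaks = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and runs of spaces
        m = VPN_TO_PUBLIC.match(line)
        if m:
            vpn, dest, mask, nexthop = m.groups()
            direction = "vpn->public"
        else:
            m = PUBLIC_TO_VPN.match(line)
            if not m:
                continue  # not a cross-table static route
            dest, mask, vpn, nexthop = m.groups()
            direction = "public->vpn"
        prefix = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        leaks.append({"direction": direction, "vpn": vpn,
                      "prefix": str(prefix), "nexthop": nexthop})
    return leaks


if __name__ == "__main__":
    for leak in find_route_leaks(SAMPLE_CONFIG):
        print(leak)
```

Each reported prefix is a network that is reachable across the boundary, so the output can be compared against the list of segments that are meant to be shared.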
