Routing traffic from certain VLANs through a DMVPN [GNS3]

network engineering · cisco · routing · LAN · VPN · gns3
2022-02-14 17:41:03

I have the following setup in GNS3: [topology diagram]

There are other devices on the right, but they are not needed for now. I have a DMVPN with Router1 as the hub and Routers 2, 3 and 4 as spokes. On the switches, my user VLANs are configured as follows:

Switch 1 - VLAN10;

Switch 2 - VLAN20;

Switch 3 - VLAN30.

Everything works. Now I want to add configuration so that traffic from one VLAN (for example VLAN10) always goes through the tunnel, while traffic from the other VLANs (VLAN20 and VLAN30) does not. I have searched extensively but cannot find exactly what I am looking for. Can someone tell me the commands needed, or point me to a guide that describes this?

Thanks in advance.

PS: Router1's configuration:

Current configuration : 4080 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip icmp rate-limit unreachable
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.60.2
!
ip dhcp pool NEWPOOL1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
!
ip dhcp pool NEWPOOL2
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
!
ip dhcp pool NEWPOOL3
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 8.8.8.8
!
!
no ip domain lookup
ip domain name Router1.net
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$0HIq$mwZCmYYlKzNxi1qnQ6Hiq0
!
redundancy
!
!
ip tcp synwait-time 5
ip ssh version 2
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key freeride address 0.0.0.0
!
!
crypto ipsec transform-set NEW esp-3des esp-sha-hmac
!
crypto ipsec profile PROTECT-DMVPN
 set transform-set NEW
!
!
!
!
!
!
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip nhrp authentication NHRPkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile PROTECT-DMVPN
!
interface Ethernet0/0
 ip address 20.20.20.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
!
router eigrp 10
 network 10.0.0.0 0.0.0.255
 network 20.20.20.0 0.0.0.255
 network 192.168.10.0
 network 192.168.20.0
 network 192.168.30.0
 network 192.168.60.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.60.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login local
 transport input ssh
!
!
end
1 Answer

A simple approach is to use PBR to change how the traffic is routed.

This should redirect pings from the VLAN interfaces to the interface you want:

ip access-list extended VLAN10_TO_T0
 permit icmp 192.168.10.0 0.0.0.255 host 50.50.50.2 echo
 permit icmp 192.168.10.0 0.0.0.255 host 60.60.60.2 echo
 permit icmp 192.168.10.0 0.0.0.255 host 61.61.61.2 echo

ip access-list extended VLAN20_AND_30_TO_E0
 permit icmp 192.168.20.0 0.0.0.255 host 50.50.50.2 echo
 permit icmp 192.168.20.0 0.0.0.255 host 60.60.60.2 echo
 permit icmp 192.168.20.0 0.0.0.255 host 61.61.61.2 echo
 permit icmp 192.168.30.0 0.0.0.255 host 50.50.50.2 echo
 permit icmp 192.168.30.0 0.0.0.255 host 60.60.60.2 echo
 permit icmp 192.168.30.0 0.0.0.255 host 61.61.61.2 echo

route-map VLAN10_TO_T0 permit 10
 match ip address VLAN10_TO_T0
 set interface Tunnel0

! Router1's outside interface is Ethernet0/0 (the config has no "Ethernet0")
route-map VLAN20_AND_30_TO_E0 permit 10
 match ip address VLAN20_AND_30_TO_E0
 set interface Ethernet0/0

interface Ethernet0/1.10
 ip policy route-map VLAN10_TO_T0

interface Ethernet0/1.20
 ip policy route-map VLAN20_AND_30_TO_E0

interface Ethernet0/1.30
 ip policy route-map VLAN20_AND_30_TO_E0

Disclaimer: this is untested; I wrote it from memory.
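Two things are worth checking before pasting a PBR answer like the one above into a DMVPN hub. First, a route-map that references an interface, ACL or route-map that does not exist on the router produces no runtime error: IOS simply lets the packet fall through to the normal routing table, which on this hub means EIGRP decides whether VLAN10 traffic enters the encrypted tunnel or leaves Ethernet0/0 in the clear. Second, the ACLs in the answer match only ICMP echo, so only pings are policy-routed and every other protocol from those VLANs follows the routing table. The linter below, an added example and not code from the original post, parses the indentation-based IOS config format and reports both conditions. Its sample config is constructed from the interfaces in Router1's posted configuration plus the answer's route-maps and ACLs exactly as posted, including `set interface Ethernet0`.

```python
"""PBR consistency linter for a Cisco IOS running-config (added example, not from the post).

IOS configs are indentation based: an unindented line opens a block and the
space-indented lines after it belong to that block. We parse interfaces, ACLs
and route-maps, then check that every 'ip policy route-map' is fully wired:
route-map exists, its ACLs exist, and its 'set interface' names a real interface.
"""
import re
from collections import defaultdict

# Constructed sample: Router1's relevant interfaces from the question plus the
# route-maps/ACLs from the answer as posted (note 'set interface Ethernet0').
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
interface Ethernet0/0
 ip address 20.20.20.2 255.255.255.0
interface Ethernet0/1.10
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map VLAN10_TO_T0
interface Ethernet0/1.20
 ip address 192.168.20.1 255.255.255.0
 ip policy route-map VLAN20_AND_30_TO_E0
interface Ethernet0/1.30
 ip address 192.168.30.1 255.255.255.0
 ip policy route-map VLAN20_AND_30_TO_E0
ip access-list extended VLAN10_TO_T0
 permit icmp 192.168.10.0 0.0.0.255 host 50.50.50.2 echo
ip access-list extended VLAN20_AND_30_TO_E0
 permit icmp 192.168.20.0 0.0.0.255 host 50.50.50.2 echo
 permit icmp 192.168.30.0 0.0.0.255 host 50.50.50.2 echo
route-map VLAN10_TO_T0 permit 10
 match ip address VLAN10_TO_T0
 set interface Tunnel0
route-map VLAN20_AND_30_TO_E0 permit 10
 match ip address VLAN20_AND_30_TO_E0
 set interface Ethernet0
"""


def parse(config):
    """Return (interfaces, acls, route_maps, policies).

    interfaces: {name: [body lines]}    acls: {name: [protocol, ...]}
    route_maps: {name: [(seq, [acl names], [(set kind, target)])]}
    policies: {interface name: route-map name applied with 'ip policy route-map'}
    """
    interfaces, acls, route_maps, policies = {}, defaultdict(list), defaultdict(list), {}
    kind = key = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):                # unindented line: new top-level block
            kind = key = None
            if m := re.match(r"interface (\S+)$", line):
                kind, key = "if", m.group(1)
                interfaces[key] = []
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
                kind, key = "acl", m.group(1)
                acls.setdefault(key, [])            # register the ACL even if it stays empty
            elif m := re.match(r"access-list (\d+) (?:permit|deny) (\S+)", line):
                acls[m.group(1)].append(m.group(2))  # numbered ACL: one top-level line per entry
            elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)$", line):
                kind, key = "rm", m.group(1)
                route_maps[key].append((int(m.group(2)), [], []))
            continue
        body = line.strip()
        if kind == "if":
            interfaces[key].append(body)
            if m := re.match(r"ip policy route-map (\S+)$", body):
                policies[key] = m.group(1)
        elif kind == "acl":
            if m := re.match(r"(?:permit|deny) (\S+)", body):
                acls[key].append(m.group(1))        # keep just the protocol keyword
        elif kind == "rm":
            _, match_acls, targets = route_maps[key][-1]
            if m := re.match(r"match ip address (.+)$", body):
                match_acls.extend(m.group(1).split())
            elif m := re.match(r"set (interface|ip next-hop) (\S+)$", body):
                targets.append((m.group(1), m.group(2)))
    return interfaces, acls, route_maps, policies


def lint(config):
    """Return 'ERROR ...' / 'WARN ...' strings; an empty list means the PBR wiring is consistent."""
    interfaces, acls, route_maps, policies = parse(config)
    findings = []
    for iface, rm in policies.items():
        if rm not in route_maps:
            findings.append(f"ERROR {iface}: ip policy route-map {rm} is not defined")
    for rm, clauses in route_maps.items():
        for seq, match_acls, targets in clauses:
            for acl in match_acls:
                if acl not in acls:
                    findings.append(f"ERROR route-map {rm} seq {seq}: ACL {acl} is not defined")
                elif acls[acl] and set(acls[acl]) <= {"icmp"}:
                    findings.append(f"WARN route-map {rm} seq {seq}: ACL {acl} matches only ICMP, "
                                    "so TCP/UDP from these VLANs follows the normal routing table")
            for set_kind, target in targets:
                if set_kind == "interface" and target not in interfaces:
                    findings.append(f"ERROR route-map {rm} seq {seq}: set interface {target} is not an "
                                    f"interface on this router (have {', '.join(sorted(interfaces))})")
            if not targets:
                findings.append(f"WARN route-map {rm} seq {seq}: no set clause, traffic is routed normally")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against your own `show running-config` output; `lint()` flags the `Ethernet0` typo as an ERROR and both ICMP-only ACLs as WARNs. To steer all VLAN10 traffic rather than just pings, the ACL needs `permit ip 192.168.10.0 0.0.0.255 ...` entries for the destinations you care about, after which the WARN disappears.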