24.1. Local Area Mobility
Problem: Configure Local Area Mobility so that devices can roam across the network.
Solution:
Home router (HomeRouter):
RouterHome#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome(config)#interface FastEthernet0/0
RouterHome(config-if)#ip address 192.168.10.1 255.255.255.0
RouterHome(config-if)#ip proxy-arp
RouterHome(config-if)#ip mobile arp
RouterHome(config-if)#exit
RouterHome(config)#router eigrp 99
RouterHome(config-router)#network 192.168.10.0
RouterHome(config-router)#default-metric 10000 10 255 1 1500
RouterHome(config-router)#redistribute mobile
RouterHome(config-router)#no auto-summary
RouterHome(config-router)#exit
RouterHome(config)#end
RouterHome#
Foreign router (ForeignRouter):
RouterForeign#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterForeign(config)#interface FastEthernet0/0
RouterForeign(config-if)#ip address 192.168.110.1 255.255.255.0
RouterForeign(config-if)#ip proxy-arp
RouterForeign(config-if)#ip mobile arp
RouterForeign(config-if)#exit
RouterForeign(config)#router eigrp 99
RouterForeign(config-router)#network 192.168.110.0
RouterForeign(config-router)#default-metric 10000 10 255 1 1500
RouterForeign(config-router)#redistribute mobile
RouterForeign(config-router)#no auto-summary
RouterForeign(config-router)#exit
RouterForeign(config)#end
RouterForeign#
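Discussion: Local Area Mobility is a simple form of mobile IP that Cisco implements with proxy ARP. It is only a temporary alternative for networks that have no DHCP. When the foreign router discovers the visiting device through ARP, it installs a host route in its routing table, and the home router then learns that host route through the routing protocol. For example, the ARP table and routing table on the foreign router: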
RouterForeign#show ip arp FastEthernet0/0
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.110.1 - 000e.d7d6.1060 ARPA FastEthernet0/0
Internet  192.168.10.109          1   00b0.64ab.0580  ARPA   FastEthernet0/0
Internet 192.168.110.9 21 0000.0c75.c684 ARPA FastEthernet0/0
RouterForeign#
RouterForeign#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.110.0/24 is directly connected, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
M       192.168.10.109/32 [3/1] via 192.168.10.109, 00:17:59, FastEthernet0/0
D 192.168.10.0/24 [90/2172416] via 192.168.55.11, 00:29:43, Serial0/0
C 192.168.55.0/24 is directly connected, Serial0/0
RouterForeign#
The home router learns the host route through EIGRP:
RouterHome#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
D 192.168.110.0/24 [90/2172416] via 192.168.55.12, 00:31:43, Serial0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D EX    192.168.10.109/32 [170/2172416] via 192.168.55.12, 00:18:19, Serial0/0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
C 192.168.55.0/24 is directly connected, Serial0/0
RouterHome#
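An added example (not from the original page): because the host route is created from ARP alone, a periodic check of which mobile routes exist is useful. This Python sketch cross-references the ARP and route lines shown above; the function names and the list of allowed home subnets are assumptions.

```python
import ipaddress
import re

# Constructed sample: the ARP and route lines shown above for RouterForeign.
ARP_OUTPUT = """\
Internet 192.168.110.1 - 000e.d7d6.1060 ARPA FastEthernet0/0
Internet 192.168.10.109 1 00b0.64ab.0580 ARPA FastEthernet0/0
Internet 192.168.110.9 21 0000.0c75.c684 ARPA FastEthernet0/0
"""
ROUTE_OUTPUT = """\
C 192.168.110.0/24 is directly connected, FastEthernet0/0
M 192.168.10.109/32 [3/1] via 192.168.10.109, 00:17:59, FastEthernet0/0
D 192.168.10.0/24 [90/2172416] via 192.168.55.11, 00:29:43, Serial0/0
"""

def roaming_arp_entries(arp_text, local_net):
    """ARP entries (ip, mac) whose address lies outside the interface subnet."""
    net = ipaddress.ip_network(local_net)
    rows = re.findall(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA", arp_text, re.M)
    return [(ip, mac) for ip, mac in rows if ipaddress.ip_address(ip) not in net]

def mobile_routes(route_text):
    """Addresses of host routes installed by Local Area Mobility (code M)."""
    return re.findall(r"^M\s+(\S+)/32\s", route_text, re.M)

def unexpected_mobile_hosts(arp_text, route_text, local_net, allowed_home_nets):
    """Mobile host routes (ip, mac) that fall outside every expected home subnet."""
    allowed = [ipaddress.ip_network(n) for n in allowed_home_nets]
    seen = dict(roaming_arp_entries(arp_text, local_net))
    return [(ip, seen.get(ip)) for ip in mobile_routes(route_text)
            if not any(ipaddress.ip_address(ip) in n for n in allowed)]

if __name__ == "__main__":
    print(unexpected_mobile_hosts(ARP_OUTPUT, ROUTE_OUTPUT,
                                  "192.168.110.0/24", ["192.168.10.0/24"]))
```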
24.2. Home Agent Configuration
Problem: Configure a router to act as the Home Agent for mobile nodes.
Solution:
RouterHome#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome(config)#interface Loopback0
RouterHome(config-if)#ip address 192.168.9.1 255.255.255.255
RouterHome(config-if)#exit
RouterHome(config)#router mobile
RouterHome(config-router)#exit
RouterHome(config)#router eigrp 99
RouterHome(config-router)#redistribute mobile
RouterHome(config-router)#network 192.168.9.0
RouterHome(config-router)#network 192.168.10.0
RouterHome(config-router)#default-metric 10000 10 255 1 1500
RouterHome(config-router)#no auto-summary
RouterHome(config-router)#exit
RouterHome(config)#ip mobile home-agent address 192.168.9.1
RouterHome(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii neoshi
RouterHome(config)#end
RouterHome#
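Discussion: Configuring the Home Agent is the first step in configuring Mobile IP. Start with the basic Mobile IP configuration, then define the Home Agent's IP address and the address range of the mobile nodes, and finally configure authentication for each mobile node. AAA can also be used for authentication to improve scalability: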
RouterHome(config)#aaa new-model
RouterHome(config)#aaa authorization ipmobile default group tacacs+
RouterHome(config)#ip mobile secure mn-aaa spi 200 algorithm md5
Note that the Mobile IP tunnel uses IP protocol number 55.
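An added example (not from the original page or from Cisco): what an ip mobile secure host entry protects, shown by building a registration request and its Mobile-Home Authentication Extension in Python. It assumes the RFC 3344 message layout and keyed MD5 in prefix+suffix mode; the mode a given IOS release actually uses, the function names and the identification value are assumptions.

```python
import hashlib
import hmac
import socket
import struct

MHAE_TYPE, DIGEST_LEN = 32, 16  # Mobile-Home Authentication Extension, MD5 size

def build_request(home, agent, care_of, ident, lifetime=1800, flags=0):
    """Fixed 24-byte Registration Request (type 1) as laid out in RFC 3344."""
    return struct.pack("!BBH4s4s4sQ", 1, flags, lifetime, socket.inet_aton(home),
                       socket.inet_aton(agent), socket.inet_aton(care_of), ident)

def authenticator(key, covered):
    """Keyed MD5, prefix+suffix mode (assumed): MD5(key || data || key)."""
    return hashlib.md5(key + covered + key).digest()

def sign(request, spi, key):
    """Mobile node side: append type, length, SPI and the digest over all of it."""
    header = struct.pack("!BBI", MHAE_TYPE, 4 + DIGEST_LEN, spi)
    return request + header + authenticator(key, request + header)

def verify(message, associations):
    """Home Agent side: find the key by (home address, SPI), recompute, compare."""
    if len(message) < 24 + 6 + DIGEST_LEN:
        return False
    covered, received = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    ext_type, length, spi = struct.unpack("!BBI", covered[-6:])
    key = associations.get((socket.inet_ntoa(message[4:8]), spi))
    if ext_type != MHAE_TYPE or length != 4 + DIGEST_LEN or key is None:
        return False
    return hmac.compare_digest(authenticator(key, covered), received)

def with_care_of(message, care_of):
    """Return the message with its care-of address field (bytes 12-15) replaced."""
    return message[:12] + socket.inet_aton(care_of) + message[16:]

# Constructed sample built from this page's values:
# ip mobile secure host 192.168.10.112 spi 100 key ascii neoshi
ASSOCIATIONS = {("192.168.10.112", 100): b"neoshi"}
REQUEST = build_request("192.168.10.112", "192.168.9.1", "192.168.110.1",
                        ident=0x0123456789ABCDEF)  # constructed replay-protection value
SIGNED = sign(REQUEST, 100, b"neoshi")

if __name__ == "__main__":
    print(verify(SIGNED, ASSOCIATIONS))
    print(verify(with_care_of(SIGNED, "192.168.110.99"), ASSOCIATIONS))
```

The digest covers the care-of address, so a request whose care-of field was changed after signing no longer verifies.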
24.3. Foreign Agent Configuration
Problem: Configure a router to act as the Foreign Agent for mobile nodes.
Solution:
RouterForeign#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterForeign(config)#router mobile
RouterForeign(config-router)#exit
RouterForeign(config)#router eigrp 99
RouterForeign(config-router)#network 192.168.110.0
RouterForeign(config-router)#no auto-summary
RouterForeign(config-router)#exit
RouterForeign(config)#interface Ethernet0/0
RouterForeign(config-if)#ip address 192.168.110.1 255.255.255.0
RouterForeign(config-if)#ip irdp
RouterForeign(config-if)#ip mobile foreign-service
RouterForeign(config-if)#exit
RouterForeign(config)#ip mobile foreign-agent care-of Ethernet0/0
RouterForeign(config)#end
RouterForeign#
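Discussion: The second step in configuring Mobile IP is to configure the Foreign Agent. The initial configuration is basically the same as for the Home Agent. Next, enable IRDP on the interface; mobile nodes use IRDP to discover the Foreign Agent's address. Then enable the agent service on the interface with ip mobile foreign-service, and finally configure the care-of address, which is used to build the tunnel to the Home Agent address. Interestingly, neither the home nor the foreign configuration defines the peer's address, because the mobile node announces it.
In addition, to increase security, authentication between the Home Agent and the Foreign Agent can be configured: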
RouterHome(config)#ip mobile secure foreign-agent 192.168.110.1 spi 100 key ascii neoshi
RouterForeign(config)#ip mobile secure home-agent 192.168.9.1 spi 100 key ascii neoshi
24.4. Configuring a Router as a Mobile Node
Problem: Configure a router to act as a mobile node.
Solution:
RouterMobile#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterMobile(config)#router mobile
RouterMobile(config-router)#exit
RouterMobile(config)#ip mobile secure home-agent 192.168.9.1 spi 100 key ascii neoshi
RouterMobile(config)#ip mobile router
RouterMobile(mobile-router)#address 192.168.10.112 255.255.255.0
RouterMobile(mobile-router)#home-agent 192.168.9.1
RouterMobile(mobile-router)#exit
RouterMobile(config)#interface FastEthernet0/0
RouterMobile(config-if)#ip address 192.168.10.112 255.255.255.0
RouterMobile(config-if)#ip irdp
RouterMobile(config-if)#ip mobile router-service roam
RouterMobile(config-if)#ip mobile router-service solicit
RouterMobile(config-if)#exit
RouterMobile(config)#end
RouterMobile#
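Discussion: Routers can be configured as mobile nodes starting with 12.2(4)T.
24.5. Reverse-Tunnel Forwarding
Problem: Force all packets to be forwarded through the tunnel, to avoid the access lists that the network defines to prevent address spoofing.
Solution: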
RouterMobile#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterMobile(config)#ip mobile router
RouterMobile(mobile-router)#reverse-tunnel
RouterMobile(mobile-router)#exit
RouterMobile(config)#end
RouterMobile#
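Discussion: Return packets from the mobile node that reach the Foreign Agent may be forwarded by local routing instead of through the tunnel back to the Home Agent, which may violate the Foreign Agent's security policy. Enabling this feature forces return packets to go through the tunnel as well. The feature must be negotiated, however. To verify: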
RouterForeign#show ip mobile tunnel
Mobile Tunnels:
Tunnel0:
src 192.168.110.1, dest 192.168.9.1
encap IP/IP, mode reverse-allowed, tunnel-users 1
IP MTU 1480 bytes
Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never
outbound interface Serial0/0
FA created, fast switching enabled, ICMP unreachable enabled
105 packets input, 8462 bytes, 0 drops
0 packets output, 0 bytes
RouterForeign#
24.6. Configuring HSRP Support on Home Agents for Redundancy
Problem: Increase redundancy by configuring multiple Home Agents.
Solution:
RouterHome1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome1(config)#interface FastEthernet0/0
RouterHome1(config-if)#ip address 192.168.9.2 255.255.255.0
RouterHome1(config-if)#standby 1 ip 192.168.9.1
RouterHome1(config-if)#standby 1 name HA-GROUP
RouterHome1(config-if)#exit
RouterHome1(config)#router mobile
RouterHome1(config-router)#exit
RouterHome1(config)#router eigrp 99
RouterHome1(config-router)#redistribute mobile
RouterHome1(config-router)#network 192.168.9.0
RouterHome1(config-router)#network 192.168.10.0
RouterHome1(config-router)#default-metric 10000 10 255 1 1500
RouterHome1(config-router)#no auto-summary
RouterHome1(config-router)#exit
RouterHome1(config)#ip mobile home-agent address 192.168.9.1
RouterHome1(config)#ip mobile home-agent redundancy HA-GROUP virtual-network
RouterHome1(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome1(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome1(config)#ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco
RouterHome1(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook
RouterHome1(config)#end
RouterHome1#
RouterHome2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome2(config)#interface FastEthernet0/0
RouterHome2(config-if)#ip address 192.168.9.3 255.255.255.0
RouterHome2(config-if)#standby 1 ip 192.168.9.1
RouterHome2(config-if)#standby 1 name HA-GROUP
RouterHome2(config-if)#exit
RouterHome2(config)#router mobile
RouterHome2(config-router)#exit
RouterHome2(config)#router eigrp 99
RouterHome2(config-router)#redistribute mobile
RouterHome2(config-router)#network 192.168.9.0
RouterHome2(config-router)#network 192.168.10.0
RouterHome2(config-router)#default-metric 10000 10 255 1 1500
RouterHome2(config-router)#no auto-summary
RouterHome2(config-router)#exit
RouterHome2(config)#ip mobile home-agent address 192.168.9.1
RouterHome2(config)#ip mobile home-agent redundancy HA-GROUP virtual-network
RouterHome2(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome2(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome2(config)#ip mobile secure home-agent 192.168.9.2 spi 100 key ascii cisco
RouterHome2(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook
RouterHome2(config)#end
RouterHome2#
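Discussion: The HSRP virtual address is used as the Home Agent address to add redundancy. The additional command ip mobile home-agent redundancy HA-GROUP virtual-network associates the Home Agent with the corresponding HSRP group. Authentication between the two Home Agents must also be configured so that they can synchronize information: ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco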
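An added example (not from the original page): the two redundant Home Agents only work as a pair when their security associations match, so this Python sketch compares the ip mobile secure lines of both configurations and reports drift and key reuse. The function names and the drifted sample are constructed for illustration.

```python
import re
from collections import defaultdict

SA_RE = re.compile(r"ip mobile secure (host|home-agent|foreign-agent) (\S+) "
                   r"spi (\d+) key ascii (\S+)")

def parse_sas(config):
    """Map (role, address) -> (spi, key) for every 'ip mobile secure' line."""
    return {(m[1], m[2]): (int(m[3]), m[4]) for m in SA_RE.finditer(config)}

def audit_pair(cfg_a, addr_a, cfg_b, addr_b):
    """Compare two redundant Home Agent configs; return a list of findings."""
    sa_a, sa_b = parse_sas(cfg_a), parse_sas(cfg_b)
    hosts_a = {k[1]: v for k, v in sa_a.items() if k[0] == "host"}
    hosts_b = {k[1]: v for k, v in sa_b.items() if k[0] == "host"}
    findings = [f"host {h}: defined on only one home agent"
                for h in sorted(set(hosts_a) ^ set(hosts_b))]
    findings += [f"host {h}: SPI or key differs between home agents"
                 for h in sorted(set(hosts_a) & set(hosts_b))
                 if hosts_a[h] != hosts_b[h]]
    # Each agent needs an association for its peer's real interface address.
    peer_a, peer_b = sa_a.get(("home-agent", addr_b)), sa_b.get(("home-agent", addr_a))
    if peer_a is None or peer_a != peer_b:
        findings.append("peer home-agent association missing or mismatched")
    reuse = defaultdict(list)
    for host, (_spi, key) in hosts_a.items():
        reuse[key].append(host)  # key values are grouped, never printed
    findings += [f"{len(h)} hosts share one key" for h in reuse.values() if len(h) > 1]
    return findings

# Constructed sample: a subset of the RouterHome1 / RouterHome2 lines above.
HOME1 = """\
ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco
ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
"""
HOME2 = """\
ip mobile secure home-agent 192.168.9.2 spi 100 key ascii cisco
ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
"""
# Constructed drift: one host missing and one key changed on the second agent.
HOME2_DRIFT = """\
ip mobile secure home-agent 192.168.9.2 spi 100 key ascii cisco
ip mobile secure host 192.168.10.110 spi 100 key ascii changed
"""
```

Called as audit_pair(HOME1, "192.168.9.2", HOME2, "192.168.9.3"), the matching pair yields only the shared-key finding, while HOME2_DRIFT also reports the missing host and the differing key.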