组网及说明
告警信息
无
问题描述
总部出口路由器旁挂FW,总部和分部之间采用GRE(当然也可以采用IPSEC )
注:不用PC而采用交换机的目的是,PC没有ip unreachables enable
ip ttl-expires enable这2个命令,tracert时候观察不到具体情况。交换机按照PC配置就行,接口地址加静态路由。
过程分析
RT1(总部)
#
ip unreachables enable
ip ttl-expires enable
#
undo ip fast-forwarding load-sharing ########重点命令,否则不通。
#
#
policy-based-route PC1--PC2 permit node 10
if-match acl 3001
apply next-hop 10.1.3.2
#
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 12.1.1.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 10.1.1.1 255.255.255.0
ip policy-based-route PC1--PC2
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
ip address 10.1.3.1 255.255.255.0
#
#
interface Tunnel0 mode gre
ip address 10.13.1.1 255.255.255.0
source 12.1.1.1
destination 23.1.1.1
#
#
ip route-static 10.1.2.0 24 10.13.1.2
ip route-static 23.1.1.0 24 12.1.1.2
#
acl advanced 3001
description PC1---PC2
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
RT2(分支)
#
ip unreachables enable
ip ttl-expires enable
#
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 23.1.1.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 10.1.2.1 255.255.255.0
#
#
interface Tunnel0 mode gre
ip address 10.13.1.2 255.255.255.0
source 23.1.1.1
destination 12.1.1.1
#
#
ip route-static 10.1.1.0 24 10.13.1.1
ip route-static 10.1.3.0 24 10.13.1.1
ip route-static 12.1.1.0 24 23.1.1.2
FW
ip unreachables enable
ip ttl-expires enable
#
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 10.1.3.2 255.255.255.0
#
#
security-zone name Trust
import interface GigabitEthernet1/0/0
#
#
ip route-static 0.0.0.0 0 10.1.3.1
#
#
security-policy ip
rule 0 name test
action pass
解决方法
undo ip fast-forwarding load-sharing ########重点命令,否则不通。