Classic DMVPN Configuration

Taking the topology in the figure above as an example, this article walks through a DMVPN configuration. The router at the top is the HUB, simulating the company's central site, with loopback 11.1.1.1/24. The two routers below are spoke routers simulating branch offices, with loopbacks 3.3.3.3/24 and 4.4.4.4/24 respectively. 134.134.134.0/24 is the mGRE tunnel network.

1. Basic network configuration

Configuration on the HUB

hostname HUB

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 12.12.12.1 255.255.255.0
 duplex auto

ip route 0.0.0.0 0.0.0.0 12.12.12.2

Basic configuration on Internet-R

hostname Internet-R
!
interface Ethernet0/0
 ip address 12.12.12.2 255.255.255.0
 duplex auto
!
interface Ethernet0/1
 ip address 23.23.23.2 255.255.255.0
 duplex auto
!
interface Ethernet0/2
 ip address 24.24.24.2 255.255.255.0
 duplex auto

Basic configuration on Spoke3

hostname Spoke3
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/1
 ip address 23.23.23.3 255.255.255.0
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 23.23.23.2

Basic configuration on Spoke4

hostname Spoke4
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface Ethernet0/2
 ip address 24.24.24.4 255.255.255.0
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 24.24.24.2

2. mGRE and NHRP configuration

Configuration on the HUB

---------------mGRE configuration-------------------
interface Tunnel0
 ip address 134.134.134.1 255.255.255.0
 tunnel mode gre multipoint
<Set the tunnel mode to multipoint GRE>
 tunnel source 12.12.12.1
 tunnel key 12345
<Set the tunnel key to 12345; it identifies the tunnel interface and must match on every site>

---------------NHRP configuration-------------------
 ip nhrp network-id 10
<Enable NHRP; the network-id should be the same on all sites>
 ip nhrp authentication cisco
<Optional: enable NHRP authentication with the password cisco>
 ip nhrp map multicast dynamic
<Accept multicast mappings dynamically from the spokes that register with this hub>

Configuration on Spoke3

---------------mGRE configuration-------------------
interface Tunnel0
 ip address 134.134.134.3 255.255.255.0
 tunnel mode gre multipoint
<Set the tunnel mode to multipoint GRE>
 tunnel source 23.23.23.3
 tunnel key 12345
<Set the tunnel key to 12345; it identifies the tunnel interface and must match the hub>

---------------NHRP configuration-------------------
 ip nhrp network-id 10
 ip nhrp authentication cisco
 ip nhrp map 134.134.134.1 12.12.12.1
<Static NHRP mapping of the hub's tunnel (virtual) IP to the hub's public IP. Without this mapping a spoke cannot reach the hub>
 ip nhrp map multicast 12.12.12.1
<mGRE is an NBMA network. For a spoke to form a dynamic-routing-protocol neighbor relationship with the hub, every spoke must map multicast to the hub's public IP so that the spoke's multicast is delivered to the hub. Note that there is no multicast mapping between spokes, so spokes form no routing-protocol neighbor relationship with each other>
 ip nhrp nhs 134.134.134.1
<NHS is the NHRP server; this sets the NHRP server address to the hub's tunnel interface (virtual) address. The NHS must be the tunnel address 134.134.134.1, not the hub's public address 12.12.12.1, or the spoke cannot register with the hub>

Configuration on Spoke4

---------------mGRE configuration-------------------
interface Tunnel0
 ip address 134.134.134.4 255.255.255.0
 tunnel mode gre multipoint
 tunnel source 24.24.24.4
 tunnel key 12345

---------------NHRP configuration-------------------
 ip nhrp network-id 10
 ip nhrp authentication cisco
 ip nhrp map 134.134.134.1 12.12.12.1
 ip nhrp map multicast 12.12.12.1
 ip nhrp nhs 134.134.134.1
<As on Spoke3, the NHS is the hub's tunnel address, not its public address>

3. Testing NHRP

Query the NHRP registrations on the HUB; we can see the dynamic registrations from Spoke3 and Spoke4.

HUB#show ip nhrp
134.134.134.3/32 via 134.134.134.3
   Tunnel0 created 00:49:51, expire 00:09:04
   Type: dynamic, Flags: registered nhop
<Mapping learned dynamically through registration>
   NBMA address: 23.23.23.3
<Maps Spoke3's virtual IP 134.134.134.3 to its public IP 23.23.23.3>
134.134.134.4/32 via 134.134.134.4
   Tunnel0 created 00:49:51, expire 00:09:04
   Type: dynamic, Flags: registered nhop
   NBMA address: 24.24.24.4
<Maps Spoke4's virtual IP 134.134.134.4 to its public IP 24.24.24.4>

NHRP mapping information on Spoke3

Spoke3#show ip nhrp
134.134.134.1/32 via 134.134.134.1
   Tunnel0 created 00:51:42, never expire
   Type: static, Flags: used
<Static NHRP mapping>
   NBMA address: 12.12.12.1
<Maps the HUB's virtual IP 134.134.134.1 to its public IP 12.12.12.1>

Ping test from Spoke3 to Spoke4

Spoke3#ping 134.134.134.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 134.134.134.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/9/16 ms

NHRP on Spoke3 after the ping

Spoke3#show ip nhrp
134.134.134.1/32 via 134.134.134.1
   Tunnel0 created 01:21:56, never expire
   Type: static, Flags: used
   NBMA address: 12.12.12.1
134.134.134.3/32 via 134.134.134.3
   Tunnel0 created 00:02:46, expire 00:07:13
   Type: dynamic, Flags: router unique local
   NBMA address: 23.23.23.3
    (no-socket)
134.134.134.4/32 via 134.134.134.4
   Tunnel0 created 00:02:46, expire 00:07:13
   Type: dynamic, Flags: router used nhop
   NBMA address: 24.24.24.4
A mapping to Spoke4 has been built dynamically.

4. Dynamic routing protocol

EIGRP on the HUB

router eigrp 100
 network 1.1.1.0 0.0.0.255
 network 134.134.134.0 0.0.0.255

EIGRP on Spoke3

router eigrp 100
 network 3.3.3.0 0.0.0.255
 network 134.134.134.0 0.0.0.255

EIGRP on Spoke4

router eigrp 100
 network 4.4.4.0 0.0.0.255
 network 134.134.134.0 0.0.0.255

5. Testing and tuning EIGRP

View the EIGRP neighbor relationships on the HUB

HUB(config)#do show ip eigrp nei
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   134.134.134.3           Tu0                      12 00:01:33   31  1362  0  9
0   134.134.134.4           Tu0                      12 00:01:33   31  1362  0  8

The EIGRP neighbor relationships are established.

View the routes the HUB learned through EIGRP

HUB(config)#do show ip route eigrp

      3.0.0.0/24 is subnetted, 1 subnets
D        3.3.3.0 [90/27008000] via 134.134.134.3, 00:03:02, Tunnel0
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/27008000] via 134.134.134.4, 00:02:57, Tunnel0

The hub has learned all of the branch routes. Routing-protocol neighbor relationships exist between the hub and the spokes, but not between spokes. This is determined by the NHRP multicast mappings: multicast mappings exist only between the hub and each spoke, not between spokes.

View the EIGRP neighbor relationships on Spoke3

Spoke3#show ip eigrp nei
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   134.134.134.1           Tu0                      14 00:04:36   34  1398  0  16

View the EIGRP routes learned on Spoke3

Spoke3#show ip route eigrp

      1.0.0.0/24 is subnetted, 1 subnets
D        1.1.1.0 [90/27008000] via 134.134.134.1, 00:06:13, Tunnel0

We can see that the spoke learned only the route to the hub's internal network, not the routes to the other spoke's internal network. The cause is the split-horizon feature on the hub's tunnel interface: all spokes sit behind the hub's single Tunnel0, and split horizon stops the hub from advertising a route back out of the interface it was learned on.

To fix this, disable split horizon on the hub's tunnel interface, as follows:

HUB(config)#int tu0

HUB(config-if)#no ip split-horizon eigrp 100

After split horizon is disabled on the hub, check the routing table on Spoke3: Spoke3 now learns the route to Spoke4's internal network through EIGRP.

Spoke3#show ip route eigrp

      1.0.0.0/24 is subnetted, 1 subnets
D        1.1.1.0 [90/27008000] via 134.134.134.1, 00:17:54, Tunnel0
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/28288000] via 134.134.134.1, 00:02:42, Tunnel0
Both routes have 134.134.134.1 as their next hop.

But the next hop of both routes is the hub (134.134.134.1). To get the direct spoke-to-spoke communication that DMVPN is designed for, we want Spoke3 to learn 4.4.4.0/24 with next hop 134.134.134.4 (the virtual IP of Spoke4's tunnel interface).

To optimize the EIGRP routes learned by the spokes, disable EIGRP's next-hop-self feature on the hub's tunnel interface, as follows:

HUB(config-if)#no ip next-hop-self eigrp 100

After this EIGRP tuning on the hub, check the EIGRP routes on Spoke3: it learns the route to Spoke4's internal network with next hop set to the virtual IP of Spoke4's tunnel interface. Likewise, Spoke4 learns the route to Spoke3's internal network with next hop set to the virtual IP of Spoke3's tunnel interface.

6. Configuring IPsec VPN

The only job of the IPsec VPN is to encrypt the mGRE traffic. The algorithms below (3DES, MD5, DES and DH group 2) are the ones used in this lab; they are legacy algorithms, and a production deployment should use AES and SHA-2 with a stronger DH group.

IPsec VPN configuration on the HUB

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set trans134 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile pro-134
 set transform-set trans134
!
interface Tunnel0
 ip mtu 1400
<Lower the MTU to avoid IPsec fragmentation>
 tunnel protection ipsec profile pro-134

IPsec VPN configuration on Spoke3

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
<Because spokes build tunnels directly with each other, the pre-shared key address must be 0.0.0.0 (the wildcard, "eight zeros") so that any peer can use it>
!
crypto ipsec transform-set trans134 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile pro-134
 set transform-set trans134
!
interface Tunnel0
 no ip redirects
 ip mtu 1400
 tunnel protection ipsec profile pro-134
!

IPsec VPN configuration on Spoke4

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set trans134 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile pro-134
 set transform-set trans134
!
interface Tunnel0
 ip mtu 1400
 tunnel protection ipsec profile pro-134

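As an added example (not part of the original post), here is a small Python linter that cross-checks a hub and a spoke Tunnel0 stanza for the mismatches this article walks through: tunnel key, NHRP network-id and authentication, the spoke's NHS and hub mappings, the hub's multicast map, split-horizon and next-hop-self, and tunnel protection. The sample stanzas are constructed to mirror the HUB and Spoke3 configs, with the spoke's NHS deliberately pointed at the hub's public address so the check can flag it.

```python
"""Added example (not from the original post): cross-check a DMVPN hub and spoke
Tunnel0 stanza for the NHRP/EIGRP/IPsec mismatches this article walks through."""

def tunnel_block(config, name="Tunnel0"):
    """Collect the indented commands under 'interface <name>' of an IOS-style config."""
    cmds, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # any top-level line ends the stanza
            inside = line.strip() == f"interface {name}"
        elif inside:
            cmds.append(line.strip())
    return cmds

def arg(cmds, prefix):
    """Argument text of the first command starting with prefix, or None."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)

def check_dmvpn(hub_cfg, spoke_cfg, eigrp_as="100"):
    """Return findings as strings; an empty list means hub and spoke agree."""
    hub, spoke, out = tunnel_block(hub_cfg), tunnel_block(spoke_cfg), []
    hub_tun, hub_nbma = arg(hub, "ip address ").split()[0], arg(hub, "tunnel source ")
    for key in ("tunnel key ", "ip nhrp network-id ", "ip nhrp authentication "):
        if arg(hub, key) != arg(spoke, key):
            out.append(f"'{key.strip()}' differs between hub and spoke")
    nhs = arg(spoke, "ip nhrp nhs ")
    if nhs != hub_tun:   # the NHS is the hub's tunnel address, not its NBMA (public) address
        out.append(f"spoke NHS is {nhs}, expected hub tunnel address {hub_tun}")
    if arg(spoke, f"ip nhrp map {hub_tun} ") != hub_nbma:
        out.append(f"spoke lacks 'ip nhrp map {hub_tun} {hub_nbma}'")
    if arg(spoke, "ip nhrp map multicast ") != hub_nbma:
        out.append(f"spoke lacks 'ip nhrp map multicast {hub_nbma}'")
    if "ip nhrp map multicast dynamic" not in hub:
        out.append("hub lacks 'ip nhrp map multicast dynamic'")
    for cmd in (f"no ip split-horizon eigrp {eigrp_as}", f"no ip next-hop-self eigrp {eigrp_as}"):
        if cmd not in hub:
            out.append(f"hub lacks '{cmd}', so spokes learn no spoke-to-spoke next hop")
    for side, cmds in (("hub", hub), ("spoke", spoke)):
        if arg(cmds, "tunnel protection ipsec profile ") is None:
            out.append(f"{side} tunnel has no IPsec profile, so GRE travels in clear text")
    return out

# Constructed sample stanzas mirroring the article's HUB and Spoke3 (after the EIGRP tuning).
HUB_CFG = ("interface Tunnel0\n ip address 134.134.134.1 255.255.255.0\n tunnel source 12.12.12.1\n"
           " tunnel key 12345\n ip nhrp network-id 10\n ip nhrp authentication cisco\n"
           " ip nhrp map multicast dynamic\n no ip split-horizon eigrp 100\n"
           " no ip next-hop-self eigrp 100\n tunnel protection ipsec profile pro-134\n!\n")
SPOKE_CFG = ("interface Tunnel0\n ip address 134.134.134.3 255.255.255.0\n tunnel source 23.23.23.3\n"
             " tunnel key 12345\n ip nhrp network-id 10\n ip nhrp authentication cisco\n"
             " ip nhrp map 134.134.134.1 12.12.12.1\n ip nhrp map multicast 12.12.12.1\n"
             " ip nhrp nhs 12.12.12.1\n tunnel protection ipsec profile pro-134\n!\n")  # NHS wrong
```

Running `check_dmvpn(HUB_CFG, SPOKE_CFG)` reports only the misplaced NHS; correcting it to 134.134.134.1 yields no findings.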
7. Viewing DMVPN status

IPsec SA status on the HUB. We can see the tunnels from the hub to the two spokes. These tunnels can be thought of as permanent: as long as a spoke is online, its tunnel to the hub stays up.

HUB#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 12.12.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (24.24.24.4/255.255.255.255/47/0)
   current_peer 24.24.24.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2725, #pkts encrypt: 2725, #pkts digest: 2725
    #pkts decaps: 2724, #pkts decrypt: 2724, #pkts verify: 2724
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.12.12.1, remote crypto endpt.: 24.24.24.4
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x8660834(140904500)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x653F0CD8(1698630872)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 13, flow_id: SW:13, sibling_flags C0004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4203386/605)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xCB6EF074(3413045364)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 17, flow_id: SW:17, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4276484/3584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x65E5F2BE(1709568702)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 14, flow_id: SW:14, sibling_flags C0004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4203387/605)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x8660834(140904500)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 18, flow_id: SW:18, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4276484/3584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
   current_peer 23.23.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2725, #pkts encrypt: 2725, #pkts digest: 2725
    #pkts decaps: 2718, #pkts decrypt: 2718, #pkts verify: 2718
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x29ED1EB7(703405751)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x477590D(74930445)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 15, flow_id: SW:15, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4326507/640)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x29ED1EB7(703405751)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 16, flow_id: SW:16, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4326507/640)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

IPsec SA status on Spoke3

Spoke3#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 23.23.23.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2793, #pkts encrypt: 2793, #pkts digest: 2793
    #pkts decaps: 2802, #pkts decrypt: 2802, #pkts verify: 2802
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.23.23.3, remote crypto endpt.: 12.12.12.1
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0xA70703AF(2802254767)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDCAE735(231401269)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 11, flow_id: SW:11, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4173362/3295)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA70703AF(2802254767)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 12, flow_id: SW:12, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4173362/3295)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

We can see that the spoke maintains only the permanent tunnel to the hub.

Spoke-to-spoke tunnels are built on demand. Use ping on Spoke3 to trigger spoke-to-spoke traffic and build the spoke-to-spoke tunnel dynamically:

Spoke3#ping 4.4.4.4 sou 3.3.3.3 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/14 ms
Spoke3#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 23.23.23.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (24.24.24.4/255.255.255.255/47/0)
   current_peer 24.24.24.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
    #pkts decaps: 96, #pkts decrypt: 96, #pkts verify: 96
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.23.23.3, remote crypto endpt.: 24.24.24.4
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x25AD3948(632109384)
     PFS (Y/N): N, DH group: none

View NHRP on Spoke3

Spoke3#show ip nhrp
134.134.134.1/32 via 134.134.134.1
   Tunnel0 created 03:37:41, never expire
   Type: static, Flags: used
   NBMA address: 12.12.12.1
134.134.134.3/32 via 134.134.134.3
   Tunnel0 created 00:04:36, expire 00:05:23
   Type: dynamic, Flags: router unique local
   NBMA address: 23.23.23.3
    (no-socket)
134.134.134.4/32 via 134.134.134.4
   Tunnel0 created 00:04:36, expire 00:05:23
   Type: dynamic, Flags: router used nhop
   NBMA address: 24.24.24.4
