Lab prerequisites
Network topology
Three routers, each with one public (underlay) interface towards an upstream router that is its default gateway: R2 (hub) Ethernet0/0 12.1.1.2 via 12.1.1.1, R3 (spoke) Ethernet0/1 13.1.1.3 via 13.1.1.1, R4 (spoke) Ethernet0/2 14.1.1.4 via 14.1.1.1. The mGRE overlay is 10.1.1.0/24 (R2 10.1.1.2, R3 10.1.1.3, R4 10.1.1.4), and each router's Loopback0 (10.2.2.2, 10.3.3.3, 10.4.4.4) stands in for its site LAN.
Environment setup
The lab files can be downloaded from my resources (there is also a download link at the top of this article).
Start the configuration
First verify that all three routers can reach each other over their public IPs.
R2#ping 13.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R2#ping 14.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2#
Basic connectivity is in place.
Deploy mGRE
R2:
interface tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel source Ethernet0/0
! multipoint GRE: one tunnel interface for all peers and no tunnel destination; NHRP supplies the destinations
tunnel mode gre multipoint
R3:
interface tunnel0
ip address 10.1.1.3 255.255.255.0
tunnel source Ethernet0/1
tunnel mode gre multipoint
R4:
interface tunnel0
ip address 10.1.1.4 255.255.255.0
tunnel source Ethernet0/2
tunnel mode gre multipoint
Deploy NHRP
R2 Hub:
interface tunnel0
! network-id ties Tunnel0 to one NHRP domain; the authentication string travels in cleartext and only
! guards against mis-joined peers, so real peer authentication has to come from IPsec (added later)
ip nhrp network-id 100
ip nhrp authentication D-CISCO
! learn each spoke's NBMA (public) address from its registration and replicate multicast
! (routing-protocol hellos) to every registered spoke
ip nhrp map multicast dynamic
R3 Spoke:
interface tunnel0
ip nhrp network-id 100
ip nhrp authentication D-CISCO
! static mapping of the hub's tunnel address to its public address, plus multicast towards the hub
ip nhrp map 10.1.1.2 12.1.1.2
ip nhrp map multicast 12.1.1.2
! the hub is the next-hop server this spoke registers with
ip nhrp nhs 10.1.1.2
R4 Spoke:
interface tunnel0
ip nhrp network-id 100
ip nhrp authentication D-CISCO
ip nhrp map 10.1.1.2 12.1.1.2
ip nhrp map multicast 12.1.1.2
ip nhrp nhs 10.1.1.2
Verify connectivity over the private (tunnel) addresses
R4#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R4#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R4#
Deploy a dynamic routing protocol
OSPF
When advertising networks, do not advertise the public (underlay) subnets (the 12.x, 13.x and 14.x networks).
Advertising only the public subnets and not the private ones gives no adjacency at all: Tunnel0 is then not in OSPF, so no hellos are sent through the tunnel to the hub.
Advertising both public and private subnets does not work either: the hub's and the spokes' public subnets are then learned through the tunnel itself (recursive routing), the tunnel goes down and up repeatedly, and the adjacencies flap with it.
So advertise only the private side: the tunnel subnet plus the loopback/LAN prefixes, and never the subnet of the tunnel source interface.
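As an added worked example (not part of the original lab), the following Python applies the IOS network-statement rule, an interface joins OSPF when its address matches the statement under the wildcard mask, to R2's three interfaces and classifies the three advertisement choices discussed above. Only the addresses come from the lab; the function names and verdict strings are this example's own.

```python
"""Which interfaces does an OSPF 'network' statement activate on R2?

Added example for this article (not the lab's own configuration): it applies
the IOS rule that an interface is placed into OSPF when its address matches
the 'network' statement under the wildcard mask, and classifies the three
advertisement choices discussed in the text. Only the addresses come from the
lab; the function names and verdict strings are this example's own.
"""
import ipaddress

# R2 (hub) interfaces from the lab.
R2_INTERFACES = {
    "Ethernet0/0": "12.1.1.2",  # tunnel source: public / underlay address
    "Tunnel0": "10.1.1.2",      # mGRE overlay address
    "Loopback0": "10.2.2.2",    # stands in for the site LAN
}


def matches(addr, network, wildcard):
    """IOS 'network NET WILDCARD area N': address bits where the wildcard is 0 must equal NET."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)


def ospf_enabled_interfaces(interfaces, network_statements):
    """Names of the interfaces that a list of (network, wildcard) statements activates."""
    return {
        name
        for name, addr in interfaces.items()
        if any(matches(addr, net, wc) for net, wc in network_statements)
    }


def check_dmvpn_ospf(interfaces, tunnel_source, tunnel_if, network_statements):
    """Classify a set of network statements for a DMVPN router.

    'no-adjacency'     : Tunnel0 is not in OSPF, so no hellos cross the tunnel.
    'recursive-routing': the tunnel source interface is in OSPF, so the underlay
                         subnet is learned through the overlay and the tunnel flaps.
    'ok'               : overlay and LAN prefixes only.
    """
    enabled = ospf_enabled_interfaces(interfaces, network_statements)
    if tunnel_if not in enabled:
        return "no-adjacency"
    if tunnel_source in enabled:
        return "recursive-routing"
    return "ok"


PUBLIC_ONLY = [("12.1.1.0", "0.0.0.255")]
PUBLIC_AND_PRIVATE = PUBLIC_ONLY + [("10.1.1.0", "0.0.0.255"), ("10.2.2.2", "0.0.0.0")]
PRIVATE_ONLY = [("10.1.1.0", "0.0.0.255"), ("10.2.2.2", "0.0.0.0")]  # the lab's R2 config
CATCH_ALL = [("0.0.0.0", "255.255.255.255")]  # a common shortcut that also breaks DMVPN

if __name__ == "__main__":
    cases = [("public only", PUBLIC_ONLY), ("public+private", PUBLIC_AND_PRIVATE),
             ("private only", PRIVATE_ONLY), ("0.0.0.0 255.255.255.255", CATCH_ALL)]
    for label, stmts in cases:
        verdict = check_dmvpn_ospf(R2_INTERFACES, "Ethernet0/0", "Tunnel0", stmts)
        print(f"{label:28s} -> {verdict}")
```

The catch-all case is worth keeping in mind: `network 0.0.0.0 255.255.255.255 area 0` is a popular shortcut on plain routers, but on a DMVPN router it pulls the tunnel source interface into OSPF and produces exactly the recursive-routing flap described above.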
R2 Hub:
router ospf 100
router-id 2.2.2.2
network 10.2.2.2 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0
R3 Spoke:
router ospf 100
router-id 3.3.3.3
network 10.3.3.3 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0
R4 Spoke:
router ospf 100
router-id 4.4.4.4
network 10.4.4.4 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0
Check the result
R2, R3 and R4 keep logging adjacency changes
R2(config-router)#
*Apr 5 15:39:26.093: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done
*Apr 5 15:39:26.097: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:26.098: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:26.099: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:26.099: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:26.100: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:26.101: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:26.101: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:26.102: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:26.102: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
R2(config-router)#
*Apr 5 15:39:27.096: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:27.097: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done
*Apr 5 15:39:27.097: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:27.098: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:27.098: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:27.099: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:27.100: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:27.100: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:27.106: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr 5 15:39:27.106: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
The cause is that the default OSPF network type on a tunnel interface is point-to-point, so OSPF assumes there is exactly one router at the other end. When R3's hello arrives the hub forms an adjacency with R3; when R4's hello arrives it resets that adjacency and starts one with R4, and so on, which is the flapping in the log. Change the network type to point-to-multipoint (broadcast also works, but then R2 must become the DR, for example with ip ospf priority 0 on the spokes, because a spoke cannot reach the other spoke directly and must never be elected). Point-to-multipoint also changes the hello/dead timers to 30/120 seconds, so set it on all three routers; otherwise the types and timers mismatch and no adjacency forms at all.
Fix
R2/R3/R4:
interface tunnel0
ip ospf network point-to-multipoint
The adjacencies then come up and the routes are exchanged.
Optimizing the forwarding path
R3#traceroute 10.1.1.4
Type escape sequence to abort.
Tracing the route to 10.1.1.4
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.2 1 msec 1 msec 0 msec
2 10.1.1.4 1 msec * 1 msec
R3#
At this point every packet between the spokes transits R2. Change the NHRP configuration so the spokes resolve each other dynamically and talk directly (DMVPN Phase 3: redirect on the hub, shortcut on the spokes).
The following changes achieve that
R2:
interface tunnel 0
! hub: when a packet is forwarded back out the same tunnel interface it arrived on,
! send the originating spoke an NHRP traffic indication (redirect)
ip nhrp redirect
R3:
interface tunnel 0
! spoke: on a redirect, resolve the destination through NHRP and install the shortcut,
! overriding the next hop in the routing table
ip nhrp shortcut
R4:
interface tunnel 0
ip nhrp shortcut
Test again
R3#traceroute 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.2 1 msec 0 msec 0 msec
2 10.1.1.4 5 msec * 6 msec
! The first trace still goes through the hub: those packets trigger the redirect and the NHRP resolution that builds the spoke-to-spoke tunnel, so the result looks like before
R3#traceroute 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.4 6 msec * 5 msec
! The route entries are now prefixed with %, meaning the next hop has been overridden
R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 13.1.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 13.1.1.1
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Tunnel0
O 10.1.1.2/32 [110/1000] via 10.1.1.2, 00:11:06, Tunnel0
L 10.1.1.3/32 is directly connected, Tunnel0
O % 10.1.1.4/32 [110/2000] via 10.1.1.2, 00:07:59, Tunnel0
O 10.2.2.2/32 [110/1001] via 10.1.1.2, 00:11:06, Tunnel0
C 10.3.3.3/32 is directly connected, Loopback0
O % 10.4.4.4/32 [110/2001] via 10.1.1.2, 00:07:59, Tunnel0
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.1.1.0/24 is directly connected, Ethernet0/1
L 13.1.1.3/32 is directly connected, Ethernet0/1
! show ip nhrp shortcut also shows the new next hop:
R3#show ip nhrp shortcut
10.1.1.4/32 via 10.1.1.4
Tunnel0 created 00:04:14, expire 00:06:01
Type: dynamic, Flags: router nhop rib nho
NBMA address: 14.1.1.4
10.4.4.4/32 via 10.1.1.4
Tunnel0 created 00:03:58, expire 00:06:01
Type: dynamic, Flags: router used rib nho
NBMA address: 14.1.1.4
R3#
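Added example, not from the original post: a small Python parser for the two outputs above (embedded here as constructed samples copied from R3) that confirms a shortcut really bypasses the hub. The check is the one a practitioner makes by eye: the RIB entry is marked %, the NHRP entry carries the nho (next-hop override) flag, and its NBMA address is not the hub's 12.1.1.2. Function names are this example's own.

```python
"""Confirm DMVPN Phase 3 shortcuts from 'show ip route' and 'show ip nhrp shortcut'.

Added example, not part of the original lab. The two sample outputs below are
copied from R3 in the article (constructed input for this script); the helper
names are this example's own.
"""
import re

SHOW_IP_NHRP_SHORTCUT = """\
10.1.1.4/32 via 10.1.1.4
   Tunnel0 created 00:04:14, expire 00:06:01
   Type: dynamic, Flags: router nhop rib nho
   NBMA address: 14.1.1.4
10.4.4.4/32 via 10.1.1.4
   Tunnel0 created 00:03:58, expire 00:06:01
   Type: dynamic, Flags: router used rib nho
   NBMA address: 14.1.1.4
"""

SHOW_IP_ROUTE = """\
S*    0.0.0.0/0 [1/0] via 13.1.1.1
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Tunnel0
O        10.1.1.2/32 [110/1000] via 10.1.1.2, 00:11:06, Tunnel0
L        10.1.1.3/32 is directly connected, Tunnel0
O   %    10.1.1.4/32 [110/2000] via 10.1.1.2, 00:07:59, Tunnel0
O        10.2.2.2/32 [110/1001] via 10.1.1.2, 00:11:06, Tunnel0
C        10.3.3.3/32 is directly connected, Loopback0
O   %    10.4.4.4/32 [110/2001] via 10.1.1.2, 00:07:59, Tunnel0
"""

HUB_NBMA = "12.1.1.2"  # R2's public address in the lab

ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+) via (\d+\.\d+\.\d+\.\d+)$")
ROUTE_OVERRIDE_RE = re.compile(r"^\S+\s+%\s+(\S+)\s+\[[^\]]+\]\s+via\s+(\d+\.\d+\.\d+\.\d+)")


def parse_nhrp_shortcuts(text):
    """{prefix: {'next_hop', 'flags', 'nbma'}} from 'show ip nhrp shortcut' output."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = entries.setdefault(m.group(1), {"next_hop": m.group(2)})
            continue
        if current is None:
            continue
        m = re.search(r"Flags: (.*)$", line)
        if m:
            current["flags"] = set(m.group(1).split())
            continue
        m = re.match(r"^NBMA address: (\S+)", line)
        if m:
            current["nbma"] = m.group(1)
    return entries


def overridden_routes(text):
    """{prefix: protocol_next_hop} for RIB entries carrying the % (next hop override) marker."""
    out = {}
    for line in text.splitlines():
        m = ROUTE_OVERRIDE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def direct_spoke_paths(route_text, nhrp_text, hub_nbma=HUB_NBMA):
    """{prefix: (rib_next_hop, nhrp_next_hop, nbma)} for prefixes that now bypass the hub.

    A prefix qualifies only if the RIB shows %, the NHRP entry has the 'nho' flag
    (the override is actually installed) and the NBMA address is not the hub's.
    """
    shortcuts = parse_nhrp_shortcuts(nhrp_text)
    result = {}
    for prefix, rib_nh in overridden_routes(route_text).items():
        sc = shortcuts.get(prefix)
        if sc and "nho" in sc.get("flags", ()) and sc.get("nbma") not in (None, hub_nbma):
            result[prefix] = (rib_nh, sc["next_hop"], sc["nbma"])
    return result


if __name__ == "__main__":
    for prefix, (rib_nh, nhrp_nh, nbma) in direct_spoke_paths(SHOW_IP_ROUTE, SHOW_IP_NHRP_SHORTCUT).items():
        print(f"{prefix}: RIB says via {rib_nh}, forwarded via {nhrp_nh} (NBMA {nbma})")
```

A prefix that shows % in the RIB but whose NHRP entry lacks the nho flag, or that expired, is the usual sign of a shortcut that was requested but never completed (for example because the spoke-to-spoke path is blocked on the underlay), and this check catches it.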
EIGRP
Note: remove the OSPF configuration (no router ospf 100) before configuring EIGRP
Configure EIGRP
R2:
router eigrp 100
router-id 2.2.2.2
network 10.1.1.0 0.0.0.255
network 10.2.2.2 0.0.0.0
R3:
router eigrp 100
router-id 3.3.3.3
network 10.1.1.0 0.0.0.255
network 10.3.3.3 0.0.0.0
R4:
router eigrp 100
router-id 4.4.4.4
network 10.1.1.0 0.0.0.255
network 10.4.4.4 0.0.0.0
Check the routing tables
R2(config-router)#do show ip route
......
S* 0.0.0.0/0 [1/0] via 12.1.1.1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Tunnel0
L 10.1.1.2/32 is directly connected, Tunnel0
C 10.2.2.2/32 is directly connected, Loopback0
D 10.3.3.3/32 [90/27008000] via 10.1.1.3, 00:00:18, Tunnel0
D 10.4.4.4/32 [90/27008000] via 10.1.1.4, 00:00:14, Tunnel0
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.1.1.0/24 is directly connected, Ethernet0/0
L 12.1.1.2/32 is directly connected, Ethernet0/0
R3(config-router)#do show ip route
......
S* 0.0.0.0/0 [1/0] via 13.1.1.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Tunnel0
L 10.1.1.3/32 is directly connected, Tunnel0
D 10.2.2.2/32 [90/27008000] via 10.1.1.2, 00:01:07, Tunnel0
C 10.3.3.3/32 is directly connected, Loopback0
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.1.1.0/24 is directly connected, Ethernet0/1
L 13.1.1.3/32 is directly connected, Ethernet0/1
R4(config-router)#do show ip route
......
S* 0.0.0.0/0 [1/0] via 14.1.1.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Tunnel0
L 10.1.1.4/32 is directly connected, Tunnel0
D 10.2.2.2/32 [90/27008000] via 10.1.1.2, 00:01:18, Tunnel0
C 10.4.4.4/32 is directly connected, Loopback0
14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 14.1.1.0/24 is directly connected, Ethernet0/2
L 14.1.1.4/32 is directly connected, Ethernet0/2
With EIGRP configured, R2 receives the routes that R3 and R4 advertise to it,
but R3 and R4 do not receive each other's routes. EIGRP is a distance-vector protocol and passes the routes themselves: R2 learns R3's prefix on Tunnel0 and, because of split horizon, never readvertises it out of the same interface, so R4 never hears of it; by the same logic R3 does not get R4's prefix.
Disable EIGRP split horizon on R2's Tunnel0 so the spokes can learn each other's routes through the hub
R2#conf t
R2(config)#interface tunnel 0
R2(config-if)#no ip split-horizon eigrp 100
R3(config-router)#do show ip route
......
S* 0.0.0.0/0 [1/0] via 13.1.1.1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Tunnel0
L 10.1.1.3/32 is directly connected, Tunnel0
D 10.2.2.2/32 [90/27008000] via 10.1.1.2, 00:04:45, Tunnel0
C 10.3.3.3/32 is directly connected, Loopback0
D 10.4.4.4/32 [90/28288000] via 10.1.1.2, 00:00:35, Tunnel0
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.1.1.0/24 is directly connected, Ethernet0/1
L 13.1.1.3/32 is directly connected, Ethernet0/1
R4(config-router)#do show ip route
......
S* 0.0.0.0/0 [1/0] via 14.1.1.1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Tunnel0
L 10.1.1.4/32 is directly connected, Tunnel0
D 10.2.2.2/32 [90/27008000] via 10.1.1.2, 00:05:05, Tunnel0
D 10.3.3.3/32 [90/28288000] via 10.1.1.2, 00:00:57, Tunnel0
C 10.4.4.4/32 is directly connected, Loopback0
14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 14.1.1.0/24 is directly connected, Ethernet0/2
L 14.1.1.4/32 is directly connected, Ethernet0/2
R3 and R4 now receive each other's loopback routes (the NHRP redirect/shortcut configured earlier is still in effect, so after the first packets the traffic again goes directly between the spokes)
R4#traceroute 10.3.3.3
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.2 1 msec 0 msec 1 msec
2 10.1.1.3 6 msec * 1 msec
R4#traceroute 10.3.3.3
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.3 1 msec * 0 msec
R4#show ip nhrp shortcut
10.1.1.3/32 via 10.1.1.3
Tunnel0 created 00:00:51, expire 00:09:08
Type: dynamic, Flags: router nhop rib
NBMA address: 13.1.1.3
10.3.3.3/32 via 10.1.1.3
Tunnel0 created 00:00:51, expire 00:09:08
Type: dynamic, Flags: router used rib nho
NBMA address: 13.1.1.3
Also look at whether ip next-hop-self eigrp 100 is in effect on R2's Tunnel0. It is the default (it does not appear in the running config): the hub rewrites the next hop of the spoke routes it readvertises to its own tunnel address, which is why the tables above show 10.3.3.3/32 and 10.4.4.4/32 via 10.1.1.2. In this Phase 3 design that is fine, because NHRP overrides the next hop in the RIB once the shortcut is built (the % marker and the nho flag). Only in a Phase 2 design, with no redirect/shortcut, where the spokes must learn each other's tunnel address as the routing-protocol next hop, do you need no ip next-hop-self eigrp 100 on the hub; leaving next-hop-self on there keeps every spoke-to-spoke path pointed at R2 and defeats the optimization.
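The split-horizon behaviour explained above and the next-hop-self question just discussed can both be seen in a few lines of simulation. The following is an added example for this article, not part of the lab: a toy hop-count distance-vector protocol (not EIGRP, whose composite metric it does not model) with per-interface split horizon and next-hop-self, run over the lab's hub-and-spoke topology, where R3 and R4 share the hub's single multipoint Tunnel0 but never exchange updates directly. Router names and tunnel addresses come from the lab; everything else is this example's own modelling.

```python
"""Hub-and-spoke distance-vector propagation with per-interface split horizon.

Added example for this article (not part of the lab). It is a toy hop-count
distance-vector protocol, not EIGRP, but it reproduces the behaviour described
in the text: with split horizon on the hub's multipoint Tunnel0, a prefix learned
from R3 on Tunnel0 is never readvertised on Tunnel0 to R4; with split horizon
off the spokes learn each other's prefixes via the hub; and with next-hop-self
off the hub passes the originating spoke's tunnel address through as next hop.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Route:
    next_hop: Optional[str]    # None for a connected prefix
    metric: int                # hop count in this toy protocol
    learned_on: Optional[str]  # interface the update arrived on (None if connected)


@dataclass
class Router:
    name: str
    ifaces: Dict[str, str]                                         # interface -> own address
    routes: Dict[str, Route] = field(default_factory=dict)
    split_horizon: Dict[str, bool] = field(default_factory=dict)   # per interface, default True
    next_hop_self: Dict[str, bool] = field(default_factory=dict)   # per interface, default True

    def advertise(self, iface):
        """Updates sent out `iface` as (prefix, next_hop, metric) tuples."""
        updates = []
        for prefix, r in self.routes.items():
            learned_here = r.learned_on == iface
            if learned_here and self.split_horizon.get(iface, True):
                continue  # split horizon: never readvertise on the interface it came from
            if learned_here and not self.next_hop_self.get(iface, True):
                nh = r.next_hop  # keep the originating peer's address as next hop
            else:
                nh = self.ifaces[iface]  # next-hop-self: rewrite to our own address
            updates.append((prefix, nh, r.metric + 1))
        return updates

    def receive(self, iface, updates):
        """Install better routes; return True if anything changed."""
        changed = False
        for prefix, nh, metric in updates:
            cur = self.routes.get(prefix)
            if cur is None or metric < cur.metric:
                self.routes[prefix] = Route(nh, metric, iface)
                changed = True
        return changed


def build_lab(hub_split_horizon=True, hub_next_hop_self=True):
    r2 = Router("R2", {"Tunnel0": "10.1.1.2"}, {"10.2.2.2/32": Route(None, 0, None)})
    r3 = Router("R3", {"Tunnel0": "10.1.1.3"}, {"10.3.3.3/32": Route(None, 0, None)})
    r4 = Router("R4", {"Tunnel0": "10.1.1.4"}, {"10.4.4.4/32": Route(None, 0, None)})
    r2.split_horizon["Tunnel0"] = hub_split_horizon
    r2.next_hop_self["Tunnel0"] = hub_next_hop_self
    # NBMA hub-and-spoke: updates flow only between hub and spoke, never spoke to spoke,
    # even though all three share the 10.1.1.0/24 tunnel subnet.
    links = [(r2, "Tunnel0", r3, "Tunnel0"), (r2, "Tunnel0", r4, "Tunnel0")]
    return {"R2": r2, "R3": r3, "R4": r4}, links


def converge(routers, links, max_rounds=10):
    """Exchange updates over every link until no routing table changes."""
    for _ in range(max_rounds):
        changed = False
        for a, ia, b, ib in links:
            changed |= b.receive(ib, a.advertise(ia))
            changed |= a.receive(ia, b.advertise(ib))
        if not changed:
            return routers
    raise RuntimeError("did not converge")


def spoke_view(hub_split_horizon=True, hub_next_hop_self=True):
    """{prefix: next_hop} of the routes R3 learns, for the chosen hub settings."""
    routers, links = build_lab(hub_split_horizon, hub_next_hop_self)
    converge(routers, links)
    return {p: r.next_hop for p, r in routers["R3"].routes.items() if r.next_hop}


if __name__ == "__main__":
    print("split horizon on          :", spoke_view())
    print("split horizon off         :", spoke_view(hub_split_horizon=False))
    print("split horizon + nhs off   :", spoke_view(hub_split_horizon=False, hub_next_hop_self=False))
```

The first run reproduces the tables before `no ip split-horizon eigrp 100`: R3 only knows the hub's loopback. The second reproduces the tables after it, with 10.4.4.4/32 pointing at the hub, which is the Phase 3 situation where NHRP later overrides that next hop. The third is the Phase 2 style, where the routing protocol itself already hands R3 the other spoke's tunnel address.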
Configure IPsec
IPsec on R2
! The peers are dynamic (a spoke, and in Phase 3 any other spoke, may come from any public address), so the pre-shared key is bound to address 0.0.0.0, i.e. any peer.
! Be aware of what that means: one key shared by every router, so anyone who obtains it, including the owner of a compromised spoke, can authenticate to the hub as a new "spoke" and join the overlay. For anything beyond a lab use certificates (or at least IKEv2 with per-peer keys), and move from DH group 5 to group 14 or higher.
crypto isakmp policy 10
encryption aes 256
authentication pre-share
hash sha256
group 5
lifetime 3600
crypto isakmp key d-cisco address 0.0.0.0
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile MYPROFILE
set transform-set MYSET
interface tunnel0
tunnel protection ipsec profile MYPROFILE
IPsec on R3/R4
! Same wildcard key as on the hub; the spokes need it for the direct spoke-to-spoke IPsec sessions that Phase 3 builds
crypto isakmp policy 10
encryption aes 256
authentication pre-share
hash sha256
group 5
lifetime 3600
crypto isakmp key d-cisco address 0.0.0.0
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile MYPROFILE
set transform-set MYSET
interface tunnel0
tunnel protection ipsec profile MYPROFILE
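Added example, not part of the original lab: a small Python audit of the IKEv1/IPsec lines above, the kind of check worth running over a running-config before the design leaves the lab. It parses the `crypto isakmp policy` and `crypto isakmp key` statements and reports what a reviewer would flag. R2_CRYPTO_CONFIG is the article's own R2 configuration embedded as a sample; HARDENED_SAMPLE is this example's own variant with DH group 14 and one key per known spoke address. The thresholds (group 14 minimum, IKEv2 preferred, wildcard PSK flagged) are this example's assumptions, not something the lab states.

```python
"""Audit IOS IKEv1/IPsec settings for the weaknesses a reviewer would flag.

Added example, not part of the original lab. R2_CRYPTO_CONFIG is the article's
R2 configuration embedded as a sample; HARDENED_SAMPLE and the thresholds below
are this example's own assumptions.
"""
import re

R2_CRYPTO_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha256
 group 5
 lifetime 3600
crypto isakmp key d-cisco address 0.0.0.0
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile MYPROFILE
 set transform-set MYSET
"""

# Hub-side hardening: stronger DH group and one key per known spoke address.
HARDENED_SAMPLE = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha256
 group 14
 lifetime 3600
crypto isakmp key spoke3-secret address 13.1.1.3 255.255.255.255
crypto isakmp key spoke4-secret address 14.1.1.4 255.255.255.255
"""

WEAK_DH_GROUPS = {1, 2, 5}        # assumption: anything below group 14 is a finding
WEAK_HASHES = {"md5", "sha"}      # 'hash sha' is SHA-1 in IOS
WEAK_ENCRYPTION = {"des", "3des"}


def parse_isakmp_policies(config):
    """{policy_number: {attribute: value}} from the indented 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return policies


def parse_psk_peers(config):
    """Peer addresses that pre-shared keys are bound to (0.0.0.0 means any peer)."""
    return re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M)


def audit(config):
    """Human-readable findings for the crypto part of a running-config."""
    findings = []
    policies = parse_isakmp_policies(config)
    if policies:
        findings.append("IKEv1 (crypto isakmp policy) in use: prefer IKEv2")
    for num, pol in sorted(policies.items()):
        # IOS defaults when an attribute is omitted: DES, SHA-1, DH group 1.
        group = int(pol.get("group", "1"))
        if group in WEAK_DH_GROUPS:
            findings.append(f"policy {num}: DH group {group}, below group 14")
        h = pol.get("hash", "sha")
        if h in WEAK_HASHES:
            findings.append(f"policy {num}: weak hash {h}")
        enc = pol.get("encryption", "des").split()[0]
        if enc in WEAK_ENCRYPTION:
            findings.append(f"policy {num}: weak encryption {enc}")
    for peer in parse_psk_peers(config):
        if peer == "0.0.0.0":
            findings.append("wildcard PSK (address 0.0.0.0): one key for every peer, "
                            "so a compromised spoke can authenticate as any other peer")
    return findings


if __name__ == "__main__":
    for name, cfg in (("R2 as configured", R2_CRYPTO_CONFIG), ("hardened", HARDENED_SAMPLE)):
        print(name)
        for finding in audit(cfg):
            print("  -", finding)
```

Per-peer keys on the hub only fix the hub side: in Phase 3 every spoke also builds IPsec directly to every other spoke, so each spoke would need a key for each other spoke, which is why certificates (a PKI with IKEv2) are the answer that scales beyond a handful of sites.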
Verify
R4#traceroute 10.3.3.3
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.2 5 msec 5 msec 5 msec
2 10.1.1.3 6 msec * 5 msec
R4#traceroute 10.3.3.3
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.3 5 msec * 7 msec
R4#show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 13.1.1.3 port 500
Session ID: 0
IKEv1 SA: local 14.1.1.4/500 remote 13.1.1.3/500 Active
Session ID: 0
IKEv1 SA: local 14.1.1.4/500 remote 13.1.1.3/500 Active
IPSEC FLOW: permit 47 host 14.1.1.4 host 13.1.1.3
Active SAs: 2, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 12.1.1.2 port 500
Session ID: 0
IKEv1 SA: local 14.1.1.4/500 remote 12.1.1.2/500 Active
Session ID: 0
IKEv1 SA: local 14.1.1.4/500 remote 12.1.1.2/500 Active
IPSEC FLOW: permit 47 host 14.1.1.4 host 12.1.1.2
Active SAs: 4, origin: crypto map
The traffic is now encrypted: each IPSEC FLOW line shows GRE (IP protocol 47) between a pair of public addresses being protected, so the whole overlay, including the direct spoke-to-spoke tunnel from R4 to R3, runs inside ESP.