CCIE-13-DMVPN

Lab Prerequisites

Network Topology

[figure: network topology diagram]

Environment Setup

The lab files can be downloaded from my resources (there is also a download link at the top of this article).

Starting the Configuration

First verify that all three routers can reach each other over their public IP addresses.

R2#ping 13.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R2#ping 14.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2#

The underlay is in place.

Deploying mGRE

R2:
interface tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

R3:
interface tunnel0
 ip address 10.1.1.3 255.255.255.0
 tunnel source Ethernet0/1
 tunnel mode gre multipoint

R4:
interface tunnel0
 ip address 10.1.1.4 255.255.255.0
 tunnel source Ethernet0/2
 tunnel mode gre multipoint

Deploying NHRP

R2 (Hub):
interface tunnel0
 ip nhrp network 100
 ip nhrp authentication D-CISCO
 ip nhrp map multicast dynamic

R3 (Spoke):
interface tunnel0
 ip nhrp network 100
 ip nhrp authentication D-CISCO
 ip nhrp map 10.1.1.2 12.1.1.2
 ip nhrp map multicast 12.1.1.2
 ip nhrp nhs 10.1.1.2

R4 (Spoke):
interface tunnel0
 ip nhrp network 100
 ip nhrp authentication D-CISCO
 ip nhrp map 10.1.1.2 12.1.1.2
 ip nhrp map multicast 12.1.1.2
 ip nhrp nhs 10.1.1.2

Verify connectivity over the tunnel (private IP addresses)

R4#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R4#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R4#

Deploying a Dynamic Routing Protocol

OSPF

When advertising networks, do not advertise the public IP networks (the 12.x, 13.x and 14.x segments).
If you advertise only the public networks and not the private tunnel IPs, no neighbor can form: without the private IP, mGRE will not forward the hello packets through the tunnel to the hub.
Advertising both the public and the private IPs makes the neighbor relationship flap, so that does not work either.
Advertise only the private IPs plus the other interface IPs, excluding the IP of the tunnel source interface.

R2 Hub:
router ospf 100
 router-id 2.2.2.2
 network 10.2.2.2 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.255 area 0

R3 Spoke:
router ospf 100
 router-id 3.3.3.3
 network 10.3.3.3 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.255 area 0

R4 Spoke:
router ospf 100
 router-id 4.4.4.4
 network 10.4.4.4 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.255 area 0

Checking the result
R2, R3 and R4 keep logging these errors:

R2(config-router)#
*Apr  5 15:39:26.093: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done
*Apr  5 15:39:26.097: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.098: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.099: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.099: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.100: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.101: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.101: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.102: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.102: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
R2(config-router)#
*Apr  5 15:39:27.096: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.097: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done
*Apr  5 15:39:27.097: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.098: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.098: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.099: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.100: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.100: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.106: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.106: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset

This happens because the default OSPF network type on a tunnel interface is point-to-point, so OSPF assumes there is exactly one router at the other end. When it receives a hello from R3 it forms an adjacency with R3; the moment it receives a hello from R4 it resets the R3 adjacency and forms one with R4, so the adjacencies keep flapping. Changing the interface network type to point-to-multipoint fixes this (broadcast also works, but then R2 must be manually made the DR).
Fix:

R2/R3/R4:
interface tunnel0
 ip ospf network point-to-multipoint

The neighbors then come up and routes are exchanged successfully.
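A way to catch this failure mode from the syslog stream instead of watching the console, as an added example that is not part of the original lab: the Python below (my code, not the author's) parses %OSPF-5-ADJCHG lines in the format shown above, finds the densest burst of DOWN transitions per interface, and reports when more than one neighbor is being reset on the same interface, which is the signature of a multipoint tunnel left at the default point-to-point network type. The sample log lines are constructed from the R2 output above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample taken from the R2 console output above (IOS timestamps carry no year).
SAMPLE_LOG = """\
*Apr  5 15:39:26.093: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done
*Apr  5 15:39:26.097: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.098: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:26.099: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.096: %OSPF-5-ADJCHG: Process 100, Nbr 4.4.4.4 on Tunnel0 from EXCHANGE to DOWN, Neighbor Down: Adjacency forced to reset
*Apr  5 15:39:27.097: %OSPF-5-ADJCHG: Process 100, Nbr 3.3.3.3 on Tunnel0 from LOADING to FULL, Loading Done
"""

ADJCHG_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %OSPF-5-ADJCHG: Process \d+, "
    r"Nbr (?P<nbr>\S+) on (?P<ifc>\S+) from \w+ to (?P<new>\w+)")


def parse_adjchg(line):
    """Return {ts, nbr, ifc, new} for an %OSPF-5-ADJCHG syslog line, else None."""
    m = ADJCHG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime("2000 " + ev["ts"], "%Y %b %d %H:%M:%S.%f")  # any year works for deltas
    return ev


def flap_report(lines, window=2.0, min_downs=4):
    """Per interface, the densest burst of DOWN transitions within `window` seconds; two or more
    distinct neighbors in one burst points at a multipoint interface still using the p2p network type."""
    downs = defaultdict(list)
    for line in lines:
        ev = parse_adjchg(line)
        if ev and ev["new"] == "DOWN":
            downs[ev["ifc"]].append((ev["ts"], ev["nbr"]))
    report = {}
    for ifc, events in downs.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):          # sliding window over the sorted DOWN events
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) >= min_downs:
            nbrs = sorted({n for _, n in best})
            cause = ("multiple neighbors resetting each other: likely p2p network type on a multipoint tunnel"
                     if len(nbrs) > 1 else "single neighbor flapping")
            report[ifc] = {"downs": len(best), "neighbors": nbrs, "cause": cause}
    return report
```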

Network Optimization

R3#traceroute 10.1.1.4
Type escape sequence to abort.
Tracing the route to 10.1.1.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 1 msec 1 msec 0 msec
  2 10.1.1.4 1 msec *  1 msec
R3#

Right now all spoke-to-spoke traffic has to pass through R2. Adjust the policy so that the spokes dynamically build a direct path between themselves and communicate directly. Make the following changes:

R2:
interface tunnel 0
 ip nhrp redirect

R3:
interface tunnel 0
 ip nhrp shortcut
 
R4:
interface tunnel 0
 ip nhrp shortcut

Test again

R3#traceroute 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 1 msec 0 msec 0 msec
  2 10.1.1.4 5 msec *  6 msec
! The first few packets have to trigger the spoke-to-spoke tunnel setup, so the path may still look the same as before

R3#traceroute 10.4.4.4        
Type escape sequence to abort.
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.4 6 msec *  5 msec
  
! The route entries now carry a %: the next hop has been overridden
R3#show ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 13.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 13.1.1.1
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Tunnel0
O        10.1.1.2/32 [110/1000] via 10.1.1.2, 00:11:06, Tunnel0
L        10.1.1.3/32 is directly connected, Tunnel0
O   %    10.1.1.4/32 [110/2000] via 10.1.1.2, 00:07:59, Tunnel0
O        10.2.2.2/32 [110/1001] via 10.1.1.2, 00:11:06, Tunnel0
C        10.3.3.3/32 is directly connected, Loopback0
O   %    10.4.4.4/32 [110/2001] via 10.1.1.2, 00:07:59, Tunnel0
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.1.1.0/24 is directly connected, Ethernet0/1
L        13.1.1.3/32 is directly connected, Ethernet0/1

! show ip nhrp shortcut also shows that the next hop has changed:
R3#show ip nhrp shortcut
10.1.1.4/32 via 10.1.1.4
   Tunnel0 created 00:04:14, expire 00:06:01
   Type: dynamic, Flags: router nhop rib nho 
   NBMA address: 14.1.1.4 
10.4.4.4/32 via 10.1.1.4
   Tunnel0 created 00:03:58, expire 00:06:01
   Type: dynamic, Flags: router used rib nho 
   NBMA address: 14.1.1.4 
R3#

EIGRP

Note: remove the OSPF configuration before configuring EIGRP.
Configure EIGRP

R2:
router eigrp 100
 router-id 2.2.2.2
 network 10.1.1.0 0.0.0.255
 network 10.2.2.2 0.0.0.0
 
R3:
router eigrp 100
 router-id 3.3.3.3
 network 10.1.1.0 0.0.0.255
 network 10.3.3.3 0.0.0.0
 
R4:
router eigrp 100
 router-id 4.4.4.4
 network 10.1.1.0 0.0.0.255
 network 10.4.4.4 0.0.0.0

Check the routing tables

R2(config-router)#do show ip route
......
S*    0.0.0.0/0 [1/0] via 12.1.1.1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Tunnel0
L        10.1.1.2/32 is directly connected, Tunnel0
C        10.2.2.2/32 is directly connected, Loopback0
D        10.3.3.3/32 [90/27008000] via 10.1.1.3, 00:00:18, Tunnel0
D        10.4.4.4/32 [90/27008000] via 10.1.1.4, 00:00:14, Tunnel0
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/24 is directly connected, Ethernet0/0
L        12.1.1.2/32 is directly connected, Ethernet0/0


R3(config-router)#do show ip route
......
S*    0.0.0.0/0 [1/0] via 13.1.1.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Tunnel0
L        10.1.1.3/32 is directly connected, Tunnel0
D        10.2.2.2/32 [90/27008000] via 10.1.1.2, 00:01:07, Tunnel0
C        10.3.3.3/32 is directly connected, Loopback0
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.1.1.0/24 is directly connected, Ethernet0/1
L        13.1.1.3/32 is directly connected, Ethernet0/1


R4(config-router)#do show ip route 
......
S*    0.0.0.0/0 [1/0] via 14.1.1.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Tunnel0
L        10.1.1.4/32 is directly connected, Tunnel0
D        10.2.2.2/32 [90/27008000] via 10.1.1.2, 00:01:18, Tunnel0
C        10.4.4.4/32 is directly connected, Loopback0
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.1.1.0/24 is directly connected, Ethernet0/2
L        14.1.1.4/32 is directly connected, Ethernet0/2

With EIGRP configured, R2 receives the routes advertised by R3 and R4,
but R3 and R4 do not receive each other's routes. EIGRP is a distance-vector protocol that propagates routing information: R2 receives R3's route on its tunnel interface, but because of split horizon it will not send that route back out the same tunnel interface, so R4 never receives it; likewise, R3 never receives R4's route.
Disable EIGRP split horizon on R2's tunnel0 so the spokes can learn each other's routes.

R2#conf t 
R2(config)#interface tunnel 0
R2(config-if)#no ip split-horizon eigrp 100

R3(config-router)#do show ip route 
......
S*    0.0.0.0/0 [1/0] via 13.1.1.1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Tunnel0
L        10.1.1.3/32 is directly connected, Tunnel0
D        10.2.2.2/32 [90/27008000] via 10.1.1.2, 00:04:45, Tunnel0
C        10.3.3.3/32 is directly connected, Loopback0
D        10.4.4.4/32 [90/28288000] via 10.1.1.2, 00:00:35, Tunnel0
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.1.1.0/24 is directly connected, Ethernet0/1
L        13.1.1.3/32 is directly connected, Ethernet0/1


R4(config-router)#do show ip route 
......
S*    0.0.0.0/0 [1/0] via 14.1.1.1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Tunnel0
L        10.1.1.4/32 is directly connected, Tunnel0
D        10.2.2.2/32 [90/27008000] via 10.1.1.2, 00:05:05, Tunnel0
D        10.3.3.3/32 [90/28288000] via 10.1.1.2, 00:00:57, Tunnel0
C        10.4.4.4/32 is directly connected, Loopback0
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.1.1.0/24 is directly connected, Ethernet0/2
L        14.1.1.4/32 is directly connected, Ethernet0/2

R3 and R4 now receive each other's loopback routes (the NHRP redirect and shortcut configured earlier remain in effect).

R4#traceroute 10.3.3.3
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 1 msec 0 msec 1 msec
  2 10.1.1.3 6 msec *  1 msec
  
R4#traceroute 10.3.3.3
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 1 msec *  0 msec
  
R4#show ip nhrp shortcut
10.1.1.3/32 via 10.1.1.3
   Tunnel0 created 00:00:51, expire 00:09:08
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 13.1.1.3 
10.3.3.3/32 via 10.1.1.3
   Tunnel0 created 00:00:51, expire 00:09:08
   Type: dynamic, Flags: router used rib nho 
   NBMA address: 13.1.1.3 

Check whether (ip next-hop-self eigrp 100) is configured under R2's tunnel0 interface; if it is, remove it with the no form, otherwise the next hop of the routes still points to R2 and the path optimization is not achieved.

Configuring IPsec

IPsec configuration on R2

! Because the peers are dynamic, the pre-shared key for authentication must be bound to address 0.0.0.0
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha256
 group 5
 lifetime 3600
crypto isakmp key d-cisco address 0.0.0.0
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile MYPROFILE
 set transform-set MYSET

interface tunnel0
 tunnel protection ipsec profile MYPROFILE

IPsec configuration on R3/R4

! Because the peers are dynamic, the pre-shared key for authentication must be bound to address 0.0.0.0
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha256
 group 5
 lifetime 3600
crypto isakmp key d-cisco address 0.0.0.0
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile MYPROFILE
 set transform-set MYSET

interface tunnel0
 tunnel protection ipsec profile MYPROFILE

Verifying the Result

R4#traceroute 10.3.3.3                                         
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 5 msec 5 msec 5 msec
  2 10.1.1.3 6 msec *  5 msec
R4#traceroute 10.3.3.3
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 5 msec *  7 msec
R4#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 13.1.1.3 port 500 
  Session ID: 0  
  IKEv1 SA: local 14.1.1.4/500 remote 13.1.1.3/500 Active 
  Session ID: 0  
  IKEv1 SA: local 14.1.1.4/500 remote 13.1.1.3/500 Active 
  IPSEC FLOW: permit 47 host 14.1.1.4 host 13.1.1.3 
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 12.1.1.2 port 500 
  Session ID: 0  
  IKEv1 SA: local 14.1.1.4/500 remote 12.1.1.2/500 Active 
  Session ID: 0  
  IKEv1 SA: local 14.1.1.4/500 remote 12.1.1.2/500 Active 
  IPSEC FLOW: permit 47 host 14.1.1.4 host 12.1.1.2 
        Active SAs: 4, origin: crypto map

Data traffic is now encrypted.
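To verify the "encrypted" claim per peer instead of eyeballing the output, an added example that is not from the original post: this Python (my code) parses show crypto session text in the format shown above and reports any expected NBMA peer (the hub from ip nhrp map plus the spokes seen in show ip nhrp shortcut) that lacks an UP-ACTIVE session with a GRE (IP protocol 47) IPsec flow and at least one active SA. The sample output is constructed; the hub session is deliberately shown as still negotiating so the failure case is exercised.

```python
import re

# Constructed sample in the shape of R4's "show crypto session" above: the spoke peer
# is fully protected, the hub session is deliberately left still negotiating.
SAMPLE = """\
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 13.1.1.3 port 500
  IKEv1 SA: local 14.1.1.4/500 remote 13.1.1.3/500 Active
  IPSEC FLOW: permit 47 host 14.1.1.4 host 13.1.1.3
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: DOWN-NEGOTIATING
Peer: 12.1.1.2 port 500
  IKEv1 SA: local 14.1.1.4/500 remote 12.1.1.2/500 Inactive
  IPSEC FLOW: permit 47 host 14.1.1.4 host 12.1.1.2
        Active SAs: 0, origin: crypto map
"""

STATUS_RE = re.compile(r"^Session status: (\S+)")
PEER_RE = re.compile(r"^Peer: (\d+\.\d+\.\d+\.\d+) port \d+")
FLOW_RE = re.compile(r"^\s*IPSEC FLOW: permit (\d+) host \S+ host (\S+)")
SAS_RE = re.compile(r"^\s*Active SAs: (\d+)")


def parse_crypto_sessions(text):
    """Map each peer NBMA address to its session status, GRE-flow flag and active SA count."""
    sessions, status, cur = {}, None, None
    for line in text.splitlines():
        if m := STATUS_RE.match(line):        # the status line precedes the Peer line in IOS output
            status = m.group(1)
        elif m := PEER_RE.match(line):
            cur = sessions.setdefault(m.group(1), {"peer": m.group(1), "status": status,
                                                   "gre_flow": False, "active_sas": 0})
        elif cur and (m := FLOW_RE.match(line)):
            # only a flow for IP protocol 47 (GRE) to this peer protects the mGRE tunnel traffic
            if m.group(1) == "47" and m.group(2) == cur["peer"]:
                cur["gre_flow"] = True
        elif cur and (m := SAS_RE.match(line)):
            cur["active_sas"] += int(m.group(1))
    return sessions


def unprotected_peers(expected_nbma, sessions):
    """Expected NBMA peers (hub and shortcut spokes) with no active IPsec protection for GRE."""
    return [p for p in expected_nbma
            if (s := sessions.get(p)) is None
            or s["status"] != "UP-ACTIVE" or not s["gre_flow"] or s["active_sas"] == 0]
```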
