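DMVPN Lab

Lab Topology

Figure 1
Figure 2

  • Lab environment
    EVE 2.0.3-86 (聚星网络 Chinese-localized edition)

  • Lab requirements:
    Refer to Figure 2; assign the IP addresses yourself.
    R2 is the carrier (ISP).
    Build the first-tier DMVPN among R1, R3 and R4.
    Build two second-tier DMVPNs: one among R3, R6 and R7, and one among R4, R6 and R8.
    R7's loopback reaches R1's loopback across both VPN tiers, with R3 as the transit.
    R8's loopback reaches R1's loopback across both VPN tiers, with R4 as the transit.

  • Approach:
    The tunnels for R3 and R4 are established through lookups performed at R1,
    so make R1 the hub site of VPN-1-1, R3 the hub site of VPN-2-1, and R4 the hub site of VPN-2-2.
    R6, as the hub of the two hub-spoke structures, only forwards traffic at the physical level and takes no part in any VPN configuration, so it is effectively an ISP and only needs working routing.
    R3 and R4 each belong to two VPNs, so each needs two separate tunnel interfaces.

IP

  • Procedure
    ① Get routing working so that everything is reachable at the physical level. The loopbacks all use the 10.100.0.0/16 range so that they can be summarized;
    ② Build the VPNs on top of mGRE;
    ③ Use EIGRP to make the routes reachable at the logical level.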

VPN-1-1

R1:
R1(config)#interface serial 0/0
R1(config-if)#ip address 11.1.1.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exi
R1(config)#interface lo0
R1(config-if)#ip address 10.100.1.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 11.1.1.2		// Too lazy to write them out here, so a default route is used; this should really be specific static routes
R2:
R2(config)#interface serial 0/0
R2(config-if)#ip address 11.1.1.2 255.255.255.0
R2(config-if)#no shutdown 
R2(config-if)#exi
R2(config)#interface serial 0/1
R2(config-if)#ip address 13.1.1.2 255.255.255.0
R2(config-if)#no shutdown 
R2(config-if)#exi
R2(config)#interface serial 0/2
R2(config-if)#ip address 14.1.1.2 255.255.255.0
R2(config-if)#no shutdown 
R2(config-if)#exi
R3:
R3(config)#interface serial 0/0
R3(config-if)#ip address 13.1.1.1 255.255.255.0
R3(config-if)#no shutdown 
R3(config-if)#exi
R3(config)#interface lo0
R3(config-if)#ip address 10.100.3.3 255.255.255.0
R3(config-if)#no shutdown 
R3(config-if)#exi
R3(config)#ip route 11.1.1.0 255.255.255.0 13.1.1.2	// No static route to R4 here, and R4 gets none to R3 either
R4:
R4(config)#interface serial 0/0
R4(config-if)#ip address 14.1.1.1 255.255.255.0
R4(config-if)#no shutdown 
R4(config-if)#exi
R4(config)#interface lo0
R4(config-if)#ip address 10.100.4.4 255.255.255.0
R4(config-if)#no shutdown 
R4(config-if)#exi
R4(config)#ip route 11.1.1.0 255.255.255.0 14.1.1.2

Connectivity test:

R1#ping 13.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/21/24 ms
R1#ping 14.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/19/20 ms

Bring up mGRE with R1 as the hub site, network-id 100, using the 10.1.1.0/24 subnet.

R1:
R1(config)#interface tunnel 0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#tunnel source serial 0/0
R1(config-if)#tunnel mode gre multipoint 
R1(config-if)#tunnel key 100
R1(config-if)#ip nhrp network-id 100
R1(config-if)#ip nhrp map multicast dynamic 
R1(config-if)#ip nhrp redirect 
R1(config-if)#exit
R1(config)#
R3:
R3(config)#interface tunnel 0
R3(config-if)#ip address 10.1.1.3 255.255.255.0
R3(config-if)#tunnel source serial 0/0
R3(config-if)#tunnel mode gre multipoint 
R3(config-if)#tunnel key 100
R3(config-if)#ip nhrp nhs 10.1.1.1
R3(config-if)#ip nhrp map 10.1.1.1 11.1.1.1
R3(config-if)#ip nhrp map multicast 11.1.1.1
R3(config-if)#ip nhrp network-id 100
R3(config-if)#exit
R3(config)#
R4:
R4(config)#interface tunnel 0
R4(config-if)#ip address 10.1.1.4 255.255.255.0
R4(config-if)#tunnel source serial 0/0
R4(config-if)#tunnel mode gre multipoint 
R4(config-if)#tunnel key 100
R4(config-if)#ip nhrp nhs 10.1.1.1
R4(config-if)#ip nhrp map 10.1.1.1 11.1.1.1  
R4(config-if)#ip nhrp map multicast 11.1.1.1
R4(config-if)#ip nhrp network-id 100
R4(config-if)#exit
R4(config)#

Use EIGRP for dynamic routing. Why EIGRP? Because the network statements are convenient to write.

R1:
R1(config)#router eigrp 90
R1(config-router)#network 10.0.0.0
R3:
R3(config)#router eigrp 90
R3(config-router)#network 10.0.0.0
R4:
R4(config)#router eigrp 90
R4(config-router)#network 10.0.0.0

Test VPN connectivity:

R3:
R3#ping 10.100.1.1 source 10.100.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.3.3 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/21 ms
R3#
R4:
R4#ping 10.100.1.1 source 10.100.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.4.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/19/20 ms

VPN-1-1 is now complete.

VPN-2

VPN-2 uses a separate tunnel interface so that it does not conflict with VPN-1.
First bring up the physical links between R3, R4 and R6, R7, R8.

R3:
R3(config)#interface serial 0/2
R3(config-if)#ip address 103.1.1.1 255.255.255.0
R3(config-if)#no shutdown 
R3(config-if)#exi
R3(config)#ip route 104.1.1.0 255.255.255.0 103.1.1.2
R3(config)#ip route 107.1.1.0 255.255.255.0 103.1.1.2
R3(config)#ip route 108.1.1.0 255.255.255.0 103.1.1.2
R4:
R4(config)#interface serial 0/2
R4(config-if)#ip address 104.1.1.1 255.255.255.0
R4(config-if)#no shutdown 
R4(config-if)#exi
R4(config)#ip route 103.1.1.0 255.255.255.0 104.1.1.2 
R4(config)#ip route 107.1.1.0 255.255.255.0 104.1.1.2
R4(config)#ip route 108.1.1.0 255.255.255.0 104.1.1.2
R4(config)#
R6:
R6(config)#interface serial 0/0
R6(config-if)#ip address 103.1.1.2 255.255.255.0
R6(config-if)#no shutdown  
R6(config-if)#exit
R6(config)#interface serial 0/1
R6(config-if)#ip address 104.1.1.2 255.255.255.0
R6(config-if)#no shutdown 
R6(config-if)#exi
R6(config)#interface serial 0/2
R6(config-if)#ip address 107.1.1.2 255.255.255.0
R6(config-if)#no sh
R6(config-if)#exi
R6(config)#interface serial 0/3
R6(config-if)#ip address 108.1.1.2 255.255.255.0
R6(config-if)#no shutdown  
R6(config-if)#exit
R6(config)#
R7:
R7(config)#interface serial 0/1
R7(config-if)#ip address 107.1.1.1 255.255.255.0
R7(config-if)#no shutdown 
R7(config-if)#exi
R7(config)#interface lo0
R7(config-if)#ip address 10.100.7.7 255.255.255.0
R7(config-if)#no shutdown 
R7(config-if)#exi
R7(config)#ip route 0.0.0.0 0.0.0.0 107.1.1.2
R8:
R8(config)#interface serial 0/1
R8(config-if)#ip address 108.1.1.1 255.255.255.0
R8(config-if)#no shutdown 
R8(config-if)#exi
R8(config)#interface lo0
R8(config-if)#ip address 10.100.8.8 255.255.255.0
R8(config-if)#no shutdown 
R8(config-if)#exi
R8(config)#ip route 0.0.0.0 0.0.0.0 108.1.1.2

Connectivity test:

R7:
R7#ping 103.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 103.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/23 ms
R8:
R8#ping 104.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 104.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/22 ms

VPN-2-1

R3:
R3(config)#interface tunnel 1
R3(config-if)#ip address 10.2.1.3 255.255.255.0
R3(config-if)#tunnel source serial 0/2
R3(config-if)#tunnel mode gre multipoint 
R3(config-if)#tunnel key 100
R3(config-if)#ip nhrp network-id 100
R3(config-if)#ip nhrp redirect 
R3(config-if)#
R7:
R7(config)#interface tunnel 0
R7(config-if)#ip address 10.2.1.7 255.255.255.0
R7(config-if)#no shutdown 
R7(config-if)#tunnel source serial 0/1
R7(config-if)#tunnel mode gre multipoint 
R7(config-if)#tunnel key 100
R7(config-if)#ip nhrp nhs 10.2.1.3
R7(config-if)#ip nhrp network-id 100
R7(config-if)#ip nhrp map 10.2.1.3 103.1.1.1
R7(config-if)#ip nhrp map multicast 103.1.1.1
R7(config-if)#

Test tunnel connectivity:

R7#ping 10.2.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/20/23 ms
R7#

Bring up EIGRP again:

R7(config)#router eigrp 90
R7(config-router)#network 10.0.0.0

Connectivity test:

R7#ping 10.100.3.3 source 10.100.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.100.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/20/22 ms
R7#

R7#ping 10.100.1.1 source 10.100.7.7 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 35/39/44 ms
R7#

Verify the path:

R7#traceroute 10.100.1.1 source 10.100.7.7
Type escape sequence to abort.
Tracing the route to 10.100.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.1.3 20 msec 21 msec 20 msec
  2 10.1.1.1 39 msec *  45 msec
R7#

VPN-2-1 is now complete.

VPN-2-2

R4:
R4(config)#interface tunnel 1
R4(config-if)#ip address 10.2.1.4 255.255.255.0
R4(config-if)#no shutdown 
R4(config-if)#tunnel source serial 0/2
R4(config-if)#tunnel mode gre multipoint 
R4(config-if)#tunnel key 100
R4(config-if)#ip nhrp network-id 100
R4(config-if)#ip nhrp redirect 
R4(config-if)#exit
R4(config)#
R8:
R8(config)#interface tunnel 0
R8(config-if)#ip address 10.2.1.8 255.255.255.0
R8(config-if)#no shutdown 
R8(config-if)#tunnel source serial 0/1
R8(config-if)#tunnel mode gre multipoint 
R8(config-if)#tunnel key 100
R8(config-if)#ip nhrp network-id 100
R8(config-if)#ip nhrp nhs 10.2.1.4
R8(config-if)#ip nhrp map 10.2.1.4 104.1.1.1
R8(config-if)#ip nhrp map multicast 104.1.1.1
R8(config-if)#exit
R8(config)#

Test the tunnel:

R8(config)#do ping 10.2.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/20/21 ms
R8(config)#

EIGRP

R8(config)#router eigrp 90
R8(config-router)#network 10.0.0.0
R8(config-router)#exit
R8(config)#

Test:

R8#ping 10.100.1.1 source 10.100.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 37/41/43 ms
R8#

Verify:

R8#traceroute 10.100.1.1 source 10.100.8.8
Type escape sequence to abort.
Tracing the route to 10.100.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.1.4 21 msec 20 msec 19 msec
  2 10.1.1.1 42 msec *  40 msec
R8#

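On top of this lab you can also add IPsec to form GRE over IPsec, which protects the routing data.
With that, all requirements of this lab are met. A detailed explanation of DMVPN and the full packet captures from this lab will follow in later articles.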
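The GRE over IPsec step mentioned above, sketched for VPN-1-1 as an added example that is not part of the original lab. It assumes an IOS 15.x image with SHA-256 support; the names DMVPN-TS and DMVPN-PROF, the placeholder keys CHANGE_ME_PSK and CHANGEME, and the MTU/MSS values are assumptions, while the addresses are the lab's own.

```cisco
! Added example, not from the original lab. All keys are placeholders.
!
! --- R1, R3 and R4: IKEv1 policy, transform set and IPsec profile ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Transport mode: GRE already supplies the outer IP header, so tunnel
! mode would only add a second one.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- R1 (hub): one key per spoke underlay address instead of a
! --- wildcard 0.0.0.0 key, so an unknown peer cannot negotiate.
crypto isakmp key CHANGE_ME_PSK address 13.1.1.1
crypto isakmp key CHANGE_ME_PSK address 14.1.1.1
!
! --- R3 and R4 (spokes): key for the hub only ---
crypto isakmp key CHANGE_ME_PSK address 11.1.1.1
!
! --- R1, R3 and R4: bind the profile to the first-tier tunnel ---
interface Tunnel0
 ! Room for the ESP and GRE overhead (assumed values)
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! The NHRP authentication string travels in cleartext inside GRE,
 ! so it only keeps registrations private once IPsec is in place.
 ip nhrp authentication CHANGEME
 tunnel protection ipsec profile DMVPN-PROF
!
! The second-tier tunnels (Tunnel1 on R3/R4, Tunnel0 on R7/R8) need the
! same profile, with keys for 103.1.1.1/107.1.1.1 and 104.1.1.1/108.1.1.1.
```

After applying it on all three routers, `show crypto isakmp sa` and `show crypto ipsec sa` on R1 should list one security association pair per spoke, and `show dmvpn` should still show both spokes registered.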

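BTW.
There is also a very interesting phenomenon: when I set ip nhrp nhs on R8's tunnel0 to dynamic, with 10.2.1.4 (R4) as primary and 10.2.1.3 (R3) as backup, the ip nhrp table initially looked like this:
[Image]
But when I tried to ping 10.100.3.3 (R3's loopback), the following happened:
[Image]
And looking at the ip nhrp table again at that point, there were some extra entries:
[Image]
So the question is: why does this happen?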
