mGRE: several nodes are placed in one tunnel network segment; the structure is hub to site (hub-and-spoke); with NHRP, a site's public IP address does not need to be fixed.
Also called DSVPN (Dynamic Smart VPN): DSVPN = mGRE + IPSec. mGRE is an NBMA (non-broadcast multi-access) network type. Note that the lab below builds only the mGRE/NHRP overlay and applies no IPSec profile, so everything carried in these tunnels crosses the ISP in cleartext.
To implement DSVPN, a Tunnel interface is created and configured as mGRE. An mGRE interface needs only a source address or source interface, not a destination address, so one mGRE tunnel interface can carry multiple GRE tunnels to multiple GRE peers, which simplifies the GRE configuration on the device.
More and more enterprises want to build hub-spoke IPSec VPNs that connect headquarters (the Hub) with geographically dispersed branches (Spokes), to secure their communication and cut its cost. When headquarters reaches the Internet with a static public address but the branches use dynamic public addresses, traditional IPSec or GRE over IPSec leaves one problem unsolved: branches cannot communicate directly (the source branch cannot learn the destination branch's public address, so no tunnel can be built between them), and all branch-to-branch traffic has to be relayed by headquarters.
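The introduction above contrasts plain GRE/mGRE with GRE over IPSec. The following script, added here as an example and not code from the page or from Huawei, builds a GRE-over-IPv4 packet the way a GRE tunnel interface encapsulates it and then decodes it the way an on-path observer (the ISP router in this lab) could. The addresses follow the lab's plan (tunnel source 10.0.0.1 to 20.0.0.1, loopbacks 1.1.1.1 to 3.3.3.3); the ICMP payload bytes and the GRE key value 100 are constructed for the demonstration.

```python
"""What an mGRE tunnel exposes to the ISP when no IPSec profile is applied.

Added example for this write-up, not code from the page or from Huawei. It builds a
GRE-over-IPv4 packet the way a GRE tunnel interface does (outer IPv4 header with
protocol 47, then the RFC 2784/2890 GRE header, then the inner packet) and decodes
it the way an on-path observer such as the ISP router could. Addresses follow the
lab plan (tunnel source 10.0.0.1 to 20.0.0.1, loopbacks 1.1.1.1 to 3.3.3.3);
the ICMP payload bytes are constructed.
"""
import socket
import struct
from typing import Optional

IPPROTO_GRE, IPPROTO_ICMP, ETHERTYPE_IPV4 = 47, 1, 0x0800
GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000   # flag bits in the GRE header
IPV4_FMT = "!BBHHHBBH4s4s"                              # 20-byte IPv4 header layout


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = internet_checksum(struct.pack(IPV4_FMT, *fields))   # fill header checksum
    return struct.pack(IPV4_FMT, *fields)


def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data        # type 8 = echo request
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes, key: Optional[int] = None) -> bytes:
    """Wrap an inner IP packet in GRE; an optional key is carried in the header in the clear."""
    gre = struct.pack("!HH", GRE_KEY if key is not None else 0, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    gre += inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total]}


def observe_gre(pkt: bytes) -> dict:
    """Decode outer IP + GRE and return everything an on-path observer learns."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    body = outer["payload"]
    flags, proto = struct.unpack("!HH", body[:4])
    off, seen = 4, {"outer_src": outer["src"], "outer_dst": outer["dst"], "gre_key": None}
    if flags & GRE_CSUM:          # optional checksum + reserved1
        off += 4
    if flags & GRE_KEY:           # the key is plain text: a demultiplexer, not an authenticator
        seen["gre_key"] = struct.unpack("!I", body[off:off + 4])[0]
        off += 4
    if flags & GRE_SEQ:           # optional sequence number
        off += 4
    if proto == ETHERTYPE_IPV4:   # no IPSec, so the inner packet is fully readable
        inner = parse_ipv4(body[off:])
        seen.update(inner_src=inner["src"], inner_dst=inner["dst"],
                    inner_proto=inner["proto"], inner_payload=inner["payload"])
    return seen


def lab_ping_as_seen_by_isp(key: Optional[int] = None) -> dict:
    """R1's loopback pings R3's loopback through the full-mesh tunnel, observed on R2."""
    icmp = icmp_echo(0x1234, 1, b"constructed-payload")
    inner = ipv4_header("1.1.1.1", "3.3.3.3", IPPROTO_ICMP, len(icmp)) + icmp
    return observe_gre(gre_encapsulate("10.0.0.1", "20.0.0.1", inner, key))


if __name__ == "__main__":
    for name, value in lab_ping_as_seen_by_isp(key=100).items():
        print(f"{name:14} {value}")
```

Running it shows that the observer sees not only the public tunnel endpoints but the private loopback addresses, the protocol and the full ICMP payload; adding a GRE key changes nothing about that, because the key travels in cleartext. That is the gap an IPSec profile on the tunnel interface closes.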
Lab requirements
- R1-R3-R4 form a full-mesh mGRE environment
- R1-R5-R6 form a hub-spoke mGRE environment with R1 as the hub
- R1 and R3 to R6 each have a loopback network that simulates a user private network; OSPF provides reachability across the whole network
- R2 is the ISP router and is configured with IP addresses only
Network topology
Full-mesh mGRE
R1
[Huawei]int g 0/0/1
[Huawei-GigabitEthernet0/0/1]ip ad 10.0.0.1 8
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 0.0.0.0 0 10.0.0.2
[Huawei]ip route-static 0.0.0.0 0 60.0.0.2
[Huawei]int t 0/0/0 # create the virtual tunnel interface
[Huawei-Tunnel0/0/0]ip ad 192.168.2.1 24
[Huawei-Tunnel0/0/0]tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/0]source 10.0.0.1
[Huawei-Tunnel0/0/0]nhrp network-id 100
[Huawei-Tunnel0/0/0]nhrp entry multicast dynamic # R1 acts as a hub for the other two
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.3 20.0.0.1 register # and as a spoke of each of them: each static entry needs the peer's NBMA (tunnel source) address
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.4 30.0.0.1 register
The tunnel-protocol command sets the tunnel protocol of the Tunnel interface.
gre sets the tunnel protocol to GRE; p2mp makes the interface point-to-multipoint (mGRE), which is why no destination address is configured.
The source command sets the tunnel source address or source interface.
The nhrp entry multicast dynamic command enables adding dynamically registered spokes to the NHRP multicast member table; this table is what a hub uses to replicate multicast traffic such as OSPF hellos to its spokes.
Run nhrp network-id netId to set the NHRP domain the interface belongs to.
R2
IP configuration
[Huawei]int g 0/0/1
[Huawei-GigabitEthernet0/0/1]ip ad 10.0.0.2 8
[Huawei-GigabitEthernet0/0/1]int g 0/0/0
[Huawei-GigabitEthernet0/0/0]ip ad 60.0.0.2 8
[Huawei-GigabitEthernet0/0/0]int g 0/0/2
[Huawei-GigabitEthernet0/0/2]ip ad 20.0.0.2 8
[Huawei-GigabitEthernet0/0/2]int g 3/0/0
[Huawei-GigabitEthernet3/0/0]ip ad 30.0.0.2 8
[Huawei-GigabitEthernet3/0/0]int g 4/0/0
[Huawei-GigabitEthernet4/0/0]ip ad 40.0.0.2 8
[Huawei-GigabitEthernet4/0/0]int g 2/0/0
[Huawei-GigabitEthernet2/0/0]ip ad 50.0.0.2 8
R3
[Huawei]int g 0/0/0
[Huawei-GigabitEthernet0/0/0]ip ad 20.0.0.1 8
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0.0.0.0 0 20.0.0.2
[Huawei]int t 0/0/0
[Huawei-Tunnel0/0/0]ip ad 192.168.2.3 24
[Huawei-Tunnel0/0/0]tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/0]source 20.0.0.1
[Huawei-Tunnel0/0/0]nhrp network-id 100
[Huawei-Tunnel0/0/0]nhrp entry multicast dynamic
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.4 30.0.0.1 register
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.1 10.0.0.1 register # NBMA address must be R1's tunnel source
R4
[Huawei]int g 0/0/0
[Huawei-GigabitEthernet0/0/0]ip ad 30.0.0.1 8
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0.0.0.0 0 30.0.0.2
[Huawei]int t 0/0/0
[Huawei-Tunnel0/0/0]ip ad 192.168.2.4 24
[Huawei-Tunnel0/0/0]tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/0]nhrp network-id 100
[Huawei-Tunnel0/0/0]source 30.0.0.1
[Huawei-Tunnel0/0/0]nhrp entry multicast dynamic
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.1 10.0.0.1 register
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.3 20.0.0.1 register
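A consistency check for the static mappings above, added here as an example (not code from the page or from Huawei). It parses the subset of VRP syntax used in these configs from constructed sample text and reports any nhrp entry whose NBMA address is missing or does not match the peer's tunnel source, plus any peer that a node in the mesh does not map at all; the sample deliberately contains both mistakes. With full_mesh=False the same check applies to the hub-spoke tunnel of the next section, where spokes map only the hub.

```python
"""Consistency check for the static NHRP mappings of an mGRE full mesh.

Added example for this write-up, not code from the page or from Huawei. It parses
only the VRP syntax used above (interface, ip address, source, nhrp entry) from
constructed config text and verifies that every static "nhrp entry <protocol-address>
<nbma-address> register" names the tunnel address and tunnel source of a real peer.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


@dataclass
class Tunnel:
    router: str
    name: str
    proto_addr: Optional[str] = None   # overlay address set with "ip address"
    nbma_addr: Optional[str] = None    # underlay address set with "source"
    entries: list = field(default_factory=list)   # (protocol-address, nbma-address or None)


def parse_tunnels(router: str, config: str) -> list:
    """Extract Tunnel interfaces and their NHRP mappings from pasted CLI text."""
    tunnels, cur = [], None
    for raw in config.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())   # drop the [Huawei-...] prompt
        line = line.split("#", 1)[0].strip()                 # drop trailing comments
        if not line:
            continue
        if re.match(r"int(?:erface)?\s", line, re.I):        # entering an interface view
            m = re.match(r"int(?:erface)?\s+t(?:unnel)?\s*(\S+)$", line, re.I)
            cur = Tunnel(router, "Tunnel" + m.group(1)) if m else None
            if cur:
                tunnels.append(cur)
        elif cur is None:
            pass                                             # not inside a Tunnel interface
        elif m := re.match(rf"ip\s+ad(?:dress)?\s+({IPV4})", line, re.I):
            cur.proto_addr = m.group(1)
        elif m := re.match(rf"source\s+({IPV4})", line, re.I):
            cur.nbma_addr = m.group(1)
        elif m := re.match(rf"nhrp\s+entry\s+({IPV4})(?:\s+({IPV4}))?", line, re.I):
            cur.entries.append((m.group(1), m.group(2)))     # "multicast dynamic" never matches
    return tunnels


def check_mappings(tunnels: list, full_mesh: bool = True) -> list:
    """Return human-readable problems; an empty list means the mappings agree."""
    by_proto = {t.proto_addr: t for t in tunnels}
    problems = []
    for t in tunnels:
        where = f"{t.router} {t.name}"
        for proto, nbma in t.entries:
            peer = by_proto.get(proto)
            if peer is None:
                problems.append(f"{where}: {proto} is not the tunnel address of any peer")
            elif nbma is None:
                problems.append(f"{where}: entry for {proto} has no NBMA address "
                                f"({peer.router} sources its tunnel from {peer.nbma_addr})")
            elif nbma != peer.nbma_addr:
                problems.append(f"{where}: entry for {proto} points at {nbma}, "
                                f"but {peer.router} sources its tunnel from {peer.nbma_addr}")
        if full_mesh:   # every node must map every other node, or traffic needs a hub
            mapped = {proto for proto, _ in t.entries}
            for peer in tunnels:
                if peer is not t and peer.proto_addr not in mapped:
                    problems.append(f"{where}: no static mapping for {peer.router} ({peer.proto_addr})")
    return problems


# Constructed sample in the lab's addressing plan; two entries are deliberately wrong.
SAMPLE = {
    "R1": """
[Huawei]int g 0/0/1
[Huawei-GigabitEthernet0/0/1]ip ad 10.0.0.1 8
[Huawei]int t 0/0/0
[Huawei-Tunnel0/0/0]ip ad 192.168.2.1 24
[Huawei-Tunnel0/0/0]source 10.0.0.1
[Huawei-Tunnel0/0/0]nhrp entry multicast dynamic
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.3 register          # NBMA address left out
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.4 30.0.0.1 register
""",
    "R3": """
[Huawei]int t 0/0/0
[Huawei-Tunnel0/0/0]ip ad 192.168.2.3 24
[Huawei-Tunnel0/0/0]source 20.0.0.1
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.4 30.0.0.1 register
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.1 130.0.0.1 register   # typo for 10.0.0.1
""",
    "R4": """
[Huawei]int t 0/0/0
[Huawei-Tunnel0/0/0]ip ad 192.168.2.4 24
[Huawei-Tunnel0/0/0]source 30.0.0.1
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.1 10.0.0.1 register
[Huawei-Tunnel0/0/0]nhrp entry 192.168.2.3 20.0.0.1 register
""",
}


def run_check(configs: dict = SAMPLE) -> list:
    tunnels = [t for router, cfg in configs.items() for t in parse_tunnels(router, cfg)]
    return check_mappings(tunnels)
```

Calling run_check() on the sample returns two findings: R1's entry for 192.168.2.3 lacks an NBMA address, and R3's entry for 192.168.2.1 points at 130.0.0.1 while R1 sources its tunnel from 10.0.0.1. Either mistake leaves one direction of the mesh without a usable mapping, which shows up in the lab as a ping that works from one side only.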
Verification
R1 pings R3 and R4 over their tunnel addresses.
Hub-spoke mGRE
The goal of this stage is to open a branch-to-branch forwarding path, so that packets from one branch can reach the other branch by way of the Hub. In this lab the spokes register only with the hub and hold no mapping for each other, so R5-R6 traffic is always relayed by R1.
The mGRE tunnel that DSVPN builds between a Spoke and the Hub is a static tunnel: it exists permanently, whether or not traffic is flowing between the Spoke and the Hub.
R1
Build the hub-spoke mGRE environment with R1 as the hub
[Huawei]int g 0/0/0
[Huawei-GigabitEthernet0/0/0]ip ad 60.0.0.1 8
[Huawei-GigabitEthernet0/0/0]q
[Huawei]int t 0/0/1
[Huawei-Tunnel0/0/1]ip ad 192.168.3.1 24
[Huawei-Tunnel0/0/1]tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/1]source 60.0.0.1
[Huawei-Tunnel0/0/1]nhrp network-id 10
[Huawei-Tunnel0/0/1]nhrp entry multicast dynamic
R5
[Huawei]int g 0/0/0
[Huawei-GigabitEthernet0/0/0]ip ad 40.0.0.1 8
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0.0.0.0 0 40.0.0.2
[Huawei]int t 0/0/1
[Huawei-Tunnel0/0/1]ip ad 192.168.3.5 24
[Huawei-Tunnel0/0/1]tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/1]source 40.0.0.1
[Huawei-Tunnel0/0/1]nhrp network-id 10
[Huawei-Tunnel0/0/1]nhrp entry 192.168.3.1 60.0.0.1 register
Run nhrp entry protocol-address nbma-address [ register ] to configure a static NHRP address mapping; register makes the spoke register its own mapping with the hub at that address.
R6
[Huawei]int g 0/0/0
[Huawei-GigabitEthernet0/0/0]ip ad 50.0.0.1 8
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ip route-static 0.0.0.0 0 50.0.0.2
[Huawei]int t 0/0/1
[Huawei-Tunnel0/0/1]ip ad 192.168.3.6 24
[Huawei-Tunnel0/0/1]tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/1]source 50.0.0.1
[Huawei-Tunnel0/0/1]nhrp network-id 10
[Huawei-Tunnel0/0/1]nhrp entry 192.168.3.1 60.0.0.1 register
Verification
R1 pings the networks of R5 and R6.
R1's configuration:
OSPF
OSPF (Open Shortest Path First) is a link-state Interior Gateway Protocol developed by the IETF.
The P2MP network type is never the default; it must be set explicitly by changing from another network type. If an interface's network type is NBMA but the network is not fully meshed, the interface's network type must be changed to P2MP: two devices that cannot reach each other directly can then exchange routing information through a device that reaches both. Once the interface is P2MP, neighbors no longer need to be configured manually. On this page the full-mesh tunnel (Tunnel0/0/0 on R1, R3 and R4) is set to broadcast, because every node has a direct mapping to every other node, while the hub-spoke tunnel (Tunnel0/0/1 on R1, R5 and R6) is set to p2mp on the hub and on both spokes.
R1
[Huawei]int lo 0
[Huawei-LoopBack0]ip ad 1.1.1.1 24
[Huawei-LoopBack0]q
[Huawei]ospf 1 router-id 1.1.1.1
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]int t 0/0/0
[Huawei-Tunnel0/0/0]ospf network-type broadcast
[Huawei-Tunnel0/0/0]int t 0/0/1
[Huawei-Tunnel0/0/1]ospf network-type p2mp
Configuration result:
R3
[Huawei]int lo 0
[Huawei-LoopBack0]ip ad 3.3.3.3 24
[Huawei-LoopBack0]q
[Huawei]ospf 1 router-id 3.3.3.3
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 3.3.3.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[Huawei]int t 0/0/0
[Huawei-Tunnel0/0/0]ospf network-type broadcast
Configuration result:
R4
[Huawei]int lo 0
[Huawei-LoopBack0]ip ad 4.4.4.4 24
[Huawei-LoopBack0]q
[Huawei]ospf 1 router-id 4.4.4.4
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 4.4.4.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[Huawei]int t 0/0/0
[Huawei-Tunnel0/0/0]ospf network-type broadcast
Configuration result:
R5
[Huawei]int lo 0
[Huawei-LoopBack0]ip ad 5.5.5.5 24
[Huawei-LoopBack0]q
[Huawei]ospf 1 router-id 5.5.5.5
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 5.5.5.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[Huawei]int t 0/0/1
[Huawei-Tunnel0/0/1]ospf network-type p2mp
Configuration result:
R6
[Huawei]int lo 0
[Huawei-LoopBack0]ip ad 6.6.6.6 24
[Huawei-LoopBack0]q
[Huawei]ospf 1 router-id 6.6.6.6
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 6.6.6.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[Huawei]int t 0/0/1
[Huawei-Tunnel0/0/1]ospf network-type p2mp
Configuration result:
Verification
Ping tests between the loopback networks succeed.
R1's OSPF neighbor information: