Characteristics of DMVPN
- Simple configuration
The hub site only needs to be configured once; adding a site requires no change to the hub configuration, and the spoke configurations are almost identical.
- Good performance
Dynamic mGRE tunnels let spokes communicate with each other directly, with only one encryption/decryption pass.
- Support for dynamic IP addresses
Only the hub needs a fixed IP address; spokes can use dynamic IP addresses and can even sit behind NAT.
- Full-mesh topology
Static mGRE tunnels from the spokes to the hub, plus dynamic mGRE tunnels between spokes.
- Zero packet loss
The first few packets are forwarded by the hub; once the dynamic spoke-to-spoke tunnel is up, traffic flows directly between the spokes.
- Multicast from the spokes to the hub
IP multicast and dynamic routing protocols are supported.
The four basic components of DMVPN
- mGRE
Provides the communication channel; the hub only needs a tunnel source configured, the destinations are learned from the spokes' registration messages.
- NHRP
Next Hop Resolution Protocol, responsible for spoke registration and resolution of spoke NBMA addresses; a client/server architecture in which the hub is the server and the spokes are the clients.
- Dynamic routing protocol
Responsible for distributing routes.
- IPsec
Responsible for protecting the traffic.
DMVPN implementation
Topology first!!!
Configuration plan:
1. Interface IP addresses; enable a VRF on the interfaces that connect to the CE devices
2. Connectivity inside the ISP, using OSPF
3. Deploy MPLS inside the ISP
4. Deploy BGP VPNv4
5. Create the VRF in BGP and redistribute the connected routes
6. Create static routes on the CE devices ------ Spoke-to-Spoke and Spoke-to-Hub reachability
7. Bring up a Tunnel interface on the CE devices, mode mGRE
8. Enable NHRP under the Tunnel interface ------- at this point the Tunnel interfaces can reach each other
9. Deploy EIGRP between the CE devices, advertising the Loopback 1 addresses ------ the Loopback 1 addresses can reach each other
10. Only encrypt the tunnel once the tunnel itself is working
1. Create the VRF on the PE devices and bind it to the interface, using R3 as the example
R3(config)#vrf definition alextest
R3(config-vrf)#rd 1:1
R3(config-vrf)#route-target 1:1
R3(config-vrf)#address-family ipv4
R3(config-vrf-af)#exit
R3(config-vrf)#exit
R3(config)#interface ethernet 0/0
R3(config-if)#vrf forwarding alextest
R3(config-if)#ip address 13.1.1.3 255.255.255.0
2. Deploy OSPF inside the ISP, using R3 as the example
R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#exit
R3(config)#interface loopback 0
R3(config-if)#ip ospf 1 area 0
R3(config-if)#exit
R3(config)#interface ethernet 0/1
R3(config-if)#ip ospf 1 area 0
R3(config-if)#ip ospf network point-to-point
R3(config-if)#exit
R3(config)#interface ethernet 0/2
R3(config-if)#ip ospf 1 area 0
R3(config-if)#ip ospf network point-to-point
3. Check the OSPF neighbours on R3
R3#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
5.5.5.5 0 FULL/ - 00:00:30 35.1.1.5 Ethernet0/2
4.4.4.4 0 FULL/ - 00:00:36 34.1.1.4 Ethernet0/1
4. Enable MPLS on the interfaces, using R3 as the example
R3(config)#interface range ethernet 0/1-2
R3(config-if-range)#mpls ip
5. Check the LDP neighbours
R3#show mpls ldp neighbor
Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
TCP connection: 4.4.4.4.54414 - 3.3.3.3.646
State: Oper; Msgs sent/rcvd: 9/9; Downstream
Up time: 00:00:59
LDP discovery sources:
Ethernet0/1, Src IP addr: 34.1.1.4
Addresses bound to peer LDP Ident:
34.1.1.4 4.4.4.4
Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 3.3.3.3:0
TCP connection: 5.5.5.5.60145 - 3.3.3.3.646
State: Oper; Msgs sent/rcvd: 8/8; Downstream
Up time: 00:00:47
LDP discovery sources:
Ethernet0/2, Src IP addr: 35.1.1.5
Addresses bound to peer LDP Ident:
35.1.1.5 5.5.5.5
6. Configure BGP inside the ISP
R3(config)#router bgp 1
R3(config-router)#no bgp default ipv4-unicast
R3(config-router)#neighbor 4.4.4.4 remote-as 1
R3(config-router)#neighbor 4.4.4.4 update-source loopback 0
R3(config-router)#neighbor 5.5.5.5 remote-as 1
R3(config-router)#neighbor 5.5.5.5 update-source loopback 0
R3(config-router)#address-family vpnv4
R3(config-router-af)#neighbor 4.4.4.4 activate
R3(config-router-af)#neighbor 5.5.5.5 activate
R3(config-router-af)#neighbor 4.4.4.4 route-reflector-client
R3(config-router-af)#neighbor 5.5.5.5 route-reflector-client
R4(config)#router bgp 1
R4(config-router)# bgp log-neighbor-changes
R4(config-router)# no bgp default ipv4-unicast
R4(config-router)# neighbor 3.3.3.3 remote-as 1
R4(config-router)# neighbor 3.3.3.3 update-source Loopback0
R4(config-router)# !
R4(config-router)# address-family ipv4
R4(config-router-af)# exit-address-family
R4(config-router)# !
R4(config-router)# address-family vpnv4
R4(config-router-af)# neighbor 3.3.3.3 activate
R4(config-router-af)# neighbor 3.3.3.3 send-community extended
R4(config-router-af)# exit-address-family
R5(config)#router bgp 1
R5(config-router)# bgp log-neighbor-changes
R5(config-router)# no bgp default ipv4-unicast
R5(config-router)# neighbor 3.3.3.3 remote-as 1
R5(config-router)# neighbor 3.3.3.3 update-source Loopback0
R5(config-router)# address-family ipv4
R5(config-router-af)# exit-address-family
R5(config-router)# address-family vpnv4
R5(config-router-af)# neighbor 3.3.3.3 activate
R5(config-router-af)# neighbor 3.3.3.3 send-community extended
R5(config-router-af)# exit-address-family
7. Check the BGP neighbours
R3#show bgp vpnv4 unicast all summary
BGP router identifier 3.3.3.3, local AS number 1
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
4.4.4.4 4 1 8 8 1 0 0 00:04:03 0
5.5.5.5 4 1 6 5 1 0 0 00:03:06 0
8. Redistribute the connected routes into the VRF so that the ISP can carry the sites' Internet-facing routes
R3(config)#router bgp 1
R3(config-router)#address-family ipv4 vrf alextest
R3(config-router-af)#redistribute connected
9. Configure static routes at the sites
R1(config)#ip route 0.0.0.0 0.0.0.0 13.1.1.3
R2(config)#ip route 0.0.0.0 0.0.0.0 24.1.1.4
R6(config)#ip route 0.0.0.0 0.0.0.0 56.1.1.5
10. At this point the sites can reach each other
R1#ping 56.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 56.1.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms
R1#ping 24.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
11. This only shows that the sites' Internet IP addresses are reachable; it does not mean that the networks behind the sites are
12. Create the tunnel interface and enable NHRP
R6(config)#interface tunnel 0
R6(config-if)#ip address 172.16.30.253 255.255.255.0
R6(config-if)#tunnel mode gre multipoint
R6(config-if)#tunnel source 56.1.1.6
R6(config-if)#ip nhrp map multicast dynamic
R6(config-if)#ip nhrp network-id 1 #enable NHRP
R1(config)#interface tunnel 0
R1(config-if)#ip address 172.16.30.1 255.255.255.0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel source 13.1.1.1
R1(config-if)#ip nhrp map 172.16.30.253 56.1.1.6 #static NHRP mapping of the hub's tunnel address to its NBMA address
R1(config-if)#ip nhrp map multicast 56.1.1.6 #send all multicast traffic encapsulated to the hub
R1(config-if)#ip nhrp nhs 172.16.30.253 #specify the NHRP server (NHS)
R1(config-if)#ip nhrp network-id 1 #enable NHRP
R1(config-if)#no ip nhrp shortcut #make the device work in Phase 2
R2(config)#interface Tunnel0
R2(config-if)# ip address 172.16.30.2 255.255.255.0
R2(config-if)# no ip redirects
R2(config-if)# ip nhrp map 172.16.30.253 56.1.1.6
R2(config-if)# ip nhrp map multicast 56.1.1.6
R2(config-if)# ip nhrp network-id 1
R2(config-if)# ip nhrp nhs 172.16.30.253
R2(config-if)# tunnel source 24.1.1.2
R2(config-if)# tunnel mode gre multipoint
R2(config-if)#no ip nhrp shortcut
13. Verify NHRP on the hub site
R6#show ip nhrp
172.16.30.1/32 via 172.16.30.1
Tunnel0 created 00:05:09, expire 01:54:50
Type: dynamic, Flags: unique registered used nhop
NBMA address: 13.1.1.1
172.16.30.2/32 via 172.16.30.2
Tunnel0 created 00:01:05, expire 01:58:54
Type: dynamic, Flags: unique registered used nhop
NBMA address: 24.1.1.2
14. Check NHRP on R1
R1#show ip nhrp
172.16.30.253/32 via 172.16.30.253
Tunnel0 created 00:06:55, never expire
Type: static, Flags: used
NBMA address: 56.1.1.6
15. From R1, ping R2's tunnel interface IP address and then check NHRP again; a dynamic NHRP entry appears
R1#ping 172.16.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#traceroute 172.16.30.2 numeric
Type escape sequence to abort.
Tracing the route to 172.16.30.2
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.30.253 7 msec 1 msec 2 msec
2 172.16.30.2 7 msec * 3 msec
R1#show ip nhrp
172.16.30.1/32 via 172.16.30.1
Tunnel0 created 00:00:01, expire 01:59:58
Type: dynamic, Flags: router unique local
NBMA address: 13.1.1.1
(no-socket)
172.16.30.2/32 via 172.16.30.2
Tunnel0 created 00:00:01, expire 01:59:58
Type: dynamic, Flags: router nhop
NBMA address: 24.1.1.2
172.16.30.253/32 via 172.16.30.253
Tunnel0 created 00:07:50, never expire
Type: static, Flags: used
NBMA address: 56.1.1.6
R1#traceroute 172.16.30.2 numeric
Type escape sequence to abort.
Tracing the route to 172.16.30.2
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.30.2 2 msec * 1 msec
The traceroutes above show that the traffic first went through the hub site; once the dynamic NHRP mapping exists, the traffic is forwarded directly to the spoke site. This is the zero-packet-loss capability.
16. Configure the EIGRP routing protocol between the hub and the spokes
R6(config)#interface loopback 1
R6(config-if)#ip address 192.1.6.1 255.255.255.255
R6(config-if)#exit
R6(config)#router eigrp 1
R6(config-router)#network 192.1.6.1 0.0.0.0
R6(config-router)#network 172.16.30.0 0.0.0.255
R1(config)#interface loopback 1
R1(config-if)#ip address 192.1.1.1 255.255.255.255
R1(config-if)#exit
R1(config)#router eigrp 1
R1(config-router)#network 192.1.1.1 0.0.0.0
R1(config-router)#network 172.16.30.0 0.0.0.255
R2(config)#interface loopback 1
R2(config-if)#ip address 192.168.2.1 255.255.255.255
R2(config-if)#exit
R2(config)#router eigrp 1
R2(config-router)#network 192.168.2.1 0.0.0.0
R2(config-router)#network 172.16.30.0 0.0.0.255
17. Check the neighbours and routes on the hub (at this point the spokes only have an adjacency with the hub; there is no adjacency between spokes)
R6#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.30.2 Tu0 13 00:00:53 9 1434 0 3
0 172.16.30.1 Tu0 14 00:01:58 2 1434 0 3
R6#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 56.1.1.5 to network 0.0.0.0
192.1.1.0/32 is subnetted, 1 subnets
D 192.1.1.1 [90/27008000] via 172.16.30.1, 00:02:17, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/27008000] via 172.16.30.2, 00:01:12, Tunnel0
18. The hub now sees all routes, but a spoke does not have the route for the other spoke
R1#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 13.1.1.3 to network 0.0.0.0
192.1.6.0/32 is subnetted, 1 subnets
D 192.1.6.1 [90/27008000] via 172.16.30.6, 00:04:32, Tunnel0
19. So how do we solve this?
Disable EIGRP next-hop-self and split horizon on the hub's tunnel interface
R6(config)#interface tunnel 0
R6(config-if)#no ip next-hop-self eigrp 1 #disable next-hop-self
R6(config-if)#no ip split-horizon eigrp 1 #disable split horizon
20. Test
R1#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 13.1.1.3 to network 0.0.0.0
192.1.6.0/32 is subnetted, 1 subnets
D 192.1.6.1 [90/27008000] via 172.16.30.6, 00:03:04, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/28288000] via 172.16.30.2, 00:03:01, Tunnel0
R1#traceroute 192.168.2.1 source loopback 1 numeric
Type escape sequence to abort.
Tracing the route to 192.168.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.30.2 2 msec * 1 msec
Note: DMVPN is not encrypted at this point. Remember: get the tunnel working first, then encrypt it!!
Extension: building on the lab above
1. Remove the NHRP map on the spoke site
R1(config)#interface tunnel 0
R1(config-if)#no ip nhrp map 172.16.30.253 56.1.1.6
2. Shut down the Tunnel 0 interface on the spoke and on the hub, then bring it back up
3. This results in R1 having no EIGRP neighbour while R6 does have one
R1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
R1#
R6#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.30.1 Tu0 10 00:01:08 1 5000 1 0
R6#
*Aug 4 16:18:54.960: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.30.1 (Tunnel0) is down: retry limit exceeded
R6#
*Aug 4 16:18:57.947: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.30.1 (Tunnel0) is up: new adjacency
Note: the Q Cnt column is non-zero and the neighbour keeps going up and down, which proves that EIGRP currently has a problem
Analysis: a packet capture is the most direct way
R6#show ip nhrp
172.16.30.1/32
Tunnel0 created 00:01:02, expire 00:02:02
Type: incomplete, Flags: negative
Cache hits: 7
① R1 sends hello packets to R6
② R6 receives R1's hello and replies with an update packet, but the update never gets sent out (the hub has no NBMA address for 172.16.30.1, as the incomplete/negative NHRP entry above shows)
③ This is why R6 shows the symptom above
So during configuration, always make sure the NHRP mappings are configured correctly
21. Encrypt with IPsec
Two points to note:
① When using IPsec, the tunnel source must not be a specified IP address; change it to the interface
② Shut the tunnel down before configuring and bring it up after the configuration is done
The IPsec configuration is the same on every device, so only the hub is shown here
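To make the hub-side check from step 13 and the diagnosis above repeatable, here is an added Python example (not from the original article) that parses `show ip nhrp` output and flags incomplete/negative entries, which are exactly the ones that leave the hub unable to send EIGRP updates to a spoke. The two sample tables are constructed from the hub outputs shown above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+/\d+)(?:\s+via\s+(\S+))?\s*$")  # "<prefix> [via <nh>]"

@dataclass
class NhrpEntry:
    prefix: str
    next_hop: Optional[str] = None
    entry_type: str = ""                    # static / dynamic / incomplete
    flags: List[str] = field(default_factory=list)
    nbma: Optional[str] = None              # underlay (NBMA) address, None if unresolved

def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    """Parse 'show ip nhrp' output (indentation optional) into NhrpEntry objects."""
    entries: List[NhrpEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:                               # a new table entry starts here
            entries.append(NhrpEntry(prefix=m.group(1), next_hop=m.group(2)))
        elif entries:                       # attribute line of the current entry
            cur, s = entries[-1], line.strip()
            if s.startswith("Type:"):       # "Type: dynamic, Flags: unique registered used nhop"
                type_part, _, flag_part = s.partition(", Flags:")
                cur.entry_type = type_part.split(":", 1)[1].strip()
                cur.flags = flag_part.split()
            elif s.startswith("NBMA address:"):
                cur.nbma = s.split(":", 1)[1].strip()
    return entries

def nhrp_findings(entries: List[NhrpEntry]) -> List[str]:
    """Explain each entry; an incomplete/negative one is the cause of the flapping EIGRP neighbour."""
    out = []
    for e in entries:
        if e.entry_type == "incomplete" or "negative" in e.flags:
            out.append(f"{e.prefix}: incomplete/negative, no NBMA address resolved; "
                       "check 'ip nhrp map' / 'ip nhrp nhs' on that spoke")
        elif e.entry_type == "dynamic" and "registered" in e.flags:
            out.append(f"{e.prefix}: spoke registered, NBMA {e.nbma}")
    return out

# Constructed samples modelled on the hub's table before and after the spoke lost its NHRP map.
HEALTHY_HUB = """172.16.30.1/32 via 172.16.30.1
   Tunnel0 created 00:05:09, expire 01:54:50
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 13.1.1.1"""
BROKEN_HUB = """172.16.30.1/32
   Tunnel0 created 00:01:02, expire 00:02:02
   Type: incomplete, Flags: negative
   Cache hits: 7"""
```

Feed it the full output of `show ip nhrp` from the hub; any entry reported as incomplete/negative points at a spoke whose NHRP map or NHS configuration needs checking.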
R6(config)#crypto isakmp policy 10
R6(config-isakmp)#authentication pre-share
R6(config-isakmp)#encryption 3des
R6(config-isakmp)#group 2
R6(config-isakmp)#hash sha256
R6(config-isakmp)#exit
R6(config)#crypto isakmp key alex666 address 0.0.0.0
R6(config)#crypto ipsec transform-set Trans esp-3des esp-sha256-hmac
R6(cfg-crypto-trans)#mode transport
R6(cfg-crypto-trans)#exit
R6(config)#crypto ipsec profile alex
R6(ipsec-profile)#set transform-set Trans
R6(ipsec-profile)#exit
R6(config)#interface tunnel 0
R6(config-if)#shutdown
R6(config-if)#tunnel source ethernet 0/0
R6(config-if)#tunnel protection ipsec profile alex