Author: 颖奇L’Amore

Blog: www.gem-love.com

This lab write-up is dedicated with thanks to my CCIE mentor, QYT.Ender (周亚军).

In the topology, Hub-1 is R1, Spoke-1 is R2, Spoke-2 is R4, and the multipoint GRE (mGRE) device is SW1.

I. The four components of DMVPN

1. mGRE (Multipoint Generic Routing Encapsulation)
2. NHRP (Next Hop Resolution Protocol)
A Layer 2 client/server resolution protocol used to map a (virtual) tunnel address to an NBMA (physical) address.
3. Dynamic routing protocol
Supported dynamic routing protocols: OSPF, EIGRP, BGP, RIP, ODR (obsolete).
Routing adjacencies are established only over hub-to-spoke tunnels; spoke-to-spoke routing logic is carried out by NHRP, and the routing protocol does not monitor spoke-to-spoke state.
4. IPsec
DMVPN is still a GRE over IPsec technology, and a typical transport-mode deployment.

II. DMVPN configuration

1. mGRE
① Configure the physical address on each interface and no shutdown the interfaces.
② On mGRE, assign E0/1 to VLAN 10 and E0/2-3 to VLAN 20, then configure the SVI interfaces for VLAN 10 and VLAN 20: the VLAN 10 SVI address is 61.128.1.254 and the VLAN 20 SVI address is 202.100.1.254 (connectivity between the public IPs must be guaranteed, because it is the prerequisite for everything that follows).

mGRE(config)#int e0/1
mGRE(config-if)#switchport access vlan 10
mGRE(config)#int range e0/2 - 3
mGRE(config-if-range)#switchport access vlan 20
mGRE(config)#int vlan 10
mGRE(config-if)#ip add 61.128.1.254 255.255.255.0
mGRE(config-if)#no shutdown
mGRE(config-if)#int vlan 20
mGRE(config-if)#ip add 202.100.1.254 255.255.255.0
mGRE(config-if)#no shutdown

③ Use BGP to provide public-network reachability (Hub AS 100, Spoke AS 200, ISP AS 6666)

HUB-1#sh run | s bgp
router bgp 100
neighbor 61.128.1.254 remote-as 6666

Spoke-1#sh running-config | s bgp
router bgp 200
neighbor 202.100.1.254 remote-as 6666

Spoke-2#sh run | s bgp
router bgp 200
neighbor 202.100.1.254 remote-as 6666

mGRE#sh run | s bgp
router bgp 6666
neighbor 61.128.1.100 remote-as 100
neighbor 61.128.1.100 default-originate ---advertise a default route
neighbor 202.100.1.1 remote-as 200
neighbor 202.100.1.1 default-originate
neighbor 202.100.1.2 remote-as 200
neighbor 202.100.1.2 default-originate

④ Configure the tunnel interface
On the HUB and the SPOKEs:

interface Tunnel0
tunnel source Ethernet0/1  ---tunnel source; this is the interface that connects to the ISP
tunnel mode gre multipoint ---tunnel mode is mGRE

2. NHRP: map private (tunnel) addresses to NBMA addresses
HUB-1:

interface Tunnel0
ip address 172.16.1.100 255.255.255.0 ----tunnel address
ip nhrp authentication cisco ---authentication
ip nhrp map multicast dynamic   ---the HUB accepts dynamic multicast from the spokes, which is needed for the dynamic routing protocol
ip nhrp network-id 10  ----the network-id must be the same on all devices

Spoke: (the two spokes are configured identically apart from the interface address)

interface Tunnel0
ip address 172.16.1.1 255.255.255.0 ---tunnel address
ip nhrp authentication cisco ---authentication
ip nhrp map 172.16.1.100 61.128.1.100  ----map the tunnel address of the NHS (next hop server) to its NBMA address
ip nhrp map multicast 61.128.1.100  ----NBMA address that multicast packets are sent to; without it, routing is unstable
ip nhrp network-id 10   ---the network-id should be the same on all devices
ip nhrp nhs 172.16.1.100   ---NHS address, i.e. the hub's tunnel (virtual) address

3. Dynamic routing protocol: EIGRP
Configuration:

router eigrp 90
network 172.16.0.0
network 192.168.100.0 ---configured on both HUB and SPOKE; the only difference between them is the loopback network advertised behind each router

Result:

HUB-1#p 192.168.1.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms

You will find that a neighbor relationship now exists between hub and spoke, but not between spoke and spoke (and naturally there are no spoke-to-spoke routes either).
Solution: disable split horizon, so that what Spoke-1 advertises to the Hub is re-advertised to Spoke-2.

HUB-1(config)#int tunnel 0
HUB-1(config-if)#no ip split-horizon eigrp 90

(Note: a plain no ip split-horizon can also be entered, but that applies to BGP/RIP; for EIGRP you must add eigrp [AS].)

Spoke-1#traceroute 192.168.2.1 source lo0 numeric
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.100 [AS 6666] 1 msec 0 msec 2 msec
2 172.16.1.2 [AS 6666] 6 msec *  1 msec

4. IPsec

Configure all of HUB, Spoke-1 and Spoke-2 as follows:

crypto isakmp policy 10
authentication pre-share  ----pre-shared key authentication
crypto isakmp key QYT address 0.0.0.0   -----address 0.0.0.0 because this is a multi-access (MA) network
crypto ipsec transform-set Trans esp-des esp-md5-hmac -----transform set
mode transport  ---set transport mode; the default is tunnel mode
crypto ipsec profile DMVPN  ---profile that groups the settings
set transform-set Trans  ---apply the transform set
interface tunnel 0
tunnel protection ipsec profile DMVPN ---apply the profile under the tunnel interface
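
The transform set above negotiates esp-des and esp-md5-hmac, and the 0.0.0.0 key is what pre-shared-key DMVPN needs on a multi-access network; as an added example that is not part of the original lab, here is a small Python checker that flags these settings in an IOS config text and rewrites the transform set (the transform names, the replacement mapping and the EXAMPLE_PSK placeholder are the editor's assumptions):

```python
import re
from typing import Dict, List

# Constructed sample: the lab's ISAKMP/IPsec lines from above, key value replaced
# by a placeholder.
LAB_IPSEC_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE_PSK address 0.0.0.0
crypto ipsec transform-set Trans esp-des esp-md5-hmac
 mode transport
"""

# Editor's mapping of legacy IOS transforms to current ones (not from the lab).
WEAK_TRANSFORMS: Dict[str, str] = {
    "esp-des": "esp-aes 256",
    "esp-3des": "esp-aes 256",
    "esp-null": "esp-aes 256",
    "esp-md5-hmac": "esp-sha256-hmac",
}
KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

def audit_ipsec_config(config: str) -> List[str]:
    """Return findings for weak ISAKMP/IPsec settings in an IOS config text."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m and m.group(1) == "0.0.0.0":
            findings.append("wildcard pre-shared key for address 0.0.0.0: every peer "
                            "shares one secret; prefer certificate authentication")
        m = TS_RE.match(line)
        if m:
            name, transforms = m.group(1), m.group(2).split()
            for t in transforms:
                if t in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {name}: {t} is weak, "
                                    f"use {WEAK_TRANSFORMS[t]}")
    return findings

def harden_transform_set(line: str) -> str:
    """Rewrite one transform-set line, swapping each weak transform for its replacement."""
    m = TS_RE.match(line.strip())
    if not m:
        return line
    new = [WEAK_TRANSFORMS.get(t, t) for t in m.group(2).split()]
    return f"crypto ipsec transform-set {m.group(1)} {' '.join(new)}"
```

Run audit_ipsec_config over a saved show running-config to list the findings, then paste the line returned by harden_transform_set in place of the original transform set on every DMVPN router.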

At this point the DMVPN configuration is complete.
Let's look at the result:

III. DMVPN optimization
At this point, traffic between Spoke-1 and Spoke-2 takes two hops:

Spoke-2#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.100 [AS 6666] 7 msec 6 msec 7 msec
2 172.16.1.1 [AS 6666] 6 msec

Solutions:

① Disable next-hop-self on the hub:

interface Tunnel0
no ip next-hop-self eigrp 90

Traceroute again:

Spoke-2#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.1 [AS 6666] 7 msec  ----reached in one hop

② Alternatively, first under the tunnel0 interface on the hub:

ip nhrp redirect
ip summary-address eigrp 90 192.168.0.0 255.255.0.0  ---EIGRP summary

Spoke-1#sh ip route  eigrp
D     192.168.0.0/16 [90/27008000] via 172.16.1.100, 02:33:51, Tunnel0

Then under the tunnel interface on each spoke:

interface Tunnel0
ip nhrp shortcut

This way the hub advertises the summary route to the spokes (as seen above, the next hop is the hub). When traffic arrives at the hub, the hub redirects it, and an H (NHRP) route then appears on the spoke, reaching the destination in one hop.
Test:

Spoke-1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms

Spoke-1#sh ip route nhrp
H     192.168.2.0/24 [250/1] via 172.16.1.2, 00:24:22, Tunnel0

Spoke-1#traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.2 [AS 6666] 4 msec *  6 msec  ---reached in one hop
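
To verify the optimization from a routing-table dump rather than by eye, here is an added Python example (not part of the original lab) that parses the two route lines shown above and answers, per destination, whether a spoke would forward through the hub or directly over the NHRP shortcut; the sample lines are constructed from the output above, and the hub tunnel address passed to path_kind is the lab's 172.16.1.100.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    code: str                        # route source: D = EIGRP, H = NHRP shortcut
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: str

# Matches lines like "H     192.168.2.0/24 [250/1] via 172.16.1.2, 00:24:22, Tunnel0"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[\d+/\d+\]\s+"
    r"via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),\s+\S+,\s+(?P<intf>\S+)")

# Constructed sample: Spoke-1's EIGRP summary plus the NHRP route shown above.
SPOKE1_ROUTES = """\
D     192.168.0.0/16 [90/27008000] via 172.16.1.100, 02:33:51, Tunnel0
H     192.168.2.0/24 [250/1] via 172.16.1.2, 00:24:22, Tunnel0
"""

def parse_routes(output: str) -> List[Route]:
    """Parse 'show ip route' style lines; lines that do not match are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["code"], ipaddress.ip_network(m["prefix"]),
                                ipaddress.ip_address(m["nh"]), m["intf"]))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the /24 NHRP route wins over the /16 summary."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def path_kind(routes: List[Route], dst: str, hub_tunnel_ip: str) -> str:
    """Classify how a spoke reaches dst: NHRP shortcut, through the hub, or unknown."""
    r = lookup(routes, dst)
    if r is None:
        return "no route"
    if r.next_hop == ipaddress.ip_address(hub_tunnel_ip):
        return "via hub"
    return "spoke-to-spoke shortcut" if r.code == "H" else "direct"
```

A destination that still classifies as "via hub" after traffic has flowed means no NHRP redirect/shortcut was installed for it, which is the first thing to check when a spoke-to-spoke path stays at two hops.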

Original article by 颖奇L'Amore; when reposting, please credit the author and link to the article.

Article URL: https://www.gem-love.com/networksecurity/618.html

Note: this site periodically updates its image links; after reposting, be sure to host the images locally, otherwise they will not display.


颖奇L'Amore

Most of the time also called Y1ng. Cisco Certified Internetwork Expert - Routing and Switching. CTF player for team r3kapig. Focus on Web Security. Islamic Scholar. Good at sleeping and fishing in troubled waters.
