Task: Build a DMVPN Dual HUB Single Cloud scheme (NHRP phase 2) using the OSPF dynamic routing protocol. Traffic between the routers' Loopback addresses will serve as the transit traffic that triggers the tunnels between the SPOKEs.
Solution:
1) In the DMVPN Dual HUB Single Cloud scheme HUB-1 must be the DR router and HUB-2 the BDR router for SPOKE-1 and SPOKE-2. The local subnets of the SPOKEs will be relayed through the HUBs by dynamic routing. Accordingly, we choose the following OSPF priorities (priority 0 means a SPOKE is never elected DR or BDR):
- For HUB-1, set ip ospf priority 255
- For HUB-2, set ip ospf priority 254
- For SPOKE-1, set ip ospf priority 0
- For SPOKE-2, set ip ospf priority 0
2) Example configurations:
When configuring the scheme with two HUBs, the following specifics must be taken into account:
1) Instead of ip nhrp multicast nhs, the NHS IP address must be specified explicitly with the command ip nhrp multicast A.B.C.D.
For example, on SPOKE-1 the ip nhrp multicast configuration will be:
tunnel gre 1
  ip nhrp multicast 192.0.2.1
  ip nhrp multicast 192.0.2.101
  enable
exit
2) On a SPOKE, a separate IPsec tunnel must be configured to each HUB.
For example, the IPsec configuration to the two HUBs on SPOKE-1 will be:
tunnel gre 1
  ip nhrp ipsec ipsec_hub1 static
  ip nhrp ipsec ipsec_hub2 static
exit
(The full router configurations are given in the examples below.)
A more detailed description of DMVPN configuration is given in the "Operation Manual" documentation; this article provides ready-made configurations.
Example HUB-1 configuration:
HUB-1# show running-config
hostname HUB-1

router ospf log-adjacency-changes
router ospf 1
  router-id 192.0.2.1
  area 0.0.0.1
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.2/30
exit
tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.2
  ip address 192.0.2.1/24
  ip ospf instance 1
  ip ospf area 0.0.0.1
  ip ospf priority 255
  ip ospf
  ip tcp adjust-mss 1340
  ip nhrp ipsec ipsec_dynamic dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit

security ike proposal ike_prop
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 19
exit
security ike policy ike_pol
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_prop
exit
security ike gateway ike_dynamic
  ike-policy ike_pol
  local address 203.0.113.2
  local network 203.0.113.2/32 protocol gre
  remote address any
  remote network any protocol gre
  mode policy-based
exit
security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec policy ipsec_pol
  proposal ipsec_prop
exit
security ipsec vpn ipsec_dynamic
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_dynamic
  ike ipsec-policy ipsec_pol
  enable
exit

ip route 203.0.113.12/30 203.0.113.1
ip route 203.0.113.4/30 203.0.113.1
ip route 203.0.113.8/30 203.0.113.1
Example HUB-2 configuration:
HUB-2# show running-config
hostname HUB-2

router ospf log-adjacency-changes
router ospf 1
  router-id 192.0.2.101
  area 0.0.0.1
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.6/30
exit
tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.6
  ip address 192.0.2.101/24
  ip ospf instance 1
  ip ospf area 0.0.0.1
  ip ospf priority 254
  ip ospf
  ip tcp adjust-mss 1340
  ip nhrp map 192.0.2.1 203.0.113.2
  ip nhrp nhs 192.0.2.1/24
  ip nhrp multicast 192.0.2.1
  ip nhrp ipsec ipsec_dynamic dynamic
  ip nhrp ipsec ipsec_hub1 static
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit

security ike proposal ike_prop
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 19
exit
security ike policy ike_pol
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_prop
exit
security ike gateway ike_dynamic
  ike-policy ike_pol
  local address 203.0.113.6
  local network 203.0.113.6/32 protocol gre
  remote address any
  remote network any protocol gre
  mode policy-based
exit
security ike gateway ike_hub1
  ike-policy ike_pol
  local address 203.0.113.6
  local network 203.0.113.6/32 protocol gre
  remote address 203.0.113.2
  remote network 203.0.113.2/32 protocol gre
  mode policy-based
exit
security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec policy ipsec_pol
  proposal ipsec_prop
exit
security ipsec vpn ipsec_dynamic
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_dynamic
  ike ipsec-policy ipsec_pol
  enable
exit
security ipsec vpn ipsec_hub1
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_hub1
  ike ipsec-policy ipsec_pol
  enable
exit

ip route 203.0.113.0/30 203.0.113.5
ip route 203.0.113.12/30 203.0.113.5
ip route 203.0.113.8/30 203.0.113.5
Example SPOKE-1 configuration:
SPOKE-1# show running-config
hostname SPOKE-1

router ospf log-adjacency-changes
router ospf 1
  router-id 192.0.2.2
  area 0.0.0.1
    network 198.51.100.1/32
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.10/30
exit
interface loopback 1
  ip address 198.51.100.1/32
exit
tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.10
  ip address 192.0.2.2/24
  ip ospf instance 1
  ip ospf area 0.0.0.1
  ip ospf priority 0
  ip ospf
  ip tcp adjust-mss 1340
  ip nhrp map 192.0.2.1 203.0.113.2
  ip nhrp map 192.0.2.101 203.0.113.6
  ip nhrp nhs 192.0.2.1/24
  ip nhrp nhs 192.0.2.101/24
  ip nhrp multicast 192.0.2.1
  ip nhrp multicast 192.0.2.101
  ip nhrp ipsec ipsec_hub1 static
  ip nhrp ipsec ipsec_hub2 static
  ip nhrp ipsec ipsec_dynamic dynamic
  ip nhrp enable
  enable
exit

security ike proposal ike_prop
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 19
exit
security ike policy ike_pol
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_prop
exit
security ike gateway ike_dynamic
  ike-policy ike_pol
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre
  remote address any
  remote network any protocol gre
  mode policy-based
exit
security ike gateway ike_hub1
  ike-policy ike_pol
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre
  remote address 203.0.113.2
  remote network 203.0.113.2/32 protocol gre
  mode policy-based
exit
security ike gateway ike_hub2
  ike-policy ike_pol
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre
  remote address 203.0.113.6
  remote network 203.0.113.6/32 protocol gre
  mode policy-based
exit
security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec policy ipsec_pol
  proposal ipsec_prop
exit
security ipsec vpn ipsec_dynamic
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_dynamic
  ike ipsec-policy ipsec_pol
  enable
exit
security ipsec vpn ipsec_hub1
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_hub1
  ike ipsec-policy ipsec_pol
  enable
exit
security ipsec vpn ipsec_hub2
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_hub2
  ike ipsec-policy ipsec_pol
  enable
exit

ip route 203.0.113.0/30 203.0.113.9
ip route 203.0.113.12/30 203.0.113.9
ip route 203.0.113.4/30 203.0.113.9
Example SPOKE-2 configuration:
SPOKE-2# show running-config
hostname SPOKE-2

router ospf log-adjacency-changes
router ospf 1
  router-id 192.0.2.3
  area 0.0.0.1
    network 198.51.100.2/32
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.14/30
exit
interface loopback 1
  ip address 198.51.100.2/32
exit
tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.14
  ip address 192.0.2.3/24
  ip ospf instance 1
  ip ospf area 0.0.0.1
  ip ospf priority 0
  ip ospf
  ip tcp adjust-mss 1340
  ip nhrp map 192.0.2.1 203.0.113.2
  ip nhrp map 192.0.2.101 203.0.113.6
  ip nhrp nhs 192.0.2.1/24
  ip nhrp nhs 192.0.2.101/24
  ip nhrp multicast 192.0.2.1
  ip nhrp multicast 192.0.2.101
  ip nhrp ipsec ipsec_hub1 static
  ip nhrp ipsec ipsec_hub2 static
  ip nhrp ipsec ipsec_dynamic dynamic
  ip nhrp enable
  enable
exit

security ike proposal ike_prop
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 19
exit
security ike policy ike_pol
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_prop
exit
security ike gateway ike_dynamic
  ike-policy ike_pol
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre
  remote address any
  remote network any protocol gre
  mode policy-based
exit
security ike gateway ike_hub1
  ike-policy ike_pol
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre
  remote address 203.0.113.2
  remote network 203.0.113.2/32 protocol gre
  mode policy-based
exit
security ike gateway ike_hub2
  ike-policy ike_pol
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre
  remote address 203.0.113.6
  remote network 203.0.113.6/32 protocol gre
  mode policy-based
exit
security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec policy ipsec_pol
  proposal ipsec_prop
exit
security ipsec vpn ipsec_dynamic
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_dynamic
  ike ipsec-policy ipsec_pol
  enable
exit
security ipsec vpn ipsec_hub1
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_hub1
  ike ipsec-policy ipsec_pol
  enable
exit
security ipsec vpn ipsec_hub2
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway ike_hub2
  ike ipsec-policy ipsec_pol
  enable
exit

ip route 203.0.113.0/30 203.0.113.13
ip route 203.0.113.4/30 203.0.113.13
ip route 203.0.113.8/30 203.0.113.13
3) As a result, once HUB-1, HUB-2, SPOKE-1 and SPOKE-2 are configured and there is IP connectivity between them (the NBMA addresses answer ping), HUB-1 will be the DR and HUB-2 the BDR for SPOKE-1 and SPOKE-2.
Output from HUB-1:
HUB-1# show ip nhrp
Tunnel address    NBMA address      Interface  Peer type  Expire   Created   Flags
----------------  ----------------  ---------  ---------  -------  --------  ------------
192.0.2.2         203.0.113.10      gre 1      dynamic    1:44:37  00:55:23  lower-up, up
192.0.2.3         203.0.113.14      gre 1      dynamic    1:45:31  00:54:29  lower-up, up
192.0.2.101       203.0.113.6       gre 1      dynamic    1:44:01  00:55:59  lower-up, up

HUB-1# show security ipsec vpn status
Name             Local host       Remote host      Initiator spi       Responder spi       State
---------------  ---------------  ---------------  ------------------  ------------------  -----------
ipsec_dynamic    203.0.113.2      203.0.113.6      0x79f44425880fb6f8  0x566538285b927b0c  Established
ipsec_dynamic    203.0.113.2      203.0.113.10     0x0139f6b396742b29  0x46aa374a4339902b  Established
ipsec_dynamic    203.0.113.2      203.0.113.14     0x35033b07d5f15b37  0x441b324f4cf53e1d  Established

HUB-1# show ip ospf neighbors
Router ID    Pri  State       DTime  Interface  Router IP
---------    ---  -----       -----  ---------  ---------
192.0.2.101  254  Full/BDR    00:33  gre 1      192.0.2.101
192.0.2.2    0    Full/Other  00:39  gre 1      192.0.2.2
192.0.2.3    0    Full/Other  00:32  gre 1      192.0.2.3

HUB-1# show ip route ospf
O E2 * 198.51.100.2/32 [150/10/10000] via 192.0.2.3 on gre 1 [ospf1 20:49:08] (192.0.2.3)
O      192.0.2.0/24 [150/10] dev gre 1 [ospf1 17:53:06] (192.0.2.1)
O E2 * 198.51.100.1/32 [150/10/10000] via 192.0.2.2 on gre 1 [ospf1 20:48:08] (192.0.2.2)
Output from HUB-2:
HUB-2# show ip nhrp
Tunnel address    NBMA address      Interface  Peer type  Expire   Created   Flags
----------------  ----------------  ---------  ---------  -------  --------  ----------------------
192.0.2.1         203.0.113.2       gre 1      static     --       --        register, lower-up, up
192.0.2.2         203.0.113.10      gre 1      dynamic    1:37:03  01:03:30  lower-up, up
192.0.2.3         203.0.113.14      gre 1      dynamic    1:37:57  01:02:03  lower-up, up

HUB-2# show security ipsec vpn status
Name             Local host       Remote host      Initiator spi       Responder spi       State
---------------  ---------------  ---------------  ------------------  ------------------  -----------
ipsec_hub1       203.0.113.6      203.0.113.2      0x79f44425880fb6f8  0x566538285b927b0c  Established
ipsec_dynamic    203.0.113.6      203.0.113.10     0x689b46d91db53f70  0xe20002a6d5583ce0  Established
ipsec_dynamic    203.0.113.6      203.0.113.14     0x1ad71b91b31b5051  0x37ada9a23a92d23e  Established

HUB-2# show ip ospf neighbors
Router ID    Pri  State       DTime  Interface  Router IP
---------    ---  -----       -----  ---------  ---------
192.0.2.2    0    Full/Other  00:34  gre 1      192.0.2.2
192.0.2.3    0    Full/Other  00:37  gre 1      192.0.2.3
192.0.2.1    255  Full/DR     00:32  gre 1      192.0.2.1

HUB-2# show ip route ospf
O E2 * 198.51.100.2/32 [150/10/10000] via 192.0.2.3 on gre 1 [ospf1 22:22:07] (192.0.2.3)
O      192.0.2.0/24 [150/10] dev gre 1 [ospf1 22:20:41] (192.0.2.1)
O E2 * 198.51.100.1/32 [150/10/10000] via 192.0.2.2 on gre 1 [ospf1 22:21:07] (192.0.2.2)
Output from SPOKE-1:
SPOKE-1# show ip nhrp
Tunnel address    NBMA address      Interface  Peer type  Expire   Created   Flags
----------------  ----------------  ---------  ---------  -------  --------  ----------------------
192.0.2.1         203.0.113.2       gre 1      static     --       --        register, lower-up, up
192.0.2.101       203.0.113.6       gre 1      static     --       --        register, lower-up, up

SPOKE-1# show security ipsec vpn status
Name             Local host       Remote host      Initiator spi       Responder spi       State
---------------  ---------------  ---------------  ------------------  ------------------  -----------
ipsec_hub2       203.0.113.10     203.0.113.6      0x689b46d91db53f70  0xe20002a6d5583ce0  Established
ipsec_hub1       203.0.113.10     203.0.113.2      0x0139f6b396742b29  0x46aa374a4339902b  Established

SPOKE-1# show ip ospf neighbors
Router ID    Pri  State     DTime  Interface  Router IP
---------    ---  -----     -----  ---------  ---------
192.0.2.1    255  Full/DR   00:35  gre 1      192.0.2.1
192.0.2.101  254  Full/BDR  00:30  gre 1      192.0.2.101

SPOKE-1# show ip route ospf
O E2 * 198.51.100.2/32 [150/10/10000] via 192.0.2.3 on gre 1 [ospf1 09:53:19] (192.0.2.3)
O      192.0.2.0/24 [150/10] dev gre 1 [ospf1 09:52:19] (192.0.2.1)
Output from SPOKE-2:
SPOKE-2# show ip nhrp
Tunnel address    NBMA address      Interface  Peer type  Expire   Created   Flags
----------------  ----------------  ---------  ---------  -------  --------  ----------------------
192.0.2.1         203.0.113.2       gre 1      static     --       --        register, lower-up, up
192.0.2.101       203.0.113.6       gre 1      static     --       --        register, lower-up, up

SPOKE-2# show security ipsec vpn status
Name             Local host       Remote host      Initiator spi       Responder spi       State
---------------  ---------------  ---------------  ------------------  ------------------  -----------
ipsec_hub2       203.0.113.14     203.0.113.6      0x1ad71b91b31b5051  0x37ada9a23a92d23e  Established
ipsec_hub1       203.0.113.14     203.0.113.2      0x35033b07d5f15b37  0x441b324f4cf53e1d  Established

SPOKE-2# show ip ospf neighbors
Router ID    Pri  State     DTime  Interface  Router IP
---------    ---  -----     -----  ---------  ---------
192.0.2.101  254  Full/BDR  00:31  gre 1      192.0.2.101
192.0.2.1    255  Full/DR   00:36  gre 1      192.0.2.1

SPOKE-2# show ip route ospf
O      192.0.2.0/24 [150/10] dev gre 1 [ospf1 13:06:05] (192.0.2.1)
O E2 * 198.51.100.1/32 [150/10/10000] via 192.0.2.2 on gre 1 [ospf1 13:06:05] (192.0.2.2)
4) Since HUB-1 is the DR, traffic between the SPOKEs initially flows through HUB-1. If traffic is sent from SPOKE-2 to 198.51.100.1, the Loopback address of SPOKE-1, a dynamic tunnel is built directly between the SPOKEs:
SPOKE-2# ping 198.51.100.1
PING 198.51.100.1 (198.51.100.1) 56 bytes of data.
!.!!!
--- 198.51.100.1 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.324/0.605/1.177/0.341 ms

SPOKE-2# show ip nhrp
Tunnel address    NBMA address      Interface  Peer type  Expire   Created   Flags
----------------  ----------------  ---------  ---------  -------  --------  ----------------------
192.0.2.1         203.0.113.2       gre 1      static     --       --        register, lower-up, up
192.0.2.2         203.0.113.10      gre 1      cached     1:59:51  00:00:08  used, lower-up, up
192.0.2.101       203.0.113.6       gre 1      static     --       --        register, lower-up, up

SPOKE-2# show security ipsec vpn status
Name             Local host       Remote host      Initiator spi       Responder spi       State
---------------  ---------------  ---------------  ------------------  ------------------  -----------
ipsec_hub2       203.0.113.14     203.0.113.6      0x1ad71b91b31b5051  0x37ada9a23a92d23e  Established
ipsec_hub1       203.0.113.14     203.0.113.2      0x35033b07d5f15b37  0x441b324f4cf53e1d  Established
ipsec_dynamic    203.0.113.14     203.0.113.10     0xb25c197a715bd918  0x82523d600189f277  Established
5) If HUB-1 becomes unreachable, HUB-2 becomes the DR and traffic between the SPOKEs initially flows through HUB-2.
For example, the uplink on HUB-1 goes down:
HUB-1# 1970-02-01T22:05:57+00:00 %LINK-W-DOWN: gigabitethernet 1/0/1 changed state to down
Then, from the SPOKEs' point of view, HUB-2 becomes the DR router:
2023-03-31T11:10:37+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on gre 1 changed state from Full to Down
2023-03-31T11:10:37+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on gre 1 removed

SPOKE-1# show ip ospf neighbors
Router ID    Pri  State     DTime  Interface  Router IP
---------    ---  -----     -----  ---------  ---------
192.0.2.101  254  Full/DR   00:33  gre 1      192.0.2.101
6) If HUB-1 is returned to the scheme, a re-election takes place: HUB-1 becomes the DR and HUB-2 the BDR again:
Output from SPOKE-1:
2023-03-31T11:13:07+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on gre 1 changed state from Down to Init
2023-03-31T11:13:09+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on gre 1 changed state from Init to 2-Way
2023-03-31T11:13:09+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.101 on gre 1 changed state from Full to 2-Way
2023-03-31T11:13:09+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on gre 1 changed state from 2-Way to ExStart
2023-03-31T11:13:09+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on gre 1 changed state from ExStart to Exchange
2023-03-31T11:13:09+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on gre 1 changed state from Exchange to Loading
2023-03-31T11:13:09+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on gre 1 changed state from Loading to Full
2023-03-31T11:13:12+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.101 on gre 1 changed state from 2-Way to ExStart
2023-03-31T11:13:12+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.101 on gre 1 changed state from ExStart to Exchange
2023-03-31T11:13:12+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.101 on gre 1 changed state from Exchange to Full

SPOKE-1# show ip ospf neighbors
Router ID    Pri  State     DTime  Interface  Router IP
---------    ---  -----     -----  ---------  ---------
192.0.2.101  254  Full/BDR  00:31  gre 1      192.0.2.101
192.0.2.1    255  Full/DR   00:36  gre 1      192.0.2.1
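As an added operational check (example code written for this article, not part of the original text or of the router software), the following Python parses a SPOKE's show ip ospf neighbors output in the format shown above and reports whether the intended roles hold (HUB-1 as DR, HUB-2 as BDR, as in step 3) or whether the step 5 failover state is in effect. The sample outputs and the hub router-ids are constructed from the tables and configurations in this article.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show ip ospf neighbors" as printed on SPOKE-1 in the
# steady state of step 3 (HUB-1 is DR, HUB-2 is BDR).
SPOKE1_STEADY = """\
Router ID    Pri State     DTime Interface Router IP
---------    --- -----     ----- --------- ---------
192.0.2.1    255 Full/DR   00:35 gre 1     192.0.2.1
192.0.2.101  254 Full/BDR  00:30 gre 1     192.0.2.101
"""
# Constructed sample after HUB-1's uplink went down (step 5): HUB-2 is now DR.
SPOKE1_HUB1_DOWN = """\
Router ID    Pri State     DTime Interface Router IP
---------    --- -----     ----- --------- ---------
192.0.2.101  254 Full/DR   00:33 gre 1     192.0.2.101
"""
HUB1_ID = "192.0.2.1"    # router-id of HUB-1 in the configurations above
HUB2_ID = "192.0.2.101"  # router-id of HUB-2

# One neighbour row: router-id, priority, <adjacency>/<role>, dead time,
# "gre N" interface, neighbour IP. Header and dashed lines do not match.
ROW_RE = re.compile(
    r"^(?P<rid>\d+(?:\.\d+){3})\s+(?P<pri>\d+)\s+(?P<adj>[\w-]+)/(?P<role>\w+)"
    r"\s+\S+\s+(?P<ifc>gre \d+)\s+(?P<ip>\d+(?:\.\d+){3})$"
)

@dataclass
class Neighbor:
    router_id: str
    priority: int
    adjacency: str  # Full, 2-Way, ExStart, ...
    role: str       # DR, BDR or Other

def parse_ospf_neighbors(output: str) -> list[Neighbor]:
    """Parse the neighbour table of 'show ip ospf neighbors' into records."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Neighbor(m["rid"], int(m["pri"]), m["adj"], m["role"]))
    return rows

def spoke_view(output: str, hub1: str = HUB1_ID, hub2: str = HUB2_ID) -> str:
    """Classify what a SPOKE sees: 'steady', 'hub1-down' or 'unexpected'.
    Only fully adjacent hubs count, so a hub still in 2-Way/ExStart during
    the re-election of step 6 is treated as not yet available."""
    roles = {n.router_id: n.role for n in parse_ospf_neighbors(output)
             if n.adjacency == "Full"}
    if roles.get(hub1) == "DR" and roles.get(hub2) == "BDR":
        return "steady"
    if hub1 not in roles and roles.get(hub2) == "DR":
        return "hub1-down"
    return "unexpected"
```

Any other combination (for example both hubs present but HUB-2 elected DR, which would indicate a priority misconfiguration) is reported as "unexpected" so it can be raised as an alert.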
