Пример настройки DMVPN с динамическим IP-адресом на SPOKE

В текущей статье рассмотрим пример двух схем DMVPN с динамическим IP-адресом на SPOKE:

1. HUB является DHCP-сервером для выдачи IP-адресов SPOKE.

Схема:

Задача: Организовать DMVPN Single Cloud схему с динамическими IP-адресами на SPOKE. В качестве DHCP-сервера будет выступать HUB. В качестве динамической маршрутизации для обмена маршрутной информации необходимо использовать BGP. Firewall выключен.

Решение текущей задачи состоит из следующих этапов:

1) Настроим физических интерфейсы согласно схеме:

HUB# configure
HUB(config)# interface gigabitethernet 1/0/2
HUB(config-if-gi)# ip firewall disable
HUB(config-if-gi)# ip address 203.0.113.2/30
HUB(config-if-gi)# end

SPOKE-1# configure
SPOKE-1(config)# interface gigabitethernet 1/0/2
SPOKE-1(config-if-gi)# ip firewall disable
SPOKE-1(config-if-gi)# ip address 203.0.113.6/30
SPOKE-1(config-if-gi)# end

SPOKE-2# configure
SPOKE-2(config)# interface gigabitethernet 1/0/2
SPOKE-2(config-if-gi)# ip firewall disable
SPOKE-2(config-if-gi)# ip address 203.0.113.10/30
SPOKE-2(config-if-gi)# end

2) Настроим DHCP-сервер на HUB со следующими параметрами:

- Подсеть для DHCP-сервера 192.0.2.0/24
- Диапазон адресов для DHCP-client: 192.0.2.2-192.0.2.10
- В качестве default-router укажем туннельный IP-адрес NHS.

Если на туннельном интерфейсе HUB используется security-zone, то необходимо разрешить обработку DHCP-запросов (настроить соответствующее правило в зону self):

tunnel gre 1
security-zone TUNNEL
exit

security zone-pair TUNNEL self
rule 1
action permit
match protocol udp
match source-port port-range 68
match destination-port port-range 67
enable
exit
exit

Описание команд и настройка DHCP-сервера содержится в Руководстве по эксплуатации.

HUB# configure
HUB(config)# ip dhcp-server
HUB(config)# ip dhcp-server pool DMVPN
HUB(config-dhcp-server)# network 192.0.2.0/24
HUB(config-dhcp-server)# address-range 192.0.2.2-192.0.2.10
HUB(config-dhcp-server)# end

3) Настроим туннельные интерфейсы на HUB, SPOKE-1 и SPOKE-2:

- В конфигурации HUB в качестве IP-адреса укажем статический IP-адрес 192.0.2.1.
- В конфигурации SPOKE в качестве IP-адреса укажем динамический IP-адрес, а именно ip address dhcp

Описание команд и пример настройки NHRP содержится в Руководстве по эксплуатации в разделе с настройкой DMVPN.

HUB# configure
HUB(config)# tunnel gre 1
HUB(config-gre)# ttl 255
HUB(config-gre)# mtu 1400
HUB(config-gre)# multipoint
HUB(config-gre)# ip firewall disable
HUB(config-gre)# local address 203.0.113.2
HUB(config-gre)# ip address 192.0.2.1/24
HUB(config-gre)# ip tcp adjust-mss 1360
HUB(config-gre)# ip nhrp multicast dynamic
HUB(config-gre)# ip nhrp enable
HUB(config-gre)# enable
HUB(config-gre)# end

SPOKE-1# configure
SPOKE-1(config)# tunnel gre 1
SPOKE-1(config-gre)# ttl 255
SPOKE-1(config-gre)# mtu 1400
SPOKE-1(config-gre)# multipoint
SPOKE-1(config-gre)# ip firewall disable
SPOKE-1(config-gre)# local address 203.0.113.6
SPOKE-1(config-gre)# ip address dhcp
SPOKE-1(config-gre)# ip tcp adjust-mss 1360
SPOKE-1(config-gre)# ip nhrp map 192.0.2.1 203.0.113.2
SPOKE-1(config-gre)# ip nhrp nhs 192.0.2.1/24
SPOKE-1(config-gre)# ip nhrp multicast nhs
SPOKE-1(config-gre)# ip nhrp enable
SPOKE-1(config-gre)# enable
SPOKE-1(config-gre)# end

SPOKE-2# configure
SPOKE-2(config)# tunnel gre 1
SPOKE-2(config-gre)# ttl 255
SPOKE-2(config-gre)# mtu 1400
SPOKE-2(config-gre)# multipoint
SPOKE-2(config-gre)# ip firewall disable
SPOKE-2(config-gre)# local address 203.0.113.10
SPOKE-2(config-gre)# ip address dhcp
SPOKE-2(config-gre)# ip tcp adjust-mss 1360
SPOKE-2(config-gre)# ip nhrp map 192.0.2.1 203.0.113.2
SPOKE-2(config-gre)# ip nhrp nhs 192.0.2.1/24
SPOKE-2(config-gre)# ip nhrp multicast nhs
SPOKE-2(config-gre)# ip nhrp enable
SPOKE-2(config-gre)# enable
SPOKE-2(config-gre)# end

Каждый SPOKE будет использовать свой уникальный Client-ID для получения IP-адреса у DHCP-сервера.

На данном этапе есть возможность проверить выдачу динамических IP-адресов каждому SPOKE, а также регистрацию данных SPOKE на HUB:

HUB# show ip dhcp binding
IP address MAC / Client ID Binding type Lease expires at
---------------- ------------------------------------------------------------- ------------ -------------------------------
192.0.2.2 0x00656c7465782d363831332e653237662e356463632d6772655f31 active Thursday 2024/06/06 07:18:25
192.0.2.3 0x00656c7465782d363831332e653237662e353531612d6772655f31 active Thursday 2024/06/06 07:20:26
HUB# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.2 203.0.113.6 gre 1 01:37:05 0,02:22:57 dynamic ULC
192.0.2.3 203.0.113.10 gre 1 01:37:59 0,02:22:02 dynamic ULC

SPOKE-1# show ip interfaces
IP address Interface Admin Link Type
--------------------------------------------------- -------------------- ----- ----- -------
203.0.113.6/30 gi1/0/2 Up Up static
192.0.2.2/24 gre 1 Up Up DHCP
SPOKE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RULC

SPOKE-2# show ip interfaces
IP address Interface Admin Link Type
--------------------------------------------------- -------------------- ----- ----- -------
203.0.113.10/30 gi1/0/2 Up Up static
192.0.2.3/24 gre 1 Up Up DHCP
SPOKE-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RULC

4) Настроим IPsec для защиты передаваемых данных:

- Со стороны HUB настроим IPsec для построения защищенных каналов со SPOKEs.
Для 1-ой фазы будем использовать алгоритмы: sha2-256, aes128, dh-group 25.
Для 2-ой фазы будем использовать алгоритмы: sha2-256, aes256. Тип инкапсуляции для 2-ой фазы: transport

Описание команд и пример настройки IPsec содержится в Руководстве по эксплуатации в разделе настройки IPsec VPN.

HUB# configure
HUB(config)# security ike proposal ike_proposal
HUB(config-ike-proposal)# authentication algorithm sha2-256
HUB(config-ike-proposal)# encryption algorithm aes128
HUB(config-ike-proposal)# dh-group 25
HUB(config-ike-proposal)# exit
HUB(config)#
HUB(config)# security ike policy ike_policy
HUB(config-ike-policy)# pre-shared-key ascii-text password
HUB(config-ike-policy)# proposal ike_proposal
HUB(config-ike-policy)# exit
HUB(config)#
HUB(config)# security ike gateway ike_gateway
HUB(config-ike-gw)# ike-policy ike_policy
HUB(config-ike-gw)# local address 203.0.113.2
HUB(config-ike-gw)# local network 203.0.113.2/32 protocol gre
HUB(config-ike-gw)# remote address any
HUB(config-ike-gw)# remote network any protocol gre
HUB(config-ike-gw)# mode policy-based
HUB(config-ike-gw)# exit
HUB(config)#
HUB(config)# security ipsec proposal ipsec_proposal
HUB(config-ipsec-proposal)# authentication algorithm sha2-256
HUB(config-ipsec-proposal)# encryption algorithm aes256
HUB(config-ipsec-proposal)# exit
HUB(config)#
HUB(config)# security ipsec policy ipsec_policy
HUB(config-ipsec-policy)# proposal ipsec_proposal
HUB(config-ipsec-policy)# exit
HUB(config)#
HUB(config)# security ipsec vpn ipsec_dynamic
HUB(config-ipsec-vpn)# type transport
HUB(config-ipsec-vpn)# ike establish-tunnel route
HUB(config-ipsec-vpn)# ike gateway ike_gateway
HUB(config-ipsec-vpn)# ike ipsec-policy ipsec_policy
HUB(config-ipsec-vpn)# enable
HUB(config-ipsec-vpn)# exit
HUB(config)#
HUB(config)# tunnel gre 1
HUB(config-gre)# ip nhrp ipsec ipsec_dynamic dynamic
HUB(config-gre)# end

- Со стороны SPOKE настроим 2 отдельных IPsec VPN. 1-ый IPsec VPN будет необходим для построения защищенного канала между SPOKE и HUB, 2-ой IPsec VPN будет использоваться для построения защищенных каналов между SPOKEs.

Для IPsec VPN с HUB будем использовать аналогичные алгоритмы, которые использует HUB:
- Для 1-ой фазы будем использовать алгоритмы: sha2-512, aes128, dh-group 25.
- Для 2-ой фазы будем использовать алгоритмы: sha2-512, aes256. Тип инкапсуляции для 2-ой фазы: transport

Для IPsec VPN со SPOKE будем использовать следующие алгоритмы:
- Для 1-ой фазы будем использовать алгоритмы: sha2-256, aes128, dh-group 25.
- Для 2-ой фазы будем использовать алгоритмы: sha2-256, aes256. Тип инкапсуляции для 2-ой фазы: transport

SPOKE-1# configure
SPOKE-1(config)# security ike proposal ike_proposal_hub
SPOKE-1(config-ike-proposal)# authentication algorithm sha2-512
SPOKE-1(config-ike-proposal)# encryption algorithm aes128
SPOKE-1(config-ike-proposal)# dh-group 25
SPOKE-1(config-ike-proposal)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ike policy ike_policy_hub
SPOKE-1(config-ike-policy)# pre-shared-key ascii-text password
SPOKE-1(config-ike-policy)# proposal ike_proposal_hub
SPOKE-1(config-ike-policy)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ike gateway ike_gateway_hub
SPOKE-1(config-ike-gw)# ike-policy ike_policy_hub
SPOKE-1(config-ike-gw)# local address 203.0.113.6
SPOKE-1(config-ike-gw)# local network 203.0.113.6/32 protocol gre
SPOKE-1(config-ike-gw)# remote address 203.0.113.2
SPOKE-1(config-ike-gw)# remote network 203.0.113.2/32 protocol gre
SPOKE-1(config-ike-gw)# mode policy-based
SPOKE-1(config-ike-gw)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ipsec proposal ipsec_proposal_hub
SPOKE-1(config-ipsec-proposal)# authentication algorithm sha2-512
SPOKE-1(config-ipsec-proposal)# encryption algorithm aes256
SPOKE-1(config-ipsec-proposal)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ipsec policy ipsec_policy_hub
SPOKE-1(config-ipsec-policy)# proposal ipsec_proposal_hub
SPOKE-1(config-ipsec-policy)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ipsec vpn ipsec_static_hub
SPOKE-1(config-ipsec-vpn)# type transport
SPOKE-1(config-ipsec-vpn)# ike establish-tunnel route
SPOKE-1(config-ipsec-vpn)# ike gateway ike_gateway_hub
SPOKE-1(config-ipsec-vpn)# ike ipsec-policy ipsec_policy_hub
SPOKE-1(config-ipsec-vpn)# enable
SPOKE-1(config-ipsec-vpn)# exit
SPOKE-1(config)#
SPOKE-1(config)#
SPOKE-1(config)# security ike proposal ike_proposal_spoke
SPOKE-1(config-ike-proposal)# authentication algorithm sha2-256
SPOKE-1(config-ike-proposal)# encryption algorithm aes128
SPOKE-1(config-ike-proposal)# dh-group 25
SPOKE-1(config-ike-proposal)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ike policy ike_policy_spoke
SPOKE-1(config-ike-policy)# pre-shared-key ascii-text password_spoke
SPOKE-1(config-ike-policy)# proposal ike_proposal_spoke
SPOKE-1(config-ike-policy)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ike gateway ike_gateway_spoke
SPOKE-1(config-ike-gw)# ike-policy ike_policy_spoke
SPOKE-1(config-ike-gw)# local address 203.0.113.6
SPOKE-1(config-ike-gw)# local network 203.0.113.6/32 protocol gre
SPOKE-1(config-ike-gw)# remote address any
SPOKE-1(config-ike-gw)# remote network any protocol gre
SPOKE-1(config-ike-gw)# mode policy-based
SPOKE-1(config-ike-gw)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ipsec proposal ipsec_proposal_spoke
SPOKE-1(config-ipsec-proposal)# authentication algorithm sha2-256
SPOKE-1(config-ipsec-proposal)# encryption algorithm aes256
SPOKE-1(config-ipsec-proposal)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ipsec policy ipsec_policy_spoke
SPOKE-1(config-ipsec-policy)# proposal ipsec_proposal_hub
SPOKE-1(config-ipsec-policy)# exit
SPOKE-1(config)#
SPOKE-1(config)# security ipsec vpn ipsec_dynamic_spoke
SPOKE-1(config-ipsec-vpn)# type transport
SPOKE-1(config-ipsec-vpn)# ike establish-tunnel route
SPOKE-1(config-ipsec-vpn)# ike gateway ike_gateway_spoke
SPOKE-1(config-ipsec-vpn)# ike ipsec-policy ipsec_policy_spoke
SPOKE-1(config-ipsec-vpn)# enable
SPOKE-1(config-ipsec-vpn)# exit
SPOKE-1(config)#
SPOKE-1(config)# tunnel gre 1
SPOKE-1(config-gre)# ip nhrp ipsec ipsec_static_hub static
SPOKE-1(config-gre)# ip nhrp ipsec ipsec_dynamic_spoke dynamic
SPOKE-1(config-gre)# end

В конфигурации SPOKE-2 аналогичная конфигурация IPsec, отличается только конфигурация ike gateway, а именно параметры local address, local network.

SPOKE-2(config)# security ike gateway ike_gateway_hub
SPOKE-2(config-ike-gw)# ike-policy ike_policy_hub
SPOKE-2(config-ike-gw)# local address 203.0.113.10
SPOKE-2(config-ike-gw)# local network 203.0.113.10/32 protocol gre
SPOKE-2(config-ike-gw)# remote address 203.0.113.2
SPOKE-2(config-ike-gw)# remote network 203.0.113.2/32 protocol gre
SPOKE-2(config-ike-gw)# mode policy-based
SPOKE-2(config-ike-gw)# exit
SPOKE-2(config)# security ike gateway ike_gateway_spoke
SPOKE-2(config-ike-gw)# ike-policy ike_policy_spoke
SPOKE-2(config-ike-gw)# local address 203.0.113.10
SPOKE-2(config-ike-gw)# local network 203.0.113.10/32 protocol gre
SPOKE-2(config-ike-gw)# remote address any
SPOKE-2(config-ike-gw)# remote network any protocol gre
SPOKE-2(config-ike-gw)# mode policy-based
SPOKE-2(config-ike-gw)# exit

Поскольку в конфигурации IPsec VPN использует режим построения ike establish-tunnel route, то IPsec будет построен при наличии транзитного трафика, а именно между SPOKE и HUB.

HUB# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_dynamic 203.0.113.2 203.0.113.6 0x4bd39749ec52ef69 0xa6230ffdd63dafb4 Established
ipsec_dynamic 203.0.113.2 203.0.113.10 0xb6e2e549d5454d19 0x348d247837abbc3c Established

SPOKE-1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static_hub 203.0.113.6 203.0.113.2 0x4bd39749ec52ef69 0xa6230ffdd63dafb4 Established

SPOKE-2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static_hub 203.0.113.10 203.0.113.2 0xb6e2e549d5454d19 0x348d247837abbc3c Established

Для построения динамического туннеля между SPOKE, а также IPsec для обеспечения защищенного канала необходимо пустить транзитный трафик. Например, произведем ping туннельного IP-адреса NHC:

SPOKE-1# ping 192.0.2.3
PING 192.0.2.3 (192.0.2.3) 56 bytes of data.
.!!!!
--- 192.0.2.3 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.685/1.903/2.368/0.280 ms
SPOKE-1#
SPOKE-1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static_hub 203.0.113.6 203.0.113.2 0x4bd39749ec52ef69 0xa6230ffdd63dafb4 Established
ipsec_dynamic_spoke 203.0.113.6 203.0.113.10 0x3b7a385f6e9fc17e 0x6b70dea84c833eea Established
SPOKE-1#
SPOKE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RULC
192.0.2.3 203.0.113.10 gre 1 01:59:25 0,00:00:34 cached ULC

SPOKE-2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_static_hub 203.0.113.10 203.0.113.2 0xb6e2e549d5454d19 0x348d247837abbc3c Established
ipsec_dynamic_spoke 203.0.113.10 203.0.113.6 0x3b7a385f6e9fc17e 0x6b70dea84c833eea Established
SPOKE-2#
SPOKE-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RULC
192.0.2.2 203.0.113.6 gre 1 01:58:31 0,00:01:28 cached ULC

5) Настроим BGP для текущей схемы:

- В конфигурации HUB для динамического построения BGP-сессий со SPOKEs будем использовать listen-range для подсети 192.0.2.0/24, который поддержан с версии ПО 1.23.
- В конфигурации SPOKE в качестве neighbor укажем туннельный адрес NHS (192.0.2.1).
- В текущей схеме будет использоваться internal-BGP в рамках одной AS 65001, то есть NHRP будет работать во 2-ой фазе.

Параметры для listen-range настраиваются в отдельной peer-group, которая привязывается к соответствующему listen-range.

Описание команд и пример настройки BGP содержится в Руководстве по эксплуатации в разделе маршрутизации.

HUB# configure
HUB(config)# router bgp log-neighbor-changes
HUB(config)# router bgp 65001
HUB(config-bgp)# router-id 192.0.2.1
HUB(config-bgp)# peer-group DMVPN
HUB(config-bgp-group)# remote-as 65001
HUB(config-bgp-group)# route-reflector-client
HUB(config-bgp-group)# address-family ipv4 unicast
HUB(config-bgp-group-af)# enable
HUB(config-bgp-group-af)# exit
HUB(config-bgp-group)# exit
HUB(config-bgp)# listen-range 192.0.2.0/24
HUB(config-bgp-listen)# peer-group DMVPN
HUB(config-bgp-listen)# enable
HUB(config-bgp-listen)# exit
HUB(config-bgp)# enable
HUB(config-bgp)# end

SPOKE-1# configure
SPOKE-1(config)# router bgp log-neighbor-changes
SPOKE-1(config)# router bgp 65001
SPOKE-1(config-bgp)# router-id 172.16.0.1
SPOKE-1(config-bgp)# neighbor 192.0.2.1
SPOKE-1(config-bgp-neighbor)# remote-as 65001
SPOKE-1(config-bgp-neighbor)# address-family ipv4 unicast
SPOKE-1(config-bgp-neighbor-af)# enable
SPOKE-1(config-bgp-neighbor-af)# exit
SPOKE-1(config-bgp-neighbor)# enable
SPOKE-1(config-bgp-neighbor)# exit
SPOKE-1(config-bgp)# enable
SPOKE-1(config-bgp)# end

SPOKE-2# configure
SPOKE-2(config)# router bgp log-neighbor-changes
SPOKE-2(config)# router bgp 65001
SPOKE-2(config-bgp)# router-id 172.16.0.2
SPOKE-2(config-bgp)# neighbor 192.0.2.1
SPOKE-2(config-bgp-neighbor)# remote-as 65001
SPOKE-2(config-bgp-neighbor)# address-family ipv4 unicast
SPOKE-2(config-bgp-neighbor-af)# enable
SPOKE-2(config-bgp-neighbor-af)# exit
SPOKE-2(config-bgp-neighbor)# enable
SPOKE-2(config-bgp-neighbor)# exit
SPOKE-2(config-bgp)# enable
SPOKE-2(config-bgp)# end

На данном этапе есть возможность проверить построение BGP-сессий между HUB и SPOKEs:

HUB# show bgp neighbors
BGP neighbor is 192.0.2.2
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 192.0.2.0/24
Neighbor address: 192.0.2.2
Neighbor AS: 65001
Neighbor ID: 172.16.0.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 192.0.2.1
Weight: 0
Hold timer: 130/180
Keepalive timer: 38/60
Peer group: DMVPN
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Uptime: 8 s
BGP neighbor is 192.0.2.3
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 192.0.2.0/24
Neighbor address: 192.0.2.3
Neighbor AS: 65001
Neighbor ID: 172.16.0.2
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 192.0.2.1
Weight: 0
Hold timer: 143/180
Keepalive timer: 41/60
Peer group: DMVPN
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Uptime: 4 s

SPOKE-1# show bgp neighbors
BGP neighbor is 192.0.2.1
BGP state: Established
Type: Static neighbor
Neighbor address: 192.0.2.1
Neighbor AS: 65001
Neighbor ID: 192.0.2.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 192.0.2.2
Weight: 0
Hold timer: 162/180
Keepalive timer: 0/60
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Uptime: 54 s

SPOKE-2# show bgp neighbors
BGP neighbor is 192.0.2.1
BGP state: Established
Type: Static neighbor
Neighbor address: 192.0.2.1
Neighbor AS: 65001
Neighbor ID: 192.0.2.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 192.0.2.3
Weight: 0
Hold timer: 151/180
Keepalive timer: 48/60
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Uptime: 61 s

2. HUB является DHCP-Relay агентом и для выдачи IP-адресов SPOKE используется внешний DHCP-server.

Задача: Организовать DMVPN Single Cloud схему с динамическими IP-адресами на SPOKE. В качестве DHCP-сервера будет использоваться сервер, доступный через IP 198.51.100.2. В качестве динамической маршрутизации для обмена маршрутной информации необходимо использовать BGP. Firewall выключен.

Решение текущей задачи состоит из следующих этапов:
1) Настройка физических интерфейсов.
2) Настройка туннельного интерфейса на HUB, а также DHCP-Relay.
3) Настройка туннельных интерфейсов SPOKE-1 и SPOKE-2.
4) Настройка BGP для текущей схемы.
5) Настройка IPsec для защиты передаваемых данных.

Все пункты, кроме 2-го будут идентичны примеру сверху. Поэтому разберем конфигурацию HUB в качестве DHCP-Relay агента.

Для начала необходимо настроить интерфейс в сторону DHCP-сервера:

HUB# configure
HUB(config)# interface gigabitethernet 1/0/8
HUB(config-if-gi)# ip firewall disable
HUB(config-if-gi)# ip address 198.51.100.1/30
HUB(config-if-gi)# end

Для настройки HUB в качестве DHCP-Relay агента необходимо использовать следующие команды:
- ip helper-address A.B.C.D, с помощью которой указывается IP DHCP-сервера, которому будут отправляться DHCP Discover пакеты, перехваченные DHCP Relay-агентом.
- ip dhcp information option-insert, с помощью которой включается вставка DHCP Relay агентом, работающим на multipoint GRE туннеле ESR в роли NHRP NHS, 82 опции в DHCP-запросы от NHRP NHC. В добавляемой опции указывается NBMA-адрес NHRP NHC.
- ip dhcp-relay, с помощью которой включается агент DHCP-relay на маршрутизаторе ESR.

Настроим туннельный интерфейс HUB:

HUB# configure
HUB(config)# tunnel gre 1
HUB(config-gre)# ttl 255
HUB(config-gre)# mtu 1400
HUB(config-gre)# multipoint
HUB(config-gre)# ip firewall disable
HUB(config-gre)# local address 203.0.113.2
HUB(config-gre)# ip dhcp information option-insert
HUB(config-gre)# ip address 192.0.2.1/24
HUB(config-gre)# ip helper-address 198.51.100.2
HUB(config-gre)# ip tcp adjust-mss 1340
HUB(config-gre)# ip nhrp ipsec ipsec_dynamic dynamic
HUB(config-gre)# ip nhrp multicast dynamic
HUB(config-gre)# ip nhrp enable
HUB(config-gre)# enable
HUB(config-gre)# exit
HUB(config)#
HUB(config)# ip dhcp-relay
HUB(config)# exit

Конфигурация туннельных интерфейсов SPOKE:

SPOKE-1# show running-config tunnels
tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.6
ip address dhcp
ip tcp adjust-mss 1340
ip nhrp map 192.0.2.1 203.0.113.2
ip nhrp nhs 192.0.2.1/24
ip nhrp ipsec ipsec_static_hub static
ip nhrp ipsec ipsec_dynamic_spoke dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit

SPOKE-2# show running-config tunnels
tunnel gre 1
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.10
ip address dhcp
ip tcp adjust-mss 1340
ip nhrp map 192.0.2.1 203.0.113.2
ip nhrp nhs 192.0.2.1/24
ip nhrp ipsec ipsec_static_hub static
ip nhrp ipsec ipsec_dynamic_spoke dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit

Вывод оперативной информации о получении динамических IP-адресов на SPOKE, а также вывод оперативной информации с DHCP-сервера:

SPOKE-1# show ip interfaces
IP address Interface Admin Link Type
--------------------------------------------------- -------------------- ----- ----- -------
203.0.113.6/30 gi1/0/2 Up Up static
192.0.2.3/24 gre 1 Up Up DHCP
SPOKE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RULC

SPOKE-2# show ip interfaces
IP address Interface Admin Link Type
--------------------------------------------------- -------------------- ----- ----- -------
203.0.113.10/30 gi1/0/2 Up Up static
192.0.2.2/24 gre 1 Up Up DHCP
SPOKE-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.2 gre 1 -- -- static RULC

DHCP-server# show ip dhcp binding
IP address MAC / Client ID Binding type Lease expires at
---------------- ------------------------------------------------------------- ------------ -------------------------------
192.0.2.3 0x00656c7465782d363831332e653237662e356463632d6772655f31 active Friday 2024/06/07 16:40:15
192.0.2.2 0x00656c7465782d363831332e653237662e353531612d6772655f31 active Friday 2024/06/07 16:42:11

3. Полные конфигурации маршрутизаторов для 1-ой схемы:

HUB

HUB# show running-config 
hostname HUB

router bgp log-neighbor-changes

router bgp 65001
  router-id 192.0.2.1
  peer-group DMVPN
    remote-as 65001
    route-reflector-client
    address-family ipv4 unicast
      enable
    exit
  exit
  listen-range 192.0.2.0/24
    peer-group DMVPN
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 203.0.113.2/30
exit
interface gigabitethernet 1/0/8
  ip firewall disable
  ip address 198.51.100.1/30
exit

tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.2
  ip address 192.0.2.1/24
  ip tcp adjust-mss 1340
  ip nhrp ipsec ipsec_dynamic dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit

security ike proposal ike_proposal
  authentication algorithm sha2-512
  encryption algorithm aes128
  dh-group 25
exit

security ike policy ike_policy
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_proposal
exit

security ike gateway ike_gateway
  ike-policy ike_policy
  local address 203.0.113.2
  local network 203.0.113.2/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal ipsec_proposal
  authentication algorithm sha2-512
  encryption algorithm aes256
exit

security ipsec policy ipsec_policy
  proposal ipsec_proposal
exit

security ipsec vpn ipsec_dynamic
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway
  ike ipsec-policy ipsec_policy
  enable
exit

ip dhcp-server
ip dhcp-server pool DMVPN
  network 192.0.2.0/24
  address-range 192.0.2.2-192.0.2.10
exit

ip route 203.0.113.4/30 203.0.113.1
ip route 203.0.113.8/30 203.0.113.1

SPOKE-1

SPOKE-1# show running-config 
hostname SPOKE-1

router bgp log-neighbor-changes

router bgp 65001
  router-id 1.1.1.1
  neighbor 172.16.0.1
    remote-as 65001
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 203.0.113.6/30
exit

tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.6
  ip address dhcp
  ip tcp adjust-mss 1340
  ip nhrp map 192.0.2.1 203.0.113.2
  ip nhrp nhs 192.0.2.1/24
  ip nhrp ipsec ipsec_static_hub static
  ip nhrp ipsec ipsec_dynamic_spoke dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal ike_proposal_hub
  authentication algorithm sha2-512
  encryption algorithm aes128
  dh-group 25
exit
security ike proposal ike_proposal_spoke
  authentication algorithm sha2-256
  encryption algorithm aes128
  dh-group 25
exit

security ike policy ike_policy_hub
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_proposal_hub
exit
security ike policy ike_policy_spoke
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF422465570FB5
  proposal ike_proposal_spoke
exit

security ike gateway ike_gateway_hub
  ike-policy ike_policy_hub
  local address 203.0.113.6
  local network 203.0.113.6/32 protocol gre 
  remote address 203.0.113.2
  remote network 203.0.113.2/32 protocol gre 
  mode policy-based
exit
security ike gateway ike_gateway_spoke
  ike-policy ike_policy_spoke
  local address 203.0.113.6
  local network 203.0.113.6/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal ipsec_proposal_hub
  authentication algorithm sha2-512
  encryption algorithm aes256
exit
security ipsec proposal ipsec_proposal_spoke
  authentication algorithm sha2-256
  encryption algorithm aes256
exit

security ipsec policy ipsec_policy_hub
  proposal ipsec_proposal_hub
exit
security ipsec policy ipsec_policy_spoke
  proposal ipsec_proposal_hub
exit

security ipsec vpn ipsec_static_hub
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway_hub
  ike ipsec-policy ipsec_policy_hub
  enable
exit
security ipsec vpn ipsec_dynamic_spoke
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway_spoke
  ike ipsec-policy ipsec_policy_spoke
  enable
exit

ip route 203.0.113.0/30 203.0.113.5
ip route 203.0.113.8/30 203.0.113.5

SPOKE-2

SPOKE-2# show running-config 
hostname SPOKE-2

router bgp log-neighbor-changes

router bgp 65001
  router-id 172.16.0.2
  neighbor 192.0.2.1
    remote-as 65001
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 203.0.113.10/30
exit

tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.10
  ip address dhcp
  ip tcp adjust-mss 1340
  ip nhrp map 192.0.2.1 203.0.113.2
  ip nhrp nhs 192.0.2.1/24
  ip nhrp ipsec ipsec_static_hub static
  ip nhrp ipsec ipsec_dynamic_spoke dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal ike_proposal_hub
  authentication algorithm sha2-512
  encryption algorithm aes128
  dh-group 25
exit
security ike proposal ike_proposal_spoke
  authentication algorithm sha2-256
  encryption algorithm aes128
  dh-group 25
exit

security ike policy ike_policy_hub
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_proposal_hub
exit
security ike policy ike_policy_spoke
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF422465570FB5
  proposal ike_proposal_spoke
exit

security ike gateway ike_gateway_hub
  ike-policy ike_policy_hub
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address 203.0.113.2
  remote network 203.0.113.2/32 protocol gre 
  mode policy-based
exit
security ike gateway ike_gateway_spoke
  ike-policy ike_policy_spoke
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal ipsec_proposal_hub
  authentication algorithm sha2-512
  encryption algorithm aes256
exit
security ipsec proposal ipsec_proposal_spoke
  authentication algorithm sha2-256
  encryption algorithm aes256
exit

security ipsec policy ipsec_policy_hub
  proposal ipsec_proposal_hub
exit
security ipsec policy ipsec_policy_spoke
  proposal ipsec_proposal_hub
exit

security ipsec vpn ipsec_static_hub
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway_hub
  ike ipsec-policy ipsec_policy_hub
  enable
exit
security ipsec vpn ipsec_dynamic_spoke
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway_spoke
  ike ipsec-policy ipsec_policy_spoke
  enable
exit

ip route 203.0.113.0/30 203.0.113.9
ip route 203.0.113.4/30 203.0.113.9

4. Полные конфигурации маршрутизаторов для 2-ой схемы:

DHCP-server

DHCP-server# show running-config 
hostname DHCP-server

interface gigabitethernet 1/0/8
  ip firewall disable
  ip address 198.51.100.2/30
exit

ip dhcp-server
ip dhcp-server pool DMVPN
  network 192.0.2.0/24
  address-range 192.0.2.2-192.0.2.10
exit

ip route 192.0.2.0/24 198.51.100.1

HUB

HUB# show running-config 
hostname HUB

router bgp log-neighbor-changes

router bgp 65001
  router-id 192.0.2.1
  peer-group DMVPN
    remote-as 65001
    route-reflector-client
    address-family ipv4 unicast
      enable
    exit
  exit
  listen-range 192.0.2.0/24
    peer-group DMVPN
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 203.0.113.2/30
exit
interface gigabitethernet 1/0/8
  ip firewall disable
  ip address 198.51.100.1/30
exit

tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.2
  ip dhcp information option-insert
  ip address 192.0.2.1/24
  ip helper-address 198.51.100.2
  ip tcp adjust-mss 1340
  ip nhrp ipsec ipsec_dynamic dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit

security ike proposal ike_proposal
  authentication algorithm sha2-512
  encryption algorithm aes128
  dh-group 25
exit

security ike policy ike_policy
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_proposal
exit

security ike gateway ike_gateway
  ike-policy ike_policy
  local address 203.0.113.2
  local network 203.0.113.2/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal ipsec_proposal
  authentication algorithm sha2-512
  encryption algorithm aes256
exit

security ipsec policy ipsec_policy
  proposal ipsec_proposal
exit

security ipsec vpn ipsec_dynamic
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway
  ike ipsec-policy ipsec_policy
  enable
exit

ip dhcp-relay

ip route 203.0.113.4/30 203.0.113.1
ip route 203.0.113.8/30 203.0.113.1

SPOKE-1

SPOKE-1# show running-config 
hostname SPOKE-1

router bgp log-neighbor-changes

router bgp 65001
  router-id 172.16.0.1
  neighbor 192.0.2.1
    remote-as 65001
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 203.0.113.6/30
exit

tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.6
  ip address dhcp
  ip tcp adjust-mss 1340
  ip nhrp map 192.0.2.1 203.0.113.2
  ip nhrp nhs 192.0.2.1/24
  ip nhrp ipsec ipsec_static_hub static
  ip nhrp ipsec ipsec_dynamic_spoke dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal ike_proposal_hub
  authentication algorithm sha2-512
  encryption algorithm aes128
  dh-group 25
exit
security ike proposal ike_proposal_spoke
  authentication algorithm sha2-256
  encryption algorithm aes128
  dh-group 25
exit

security ike policy ike_policy_hub
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_proposal_hub
exit
security ike policy ike_policy_spoke
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF422465570FB5
  proposal ike_proposal_spoke
exit

security ike gateway ike_gateway_hub
  ike-policy ike_policy_hub
  local address 203.0.113.6
  local network 203.0.113.6/32 protocol gre 
  remote address 203.0.113.2
  remote network 203.0.113.2/32 protocol gre 
  mode policy-based
exit
security ike gateway ike_gateway_spoke
  ike-policy ike_policy_spoke
  local address 203.0.113.6
  local network 203.0.113.6/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal ipsec_proposal_hub
  authentication algorithm sha2-512
  encryption algorithm aes256
exit
security ipsec proposal ipsec_proposal_spoke
  authentication algorithm sha2-256
  encryption algorithm aes256
exit

security ipsec policy ipsec_policy_hub
  proposal ipsec_proposal_hub
exit
security ipsec policy ipsec_policy_spoke
  proposal ipsec_proposal_hub
exit

security ipsec vpn ipsec_static_hub
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway_hub
  ike ipsec-policy ipsec_policy_hub
  enable
exit
security ipsec vpn ipsec_dynamic_spoke
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway_spoke
  ike ipsec-policy ipsec_policy_spoke
  enable
exit

ip route 203.0.113.0/30 203.0.113.5
ip route 203.0.113.8/30 203.0.113.5

SPOKE-2

SPOKE-2# show running-config 
hostname SPOKE-2

router bgp log-neighbor-changes

router bgp 65001
  router-id 172.16.0.2
  neighbor 192.0.2.1
    remote-as 65001
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 203.0.113.10/30
exit

tunnel gre 1
  ttl 255
  mtu 1400
  multipoint
  ip firewall disable
  local address 203.0.113.10
  ip address dhcp
  ip tcp adjust-mss 1340
  ip nhrp map 192.0.2.1 203.0.113.2
  ip nhrp nhs 192.0.2.1/24
  ip nhrp ipsec ipsec_static_hub static
  ip nhrp ipsec ipsec_dynamic_spoke dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal ike_proposal_hub
  authentication algorithm sha2-512
  encryption algorithm aes128
  dh-group 25
exit
security ike proposal ike_proposal_spoke
  authentication algorithm sha2-256
  encryption algorithm aes128
  dh-group 25
exit

security ike policy ike_policy_hub
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal ike_proposal_hub
exit
security ike policy ike_policy_spoke
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF422465570FB5
  proposal ike_proposal_spoke
exit

security ike gateway ike_gateway_hub
  ike-policy ike_policy_hub
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address 203.0.113.2
  remote network 203.0.113.2/32 protocol gre 
  mode policy-based
exit
security ike gateway ike_gateway_spoke
  ike-policy ike_policy_spoke
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal ipsec_proposal_hub
  authentication algorithm sha2-512
  encryption algorithm aes256
exit
security ipsec proposal ipsec_proposal_spoke
  authentication algorithm sha2-256
  encryption algorithm aes256
exit

security ipsec policy ipsec_policy_hub
  proposal ipsec_proposal_hub
exit
security ipsec policy ipsec_policy_spoke
  proposal ipsec_proposal_hub
exit

security ipsec vpn ipsec_static_hub
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway_hub
  ike ipsec-policy ipsec_policy_hub
  enable
exit
security ipsec vpn ipsec_dynamic_spoke
  type transport
  ike establish-tunnel route
  ike gateway ike_gateway_spoke
  ike ipsec-policy ipsec_policy_spoke
  enable
exit

ip route 203.0.113.0/30 203.0.113.9
ip route 203.0.113.4/30 203.0.113.9

Дерево страниц

Пример настройки DMVPN с динамическим IP-адресом на SPOKE

1. HUB является DHCP-сервером для выдачи IP-адресов SPOKE.

1) Настроим физических интерфейсы согласно схеме:

2) Настроим DHCP-сервер на HUB со следующими параметрами:

3) Настроим туннельные интерфейсы на HUB, SPOKE-1 и SPOKE-2:

4) Настроим IPsec для защиты передаваемых данных:

5) Настроим BGP для текущей схемы:

2. HUB является DHCP-Relay агентом и для выдачи IP-адресов SPOKE используется внешний DHCP-server.

3. Полные конфигурации маршрутизаторов для 1-ой схемы:

4. Полные конфигурации маршрутизаторов для 2-ой схемы: