Задача: Организовать схему DMVPN Single HUB Single Cloud (NHRP phase 3) с использованием протокола динамической маршрутизации OSPF. Для примера будем использовать адреса Loopback Spoke1 и Spoke2, т.е. при появлении трафика между споками сработает фаза 3 и трафик пойдет напрямую.
При настройке схемы DMVPN Dual HUB Single Cloud необходимо, чтобы HUB являлся DR-маршрутизатором. Локальные подсети SPOKE будут ретранслироваться через HUB с помощью динамической маршрутизации ospf.
Укажем на HUB приоритет ip ospf priority 150
Пример конфигурации HUB:
router ospf 1
router-id 192.0.2.1
area 0.0.0.1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.1/30
exit
tunnel gre 1
description "DMVPN HUB"
ttl 255
mtu 1416
multipoint
ip firewall disable
local address 203.0.113.1
ip address 192.0.2.1/24
ip ospf instance 1
ip ospf area 0.0.0.1
ip ospf priority 150
ip ospf
ip tcp adjust-mss 1360
ip nhrp redirect - (механизм позволяет NHRP-серверу отслеживать не оптимальность прохождения трафика
между NHRP-соседями)
ip nhrp ipsec IPSECVPN_HUB dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
security ike proposal IKEPROP_HUB
authentication algorithm sha2-512
encryption algorithm aes256
dh-group 16
exit
security ike policy IKEPOLICY_HUB
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal IKEPROP_HUB
exit
security ike gateway IKEGW_HUB
version v2-only
ike-policy IKEPOLICY_HUB
local address 203.0.113.1
local network 203.0.113.1/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal IPSECPROP_HUB
authentication algorithm sha2-512
encryption algorithm aes256ctr
pfs dh-group 16
exit
security ipsec policy IPSECPOLICY_HUB
proposal IPSECPROP_HUB
exit
security ipsec vpn IPSECVPN_HUB
type transport
ike establish-tunnel route
ike gateway IKEGW_HUB
ike ipsec-policy IPSECPOLICY_HUB
enable
exit
ip route 0.0.0.0/0 203.0.113.2
Пример конфигурации SPOKE-1:
router ospf 1
router-id 192.0.2.2
area 0.0.0.1
network 198.51.100.1/32
enable
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.10/30
exit
interface loopback 1
ip address 198.51.100.1/32
exit
tunnel gre 1
description "To HUB"
ttl 255
mtu 1416
multipoint
ip firewall disable
local address 203.0.113.10
ip address 192.0.2.2/24
ip ospf instance 1
ip ospf area 0.0.0.1
ip ospf
ip tcp adjust-mss 1360
ip nhrp holding-time 300
ip nhrp shortcut - (приведет к созданию туннеля между NHRP-соседями для оптимального прохождения трафика)
ip nhrp map 192.0.2.1 203.0.113.1
ip nhrp nhs 192.0.2.1
ip nhrp ipsec IPSECVPN_FOR_HUB static
ip nhrp ipsec IPSECVPN_FOR_SPOKE dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal IKEPROP_SPOKE
authentication algorithm sha2-512
encryption algorithm aes256
dh-group 16
exit
security ike policy IKEPOLICY_SPOKE
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal IKEPROP_SPOKE
exit
security ike gateway IKEGW_FOR_HUB
version v2-only
ike-policy IKEPOLICY_SPOKE
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote address 203.0.113.1
remote network 203.0.113.1/32 protocol gre
mode policy-based
exit
security ike gateway IKEGW_FOR_SPOKE
version v2-only
ike-policy IKEPOLICY_SPOKE
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal IPSECPROP_SPOKE
authentication algorithm sha2-512
encryption algorithm aes256ctr
pfs dh-group 16
exit
security ipsec policy IPSECPOLICY_SPOKE
proposal IPSECPROP_SPOKE
exit
security ipsec vpn IPSECVPN_FOR_HUB
type transport
ike establish-tunnel route
ike gateway IKEGW_FOR_HUB
ike ipsec-policy IPSECPOLICY_SPOKE
enable
exit
security ipsec vpn IPSECVPN_FOR_SPOKE
type transport
ike establish-tunnel route
ike gateway IKEGW_FOR_SPOKE
ike ipsec-policy IPSECPOLICY_SPOKE
enable
exit
ip route 0.0.0.0/0 203.0.113.9
Пример конфигурации SPOKE-2:
router ospf 1
router-id 192.0.2.3
area 0.0.0.1
network 198.51.100.2/32
enable
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.14/30
exit
interface loopback 1
ip address 198.51.100.2/32
exit
tunnel gre 1
description "To HUB"
ttl 255
mtu 1416
multipoint
ip firewall disable
local address 203.0.113.14
ip address 192.0.2.3/24
ip ospf instance 1
ip ospf area 0.0.0.1
ip ospf
ip tcp adjust-mss 1360
ip nhrp holding-time 300
ip nhrp shortcut - (приведет к созданию туннеля между NHRP-соседями для оптимального прохождения трафика)
ip nhrp map 192.0.2.1 203.0.113.1
ip nhrp nhs 192.0.2.1
ip nhrp ipsec IPSECVPN_FOR_HUB static
ip nhrp ipsec IPSECVPN_FOR_SPOKE dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal IKEPROP_SPOKE
authentication algorithm sha2-512
encryption algorithm aes256
dh-group 16
exit
security ike policy IKEPOLICY_SPOKE
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal IKEPROP_SPOKE
exit
security ike gateway IKEGW_FOR_HUB
version v2-only
ike-policy IKEPOLICY_SPOKE
local address 203.0.113.14
local network 203.0.113.14/32 protocol gre
remote address 203.0.113.1
remote network 203.0.113.1/32 protocol gre
mode policy-based
exit
security ike gateway IKEGW_FOR_SPOKE
version v2-only
ike-policy IKEPOLICY_SPOKE
local address 203.0.113.14
local network 203.0.113.14/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal IPSECPROP_SPOKE
authentication algorithm sha2-512
encryption algorithm aes256ctr
pfs dh-group 16
exit
security ipsec policy IPSECPOLICY_SPOKE
proposal IPSECPROP_SPOKE
exit
security ipsec vpn IPSECVPN_FOR_HUB
type transport
ike establish-tunnel route
ike gateway IKEGW_FOR_HUB
ike ipsec-policy IPSECPOLICY_SPOKE
enable
exit
security ipsec vpn IPSECVPN_FOR_SPOKE
type transport
ike establish-tunnel route
ike gateway IKEGW_FOR_SPOKE
ike ipsec-policy IPSECPOLICY_SPOKE
enable
exit
ip route 0.0.0.0/0 203.0.113.13
После настроек HUB, Spoke1 и Spoke2 и наличие ip связанности между ними поднимется DMVPN.
Вывод диагностической информации с HUB-1:
HUB# show ip nhrp peers
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.2 203.0.113.10 gre 1 00:04:07 00,19:57:48 dynamic ULCP
192.0.2.3 203.0.113.14 gre 1 00:04:05 00,19:52:47 dynamic ULCP
HUB# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_HUB 203.0.113.1 203.0.113.10 0xfb181a79b0d5fdf6 0x4b87cf2053d2a393 Established
IPSECVPN_HUB 203.0.113.1 203.0.113.14 0xc7ca4f600d6cbc3b 0x144607b8843f35a1 Established
HUB# show ip ospf neighbors
Router ID Pri State DTime Interface Router IP
--------- --- ----- ----- ----------------- ---------
192.0.2.3 128 Full/BDR 00:34 gre 1 192.0.2.3
192.0.2.2 128 Full/Other 00:30 gre 1 192.0.2.2
HUB# show ip route ospf
O E2 * 198.51.100.2/32 [150/1000/10000] via 192.0.2.3 on gre 1 [ospf1 08:38:10] (192.0.2.3)
O 192.0.2.0/24 [150/1000] dev gre 1 [ospf1 08:37:25 from 192.0.2.1] (192.0.2.1)
O E2 * 198.51.100.1/32 [150/1000/10000] via 192.0.2.2 on gre 1 [ospf1 08:37:25] (192.0.2.2)
Вывод информации с SPOKE-1:
Spoke1# show ip nhrp peers
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:01:06 static RLCP
Spoke1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_FOR_HUB 203.0.113.10 203.0.113.1 0xfb181a79b0d5fdf6 0x4b87cf2053d2a393 Established
IPSECVPN_FOR_SPOKE 203.0.113.10 203.0.113.14 0xc3af94b444b03799 0x4127791794136e78 Established
Spoke1# show ip ospf neighbors
Router ID Pri State DTime Interface Router IP
--------- --- ----- ----- ----------------- ---------
192.0.2.1 150 Full/DR 00:39 gre 1 192.0.2.1
Spoke1# show ip route ospf
O E2 * 198.51.100.2/32 [150/1000/10000] via 192.0.2.3 on gre 1 [ospf1 08:38:16] (192.0.2.3)
O 192.0.2.0/24 [150/1000] dev gre 1 [ospf1 08:37:26 from 192.0.2.1] (192.0.2.1)
Вывод информации с SPOKE-1:
Spoke2# show ip nhrp peers
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:01:14 static RLCP
Spoke2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_FOR_HUB 203.0.113.14 203.0.113.1 0xc7ca4f600d6cbc3b 0x144607b8843f35a1 Established
IPSECVPN_FOR_SPOKE 203.0.113.14 203.0.113.10 0xc3af94b444b03799 0x4127791794136e78 Established
Spoke2# show ip ospf neighbors
Router ID Pri State DTime Interface Router IP
--------- --- ----- ----- ----------------- ---------
192.0.2.1 150 Full/DR 00:32 gre 1 192.0.2.1
Spoke2# show ip route ospf
O 192.0.2.0/24 [150/1000] dev gre 1 [ospf1 08:38:10 from 192.0.2.1] (192.0.2.1)
O E2 * 198.51.100.1/32 [150/1000/10000] via 192.0.2.2 on gre 1 [ospf1 08:38:10] (192.0.2.2)
Проверка работы фазы 3 DMVPN:
Необходимо пустить трафик, например сo Spoke1 на Spoke2, можно воспользоваться утилитой ping 198.51.100.2
Spoke1# ping 198.51.100.2 source ip 198.51.100.1
PING 198.51.100.2 (198.51.100.2) from 198.51.100.1 : 56 bytes of data.
!!!!!
Проверяем:
Spoke1# show ip nhrp peers
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:00:29 static RLCP
192.0.2.3 203.0.113.14 gre 1 00:04:49 00,00:00:10 cached ULCP
Spoke1# show ip nhrp shortcut-routes
Network Nexthop Tunnel Expire Created
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- --------------
198.51.100.2/32 192.0.2.3 gre 1 00:04:37 00,00:00:22
Вывод команды show ip nhrp shortcut-routes показывает, что трафик пошел напрямую со Spoke1 на Spoke2