Task: build a DMVPN Single Hub Single Cloud topology (NHRP phase 3) using the BGP dynamic routing protocol. As an example, the Loopback addresses of Spoke1 and Spoke2 are used: as soon as traffic appears between the spokes, phase 3 triggers and the traffic flows directly between them instead of through the hub. The firewall is disabled (ip firewall disable on the uplink and tunnel interfaces).



On the hub the spokes are accepted as dynamic BGP neighbours: the parameters for a listen-range are configured in a separate peer-group, which is then bound to the corresponding listen-range.


1. Configure the uplink interfaces to establish IP connectivity between the routers:

HUB:
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.1/30
exit
ip route 0.0.0.0/0 203.0.113.2

Spoke 1:
interface gigabitethernet 1/0/1
  description "ISP1"
  ip firewall disable
  ip address 203.0.113.10/30
exit
ip route 0.0.0.0/0 203.0.113.9

Spoke 2:
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.14/30
exit
ip route 0.0.0.0/0 203.0.113.13


2. Build GRE over IPsec: the IPsec policy (transport mode, protocol gre) protects the GRE tunnel, and DMVPN is applied with the NHRP parameters needed for phase 3. Note that the hub's IKE gateway accepts any remote address (remote address any) and every spoke uses the same pre-shared key, so the hub's perimeter rests entirely on the secrecy of that key; the encrypted key string shown below is an example and must be replaced.

HUB:
tunnel gre 1
  description "DMVPN HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.1
  ip address 192.0.2.1/24
  ip tcp adjust-mss 1360
  ip nhrp redirect - (lets the NHRP server detect that traffic between two NHRP
                      neighbours is taking a non-optimal path via the hub and
                      signal this to the originating spoke)
  ip nhrp ipsec IPSECVPN_HUB dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_HUB
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_HUB
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_HUB
exit

security ike gateway IKEGW_HUB
  version v2-only
  ike-policy IKEPOLICY_HUB
  local address 203.0.113.1
  local network 203.0.113.1/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP_HUB
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_HUB
  proposal IPSECPROP_HUB
exit

security ipsec vpn IPSECVPN_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_HUB
  ike ipsec-policy IPSECPOLICY_HUB
  enable
exit

Spoke 1: 

tunnel gre 1
  description "To HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.10
  ip address 192.0.2.2/24
  ip tcp adjust-mss 1360
  ip nhrp holding-time 300
  ip nhrp shortcut - (on receiving a redirect, resolves the remote spoke and builds a
                      direct tunnel between the NHRP neighbours for optimal traffic flow)
  ip nhrp map 192.0.2.1 203.0.113.1
  ip nhrp nhs 192.0.2.1
  ip nhrp ipsec IPSECVPN_FOR_HUB static
  ip nhrp ipsec IPSECVPN_FOR_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_SPOKE
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_SPOKE
exit

security ike gateway IKEGW_FOR_HUB
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address 203.0.113.1
  remote network 203.0.113.1/32 protocol gre 
  mode policy-based
exit
security ike gateway IKEGW_FOR_SPOKE
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_SPOKE
  proposal IPSECPROP_SPOKE
exit

security ipsec vpn IPSECVPN_FOR_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_HUB
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit
security ipsec vpn IPSECVPN_FOR_SPOKE
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_SPOKE
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit

Spoke 2:
tunnel gre 1
  description "To HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.14
  ip address 192.0.2.3/24
  ip tcp adjust-mss 1360
  ip nhrp holding-time 300
  ip nhrp shortcut - (on receiving a redirect, resolves the remote spoke and builds a
                      direct tunnel between the NHRP neighbours for optimal traffic flow)
  ip nhrp map 192.0.2.1 203.0.113.1
  ip nhrp nhs 192.0.2.1
  ip nhrp ipsec IPSECVPN_FOR_HUB static
  ip nhrp ipsec IPSECVPN_FOR_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_SPOKE
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_SPOKE
exit

security ike gateway IKEGW_FOR_HUB
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre
  remote address 203.0.113.1
  remote network 203.0.113.1/32 protocol gre
  mode policy-based
exit
security ike gateway IKEGW_FOR_SPOKE
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre
  remote address any
  remote network any protocol gre
  mode policy-based
exit

security ipsec proposal IPSECPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_SPOKE
  proposal IPSECPROP_SPOKE
exit

security ipsec vpn IPSECVPN_FOR_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_HUB
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit
security ipsec vpn IPSECVPN_FOR_SPOKE
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_SPOKE
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit
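The tunnels above use mtu 1416 and ip tcp adjust-mss 1360. The following Python model, added here as an example and not part of the original article or of the ESR software, shows where those numbers come from: it adds up the GRE and ESP transport-mode overhead for the proposal used on this page (aes256ctr with an 8-byte IV per RFC 3686, sha2-512 with a 32-byte truncated ICV per RFC 4868, 4-byte ESP alignment per RFC 4303) and finds the largest inner packet that still fits a 1500-byte uplink. Whether the platform adds a GRE Key field, and the exact padding it applies, are assumptions exposed as parameters, not facts about ESR internals; the page's own values are checked only for fitting under this model.

```python
"""Overhead budget for GRE over IPsec (ESP transport mode) on a 1500-byte uplink.

Added example; header sizes follow the RFCs named in the comments, while GRE key
usage and the 'aes256' = AES-CBC reading are assumptions about the platform.
"""

OUTER_IPV4 = 20   # the GRE delivery IPv4 header, reused as the ESP outer header in transport mode
GRE_BASE = 4      # RFC 2784 GRE header with no optional fields
GRE_KEY = 4       # RFC 2890 Key field, only if the tunnel sets a key (assumption: off here)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # Pad Length (1) + Next Header (1)

# IV length in the ESP payload: RFC 3686 fixes AES-CTR at 8 bytes; AES-CBC carries a 16-byte IV.
IV_LEN = {"aes256ctr": 8, "aes256": 16}
# RFC 4303 requires 4-byte alignment of payload+pad+trailer; CBC additionally needs 16-byte blocks.
ALIGN = {"aes256ctr": 4, "aes256": 16}
# Truncated HMAC ICV lengths: RFC 4868 for SHA-2, RFC 2404 for SHA-1.
ICV_LEN = {"sha2-512": 32, "sha2-256": 16, "sha1": 12}


def esp_padding(plaintext_len: int, align: int) -> int:
    """Padding bytes so that plaintext + padding + trailer is a multiple of `align`."""
    return (-(plaintext_len + ESP_TRAILER)) % align


def wire_size(inner_len: int, enc: str = "aes256ctr", auth: str = "sha2-512",
              gre_key: bool = False) -> int:
    """Bytes on the uplink for an inner IPv4 packet of `inner_len` bytes sent through the tunnel."""
    gre = GRE_BASE + (GRE_KEY if gre_key else 0)
    plaintext = gre + inner_len               # ESP encrypts the GRE header and the inner packet
    pad = esp_padding(plaintext, ALIGN[enc])
    return OUTER_IPV4 + ESP_HDR + IV_LEN[enc] + plaintext + pad + ESP_TRAILER + ICV_LEN[auth]


def max_tunnel_mtu(link_mtu: int = 1500, **kw) -> int:
    """Largest inner packet that leaves the uplink without IP fragmentation."""
    inner = link_mtu
    while wire_size(inner, **kw) > link_mtu:
        inner -= 1
    return inner


def tcp_mss(tunnel_mtu: int, tcp_options: int = 12) -> int:
    """MSS that keeps a full-size segment inside tunnel_mtu: IPv4 (20) + TCP (20) + room for options.

    12 bytes covers the common timestamp + SACK-permitted/window-scale option set.
    """
    return tunnel_mtu - 20 - 20 - tcp_options


if __name__ == "__main__":
    print("1416-byte inner packet on the wire:", wire_size(1416))          # 1492, under 1500
    print("largest inner MTU, no GRE key:     ", max_tunnel_mtu())         # 1426
    print("largest inner MTU, with GRE key:   ", max_tunnel_mtu(gre_key=True))  # 1422
    print("MSS derived from mtu 1416:         ", tcp_mss(1416))            # 1364; page uses 1360
```

Under these assumptions the page's mtu 1416 leaves 8 bytes of headroom below the largest fragmentation-free value, and its adjust-mss 1360 is slightly more conservative than the 1364 the arithmetic gives, which is the right direction: a too-large MSS silently turns into fragmented ESP or blackholed TCP when PMTUD is filtered.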


3. Configure BGP to advertise the networks (198.51.100.1/32 and 198.51.100.2/32) between the spokes, as the traffic used to demonstrate phase 3:

HUB:
router bgp 65001
  router-id 192.0.2.1
  peer-group DMVPN
    remote-as 65001
    route-reflector-client - (set per BGP neighbour (peer); marks the neighbour as a client of the
                             route reflector. Without it the hub, as an iBGP speaker, would not
                             re-advertise a prefix learned from one spoke to the other spoke.)
    address-family ipv4 unicast
      enable
    exit
  exit
  listen-range 192.0.2.0/24
    peer-group DMVPN
    enable
  exit
  enable
exit

Spoke 1:
router bgp 65001
  router-id 192.0.2.2
  neighbor 192.0.2.1
    remote-as 65001
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 198.51.100.1/32
  exit
  enable
exit

interface loopback 1
  ip address 198.51.100.1/32
exit

Spoke 2:
router bgp 65001
  router-id 192.0.2.3
  neighbor 192.0.2.1
    remote-as 65001
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 198.51.100.2/32
  exit
  enable
exit

interface loopback 1
  ip address 198.51.100.2/32
exit



Diagnostic output on the HUB:

HUB# show ip nhrp peers 
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags        
                                                      (h:m:s)     (d,h:m:s)                                       
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------   
192.0.2.2              203.0.113.10       gre 1       00:04:16    00,03:09:16      dynamic           LCP          
192.0.2.3              203.0.113.14       gre 1       00:04:14    00,03:09:18      dynamic           LCP          

HUB# show security ipsec vpn status
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPSECVPN_HUB                      203.0.113.1       203.0.113.10      0xcae05f744d8d428b   0xd5afbc7eef06d1aa   Established   
IPSECVPN_HUB                      203.0.113.1       203.0.113.14      0xea5e34c5b61d702f   0x3299670ccada35d3   Established  

HUB# show bgp neighbors 
BGP neighbor is 192.0.2.2
    BGP state:                          Established
    Type:                               Dynamic neighbor
    Listen range prefix:                192.0.2.0/24
    Neighbor address:                   192.0.2.2
    Neighbor AS:                        65001
    Neighbor ID:                        192.0.2.2
    Neighbor caps:                      refresh enhanced-refresh restart-aware AS4
    Session:                            internal multihop route-reflector AS4
    Source address:                     192.0.2.1
    Weight:                             0
    Hold timer:                         127/180
    Keepalive timer:                    21/60
    Peer group:                         DMVPN
    RR client:                          Yes
    Address family ipv4 unicast:       
      Send-label:                       No
      Default originate:                No
      Default information originate:    No
      Preference:                       170
      Remove private AS:                No
      Next-hop self:                    No
      Next-hop unchanged:               Yes
    Uptime (d,h:m:s):                   00,03:10:30
BGP neighbor is 192.0.2.3
    BGP state:                          Established
    Type:                               Dynamic neighbor
    Listen range prefix:                192.0.2.0/24
    Neighbor address:                   192.0.2.3
    Neighbor AS:                        65001
    Neighbor ID:                        192.0.2.3
    Neighbor caps:                      refresh enhanced-refresh restart-aware AS4
    Session:                            internal multihop route-reflector AS4
    Source address:                     192.0.2.1
    Weight:                             0
    Hold timer:                         139/180
    Keepalive timer:                    55/60
    Peer group:                         DMVPN
    RR client:                          Yes
    Address family ipv4 unicast:       
      Send-label:                       No
      Default originate:                No
      Default information originate:    No
      Preference:                       170
      Remove private AS:                No
      Next-hop self:                    No
      Next-hop unchanged:               Yes
    Uptime (d,h:m:s):                   00,02:14:52

HUB# show ip route bgp 
B     * 198.51.100.2/32    [170/0]           via 192.0.2.3 on gre 1            [bgp65001 05:33:15] (i)
B     * 198.51.100.1/32    [170/0]           via 192.0.2.2 on gre 1            [bgp65001 05:30:57] (i)


Output on SPOKE-1:

Spoke1# show ip nhrp peers
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags        
                                                      (h:m:s)     (d,h:m:s)                                       
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------   
192.0.2.1              203.0.113.1        gre 1       --          00,00:00:19      static            RULCP   

Spoke1# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPSECVPN_FOR_SPOKE                203.0.113.10      203.0.113.14      0xc5680420c9aa70b8   0xc72ba7a738001529   Established   
IPSECVPN_FOR_HUB                  203.0.113.10      203.0.113.1       0xcae05f744d8d428b   0xd5afbc7eef06d1aa   Established   

Spoke1# show bgp neighbors 
BGP neighbor is 192.0.2.1
    BGP state:                          Established
    Type:                               Static neighbor
    Neighbor address:                   192.0.2.1
    Neighbor AS:                        65001
    Neighbor ID:                        192.0.2.1
    Neighbor caps:                      refresh enhanced-refresh restart-aware AS4
    Session:                            internal multihop AS4
    Source address:                     192.0.2.2
    Weight:                             0
    Hold timer:                         119/180
    Keepalive timer:                    5/60
    RR client:                          No
    Address family ipv4 unicast:       
      Send-label:                       No
      Default originate:                No
      Default information originate:    No
      Preference:                       170
      Remove private AS:                No
      Next-hop self:                    No
      Next-hop unchanged:               No
    Uptime (d,h:m:s):                   00,03:13:15

Spoke1# show ip route bgp 
B     * 198.51.100.2/32    [170/0]           via 192.0.2.3 on gre 1            [bgp65001 05:33:15 from 192.0.2.1] (i)


Output on SPOKE-2:

Spoke2#  show ip nhrp peers
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags        
                                                      (h:m:s)     (d,h:m:s)                                       
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------   
192.0.2.1              203.0.113.1        gre 1       --          00,00:00:19      static            RULCP   

Spoke2#  show security ipsec vpn status
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPSECVPN_FOR_SPOKE                203.0.113.14      203.0.113.10      0xc5680420c9aa70b8   0xc72ba7a738001529   Established   
IPSECVPN_FOR_HUB                  203.0.113.14      203.0.113.1       0xea5e34c5b61d702f   0x3299670ccada35d3   Established   

Spoke2# show bgp neighbors 
BGP neighbor is 192.0.2.1
    BGP state:                          Established
    Type:                               Static neighbor
    Neighbor address:                   192.0.2.1
    Neighbor AS:                        65001
    Neighbor ID:                        192.0.2.1
    Neighbor caps:                      refresh enhanced-refresh restart-aware AS4
    Session:                            internal multihop AS4
    Source address:                     192.0.2.3
    Weight:                             0
    Hold timer:                         111/180
    Keepalive timer:                    29/60
    RR client:                          No
    Address family ipv4 unicast:       
      Send-label:                       No
      Default originate:                No
      Default information originate:    No
      Preference:                       170
      Remove private AS:                No
      Next-hop self:                    No
      Next-hop unchanged:               No
    Uptime (d,h:m:s):                   00,02:22:25

Spoke2# show ip route bgp 
B     * 198.51.100.1/32    [170/0]           via 192.0.2.2 on gre 1            [bgp65001 05:33:15 from 192.0.2.1] (i)


Verifying DMVPN phase 3:

Send traffic between the spokes, for example from Spoke1 to Spoke2; the ping utility will do (ping 198.51.100.2, sourced from the Spoke1 loopback so that the packets match the BGP-learned /32 routes):

Spoke1# ping 198.51.100.2 source ip 198.51.100.1
PING 198.51.100.2 (198.51.100.2) from 198.51.100.1 : 56 bytes of data.
!!!!!

Spoke1# show ip nhrp peers
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags        
                                                      (h:m:s)     (d,h:m:s)                                       
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------   
192.0.2.1              203.0.113.1        gre 1       --          00,00:00:19      static            RULCP        
192.0.2.3              203.0.113.14       gre 1       00:04:20    00,00:00:39      cached            ULCP     

Spoke1# show ip nhrp shortcut-routes 
Network                Nexthop            Tunnel      Expire      Created          
                                                      (h:m:s)     (d,h:m:s)        
--------------------   ----------------   ---------   ---------   --------------   
198.51.100.2/32        192.0.2.3          gre 1       00:03:47    00,00:01:12    

The output of show ip nhrp shortcut-routes shows that traffic now goes directly from Spoke1 to Spoke2 (phase 3 has triggered): the hub answered the first packets with an NHRP redirect, Spoke1 resolved 192.0.2.3 to its NBMA address 203.0.113.14 (the new cached entry in show ip nhrp peers), and the spoke-to-spoke SA IPSECVPN_FOR_SPOKE between 203.0.113.10 and 203.0.113.14 seen earlier in show security ipsec vpn status carries that traffic. The P flag on the cached entry confirms the direct path is IPsec-protected; a cached entry without P would mean the spokes are exchanging GRE in cleartext.
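Added example, not part of the original article or of any Eltex tooling: a small Python check that parses the two show outputs above and reports any NHRP peer whose path is not protected, which is the check worth scripting after a phase-3 rollout. It relies on the flag legend printed by show ip nhrp peers (P - protected) and on the column layout shown on this page; the sample text is the Spoke1 listing, plus one constructed peer entry with no P flag and no SA so that a finding is visible.

```python
"""Cross-check 'show ip nhrp peers' against 'show security ipsec vpn status'.

Every NHRP peer (static hub entry or phase-3 'cached' spoke) must carry the P flag
and have an Established IPsec SA whose remote host equals the peer's NBMA address.
Sample outputs are constructed from the listings in the article above.
"""
import re

NHRP_PEERS = """\
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags
                                                      (h:m:s)     (d,h:m:s)
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------
192.0.2.1              203.0.113.1        gre 1       --          00,00:00:19      static            RULCP
192.0.2.3              203.0.113.14       gre 1       00:04:20    00,00:00:39      cached            ULCP
"""

# Constructed extra line: a shortcut peer with no P flag and (below) no matching SA.
NHRP_PEERS_UNPROTECTED = NHRP_PEERS + (
    "192.0.2.4              203.0.113.18       gre 1       00:04:00    00,00:00:10      cached            ULC\n"
)

IPSEC_STATUS = """\
Name                              Local host        Remote host       Initiator spi        Responder spi        State
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------
IPSECVPN_FOR_SPOKE                203.0.113.10      203.0.113.14      0xc5680420c9aa70b8   0xc72ba7a738001529   Established
IPSECVPN_FOR_HUB                  203.0.113.10      203.0.113.1       0xcae05f744d8d428b   0xd5afbc7eef06d1aa   Established
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(
    rf"^(?P<tunnel>{IPV4})\s+(?P<nbma>{IPV4})\s+(?P<iface>gre \d+)\s+"
    rf"(?P<expire>\S+)\s+(?P<created>\S+)\s+(?P<type>\w+)\s+(?P<flags>[A-Z]+)\s*$",
    re.M,
)
SA_RE = re.compile(
    rf"^(?P<name>\S+)\s+(?P<local>{IPV4})\s+(?P<remote>{IPV4})\s+"
    rf"0x[0-9a-f]+\s+0x[0-9a-f]+\s+(?P<state>\w+)\s*$",
    re.M,
)


def parse_nhrp_peers(text: str) -> list[dict]:
    """Data rows of 'show ip nhrp peers'; the legend and header lines do not start with an IPv4."""
    return [m.groupdict() for m in PEER_RE.finditer(text)]


def parse_ipsec_status(text: str) -> list[dict]:
    """Data rows of 'show security ipsec vpn status'."""
    return [m.groupdict() for m in SA_RE.finditer(text)]


def shortcut_peers(nhrp_text: str) -> list[str]:
    """Tunnel addresses learned by phase-3 resolution (type 'cached'), i.e. direct spoke-to-spoke paths."""
    return [p["tunnel"] for p in parse_nhrp_peers(nhrp_text) if p["type"] == "cached"]


def audit(nhrp_text: str, ipsec_text: str) -> list[tuple[str, str, list[str]]]:
    """One finding (tunnel address, entry type, problems) per NHRP peer that is not fully protected."""
    established = {sa["remote"] for sa in parse_ipsec_status(ipsec_text)
                   if sa["state"] == "Established"}
    findings = []
    for peer in parse_nhrp_peers(nhrp_text):
        problems = []
        if "P" not in peer["flags"]:
            problems.append("NHRP entry lacks the P (protected) flag")
        if peer["nbma"] not in established:
            problems.append(f"no Established IPsec SA to NBMA address {peer['nbma']}")
        if problems:
            findings.append((peer["tunnel"], peer["type"], problems))
    return findings


if __name__ == "__main__":
    print("direct spoke paths:", shortcut_peers(NHRP_PEERS))
    for sample in (NHRP_PEERS, NHRP_PEERS_UNPROTECTED):
        for tunnel, kind, problems in audit(sample, IPSEC_STATUS) or []:
            print(f"{tunnel} ({kind}): " + "; ".join(problems))
```

Run against the page's real output the audit returns nothing, since both peers carry P and both NBMA addresses have an Established SA; against the constructed extra entry it reports 192.0.2.4 with two problems. In practice feed it the raw output of the two commands collected from each spoke.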



