Current network diagram:
Task: In the existing DMVPN (Phase 2) topology, SPOKE-2, which uses two interfaces for Internet access via MultiWAN, must be connected so that its local subnet 192.0.2.128/25 becomes reachable. BGP is to be used as the dynamic routing protocol inside the DMVPN. The firewall is disabled.
Initial data: For Internet access on SPOKE-2 the provider allocated IP addresses from the subnets 203.0.113.12/30 and 203.0.113.8/30. MultiWAN will be used in load-balancing mode.
Algorithms used for the IKE SA:
- IKE version: 1
- Authentication algorithm: sha2-384
- Encryption algorithm: aes256cbc
- DH-group 21
Algorithms used for the IPsec SA:
- Authentication algorithm: sha2-256
- Encryption algorithm: aes256cbc
- PFS DH-group 19
- Protocol: ESP
Initial HUB configuration:
hostname HUB
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.1
peer-group Cloud1
remote-as 65000
route-reflector-client
update-source 198.51.100.1
address-family ipv4 unicast
enable
exit
exit
listen-range 198.51.100.0/25
peer-group Cloud1
enable
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.2/30
exit
tunnel gre 1
key 10
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.2
ip address 198.51.100.1/25
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_for_spokes dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-384
encryption algorithm aes256
dh-group 21
exit
security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit
security ike gateway ike_for_spokes
ike-policy ike_policy
local address 203.0.113.2
local network 203.0.113.2/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_for_spokes
type transport
ike establish-tunnel route
ike gateway ike_for_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.1
Initial SPOKE-1 configuration:
hostname SPOKE-1
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.2
neighbor 198.51.100.1
description "Cloud_1"
remote-as 65000
address-family ipv4 unicast
enable
exit
enable
exit
address-family ipv4 unicast
network 192.0.2.0/25
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.6/30
exit
interface gigabitethernet 1/0/3
ip firewall disable
ip address 192.0.2.1/25
exit
tunnel gre 1
key 10
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.6
ip address 198.51.100.2/25
ip tcp adjust-mss 1340
ip nhrp holding-time 90
ip nhrp map 198.51.100.1 203.0.113.2
ip nhrp nhs 198.51.100.1
ip nhrp ipsec ipsec_for_hub static
ip nhrp ipsec ipsec_for_spokes dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-384
encryption algorithm aes256
dh-group 21
exit
security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit
security ike gateway ike_for_hub
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_for_spokes
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_for_hub
type transport
ike establish-tunnel route
ike gateway ike_for_hub
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_for_spokes
type transport
ike establish-tunnel route
ike gateway ike_for_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.5
Operational status as seen from the HUB:
HUB# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_for_spokes 203.0.113.2 203.0.113.6 0xc67e4e0a9f3804c0 0xd9e59bb52a0bc755 Established
HUB# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
198.51.100.2 203.0.113.6 gre 1 00:01:14 00,16:19:35 dynamic LCP
HUB# show bgp neighbors
BGP neighbor is 198.51.100.2
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 198.51.100.0/25
Neighbor address: 198.51.100.2
Neighbor AS: 65000
Neighbor ID: 198.51.100.2
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop route-reflector AS4
Source address: 198.51.100.1
Weight: 10
Hold timer: 118/180
Keepalive timer: 38/60
Peer group: Cloud1
RR client: Yes
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Outgoing route-map: out_to_Cloud1
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: Yes
Uptime (d,h:m:s): 00,16:37:26
HUB# show ip route bgp
B * 192.0.2.0/25 [170/0] via 198.51.100.2 on gre 1 [bgp65000 18:47:58] (i)
Operational status as seen from SPOKE-1:
SPOKE-1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_for_hub 203.0.113.6 203.0.113.2 0xc67e4e0a9f3804c0 0xd9e59bb52a0bc755 Established
SPOKE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
198.51.100.1 203.0.113.2 gre 1 -- 00,00:00:12 static RULCP
SPOKE-1# show bgp neighbors
BGP neighbor is 198.51.100.1
Description: Cloud_1
BGP state: Established
Type: Static neighbor
Neighbor address: 198.51.100.1
Neighbor AS: 65000
Neighbor ID: 198.51.100.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 198.51.100.2
Weight: 0
Hold timer: 118/180
Keepalive timer: 49/60
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,16:38:56
Based on the initial data and the task description, the WAN and LAN links on SPOKE-2 must be connected according to the following diagram:
Configure the interfaces on SPOKE-2 according to the diagram:
MultiWAN configuration is described in more detail in the article "MultiWAN technology" (Технология MultiWAN).
Once the interfaces are connected according to the diagram and there is IP connectivity to all of them, the resulting routing table is as follows:
Since SPOKE-2 uses two interfaces for WAN access, two GRE tunnels will be built towards the HUB for redundancy, that is, Cloud 2 will be added. For now, connect SPOKE-2 to the HUB within Cloud 1 through interface gi1/0/1 according to the following diagram:
Since MultiWAN runs in load-balancing mode, GRE packets could otherwise leave through either interface, so local PBR is used to pin each tunnel's source address to its own WAN link.
1) Configure local PBR:
2) Configure tunnel gre 1 and router bgp 65000:
3) Configure IPsec:
Verify that, once the configuration is applied and there is IP connectivity between the SPOKE and the HUB, the IPsec tunnel is established, the SPOKE has registered with the HUB, the BGP session is up and SPOKE-2 has received routing information from the HUB:
Operational status as seen from SPOKE-2:
Operational status as seen from the HUB:
Since DMVPN Cloud 1 operates in Phase 2, send a ping from SPOKE-2 towards SPOKE-1 and verify that an IPsec tunnel and a dynamic GRE tunnel are built directly between the two SPOKEs.
Operational status as seen from SPOKE-2:
Operational status as seen from SPOKE-1:
Cloud 1 is the primary cloud to which all SPOKEs connect, and it operates in Phase 2. Since SPOKE-2 uses a second interface for redundancy, tunnel gre 2 must be configured, that is, Cloud 2 must be set up.
Cloud 2 will operate strictly in Phase 1, with traffic between SPOKEs passing only through the HUB, because Cloud 1 cannot build dynamic tunnels into Cloud 2. The diagram will look as follows:

1) Configure tunnel gre 2 and IPsec on the HUB and on the SPOKE.
The HUB keeps its initial IPsec configuration. The tunnel gre 2 configuration on the HUB is as follows:
Since Cloud 2 operates in Phase 1, SPOKE-2 only needs IPsec towards the HUB. The initial ike-policy and ipsec-policy configurations, ike_policy and ipsec_policy, are reused.
Check that the IPsec tunnel is established and that SPOKE-2 has registered with the HUB for Cloud 2.
Operational status as seen from SPOKE-2:
Operational status as seen from the HUB:
2) Next, configure routing on SPOKE-2 and on the HUB.
Cloud 2 also uses AS 65000. On SPOKE-2, configure BGP for neighbor 198.51.100.129 in the same way as for neighbor 198.51.100.1.
Since Cloud 1 is the primary cloud, routes learned from Cloud 1 must be preferred over routes learned from Cloud 2. To achieve this, set the weight attribute in the configuration of neighbor 198.51.100.1.
On the HUB, keep in mind that Cloud 2 operates in Phase 1, so routing information must point through the HUB. This requires:
- enabling next-hop-self all in the AFI configuration of peer-group Cloud2;
- configuring route-map out_Cloud1 for peer-group Cloud1 so that routes received from Cloud2 are announced with the HUB's own address as the next hop.
Since Cloud 1 is the primary cloud, routes learned from Cloud 1 must be preferred over routes learned from Cloud 2. To achieve this, set the weight attribute in the configuration of peer-group Cloud1.
Operational status of the BGP sessions as seen from SPOKE-2 and the HUB:
Diagram:
HUB configuration:
hostname HUB
object-group network from_Cloud2
ip address-range 198.51.100.129-198.51.100.254
exit
route-map out_Cloud1
rule 1
match ip bgp next-hop object-group from_Cloud2
action set ip bgp-next-hop 198.51.100.1
exit
exit
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.1
peer-group Cloud1
remote-as 65000
weight 10
route-reflector-client
update-source 198.51.100.1
address-family ipv4 unicast
route-map out_Cloud1 out
enable
exit
exit
peer-group Cloud2
remote-as 65000
update-source 198.51.100.129
address-family ipv4 unicast
next-hop-self all
enable
exit
exit
listen-range 198.51.100.0/25
peer-group Cloud1
enable
exit
listen-range 198.51.100.128/25
peer-group Cloud2
enable
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.2/30
exit
tunnel gre 1
key 10
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.2
ip address 198.51.100.1/25
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_for_spokes dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
tunnel gre 2
key 20
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.2
ip address 198.51.100.129/25
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_for_spokes dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-384
encryption algorithm aes256
dh-group 21
exit
security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit
security ike gateway ike_for_spokes
ike-policy ike_policy
local address 203.0.113.2
local network 203.0.113.2/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_for_spokes
type transport
ike establish-tunnel route
ike gateway ike_for_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.1
SPOKE-1 configuration:
hostname SPOKE-1
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.2
neighbor 198.51.100.1
description "Cloud_1"
remote-as 65000
address-family ipv4 unicast
enable
exit
enable
exit
address-family ipv4 unicast
network 192.0.2.0/25
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.6/30
exit
interface gigabitethernet 1/0/3
ip firewall disable
ip address 192.0.2.1/25
exit
tunnel gre 1
key 10
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.6
ip address 198.51.100.2/25
ip tcp adjust-mss 1340
ip nhrp holding-time 90
ip nhrp map 198.51.100.1 203.0.113.2
ip nhrp nhs 198.51.100.1
ip nhrp ipsec ipsec_for_hub static
ip nhrp ipsec ipsec_for_spokes dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-384
encryption algorithm aes256
dh-group 21
exit
security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit
security ike gateway ike_for_hub
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_for_spokes
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_for_hub
type transport
ike establish-tunnel route
ike gateway ike_for_hub
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_for_spokes
type transport
ike establish-tunnel route
ike gateway ike_for_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.5
SPOKE-2 configuration:
hostname SPOKE-2
ip access-list extended LOCAL_1
rule 1
action permit
match source-address 203.0.113.14 255.255.255.255
enable
exit
exit
ip access-list extended LOCAL_2
rule 1
action permit
match source-address 203.0.113.10 255.255.255.255
enable
exit
exit
route-map PBR_LOCAL
rule 1
match ip access-group LOCAL_1
action set ip next-hop verify-availability 203.0.113.13 1
exit
rule 2
match ip access-group LOCAL_2
action set ip next-hop verify-availability 203.0.113.9 1
exit
exit
ip local policy route-map PBR_LOCAL
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.3
neighbor 198.51.100.1
description "Cloud_1"
remote-as 65000
weight 10
update-source 198.51.100.3
address-family ipv4 unicast
enable
exit
enable
exit
neighbor 198.51.100.129
description "Cloud_2"
remote-as 65000
update-source 198.51.100.131
address-family ipv4 unicast
enable
exit
enable
exit
address-family ipv4 unicast
network 192.0.2.128/25
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.14/30
wan load-balance nexthop 203.0.113.13
wan load-balance enable
exit
interface gigabitethernet 1/0/2
ip firewall disable
ip address 203.0.113.10/30
wan load-balance nexthop 203.0.113.9
wan load-balance enable
exit
interface gigabitethernet 1/0/3
ip firewall disable
ip address 192.0.2.129/25
exit
tunnel gre 1
key 10
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.14
ip address 198.51.100.3/25
ip tcp adjust-mss 1340
ip nhrp holding-time 90
ip nhrp map 198.51.100.1 203.0.113.2
ip nhrp nhs 198.51.100.1
ip nhrp ipsec ipsec_for_hub_cloud1 static
ip nhrp ipsec ipsec_for_spokes_cloud1 dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
tunnel gre 2
key 20
ttl 255
mtu 1400
ip firewall disable
local address 203.0.113.10
remote address 203.0.113.2
ip address 198.51.100.131/25
ip tcp adjust-mss 1340
ip nhrp holding-time 90
ip nhrp map 198.51.100.129 203.0.113.2
ip nhrp nhs 198.51.100.129
ip nhrp ipsec ipsec_for_hub_cloud2 static
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-384
encryption algorithm aes256
dh-group 21
exit
security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit
security ike gateway ike_for_hub_cloud1
ike-policy ike_policy
local address 203.0.113.14
local network 203.0.113.14/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_for_hub_cloud2
ike-policy ike_policy
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_for_spokes_cloud1
ike-policy ike_policy
local address 203.0.113.14
local network 203.0.113.14/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_for_hub_cloud1
type transport
ike establish-tunnel route
ike gateway ike_for_hub_cloud1
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_for_hub_cloud2
type transport
ike establish-tunnel route
ike gateway ike_for_hub_cloud2
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_for_spokes_cloud1
type transport
ike establish-tunnel route
ike gateway ike_for_spokes_cloud1
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 wan load-balance rule 1
wan load-balance rule 1
outbound interface gigabitethernet 1/0/1
outbound interface gigabitethernet 1/0/2
enable
exit
With IP connectivity in place, the IPsec, NHRP and BGP states are as follows:
HUB# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_for_spokes 203.0.113.2 203.0.113.10 0xafe0e288bee0cf81 0xc841dbf8737f4177 Established
ipsec_for_spokes 203.0.113.2 203.0.113.14 0x88373d172b0acc01 0x24437c3d5fa8316f Established
ipsec_for_spokes 203.0.113.2 203.0.113.6 0x00b134361442f9f1 0x4fd04d0d08ecb05a Established
HUB# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
198.51.100.2 203.0.113.6 gre 1 00:01:10 00,00:09:37 dynamic LCP
198.51.100.3 203.0.113.14 gre 1 00:01:01 00,00:09:46 dynamic LCP
198.51.100.131 203.0.113.10 gre 2 00:01:00 00,00:09:47 dynamic LCP
HUB# show bgp neighbors
BGP neighbor is 198.51.100.131
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 198.51.100.128/25
Neighbor address: 198.51.100.131
Neighbor AS: 65000
Neighbor ID: 198.51.100.3
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 198.51.100.129
Weight: 0
Hold timer: 136/180
Keepalive timer: 7/60
Peer group: Cloud2
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: Yes
Next-hop unchanged: No
Uptime (d,h:m:s): 00,00:09:49
BGP neighbor is 198.51.100.3
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 198.51.100.0/25
Neighbor address: 198.51.100.3
Neighbor AS: 65000
Neighbor ID: 198.51.100.3
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop route-reflector AS4
Source address: 198.51.100.1
Weight: 10
Hold timer: 143/180
Keepalive timer: 22/60
Peer group: Cloud1
RR client: Yes
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Outgoing route-map: out_Cloud1
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: Yes
Uptime (d,h:m:s): 00,00:09:48
BGP neighbor is 198.51.100.2
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 198.51.100.0/25
Neighbor address: 198.51.100.2
Neighbor AS: 65000
Neighbor ID: 198.51.100.2
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop route-reflector AS4
Source address: 198.51.100.1
Weight: 10
Hold timer: 151/180
Keepalive timer: 1/60
Peer group: Cloud1
RR client: Yes
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Outgoing route-map: out_Cloud1
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: Yes
Uptime (d,h:m:s): 00,00:09:40
HUB# show bgp ipv4 unicast
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
* - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> u 192.0.2.0/25 198.51.100.2 -- 100 10 i
*> u 192.0.2.128/25 198.51.100.3 -- 100 10 i
* u 192.0.2.128/25 198.51.100.131 -- 100 0 i
SPOKE-1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_for_hub 203.0.113.6 203.0.113.2 0x00b134361442f9f1 0x4fd04d0d08ecb05a Established
SPOKE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
198.51.100.1 203.0.113.2 gre 1 -- 00,00:00:22 static RULCP
SPOKE-1# show bgp neighbors
BGP neighbor is 198.51.100.1
Description: Cloud_1
BGP state: Established
Type: Static neighbor
Neighbor address: 198.51.100.1
Neighbor AS: 65000
Neighbor ID: 198.51.100.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 198.51.100.2
Weight: 0
Hold timer: 143/180
Keepalive timer: 21/60
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,00:14:22
SPOKE-1# show bgp ipv4 unicast
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
* - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> u 192.0.2.128/25 198.51.100.3 -- 100 0 i
SPOKE-2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
ipsec_for_hub_cloud2 203.0.113.10 203.0.113.2 0xafe0e288bee0cf81 0xc841dbf8737f4177 Established
ipsec_for_hub_cloud1 203.0.113.14 203.0.113.2 0x88373d172b0acc01 0x24437c3d5fa8316f Established
SPOKE-2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
198.51.100.1 203.0.113.2 gre 1 -- 00,00:00:09 static RULCP
198.51.100.129 203.0.113.2 gre 2 -- 00,00:00:10 static RULCNP
SPOKE-2# show bgp neighbors
BGP neighbor is 198.51.100.1
Description: Cloud_1
BGP state: Established
Type: Static neighbor
Neighbor address: 198.51.100.1
Neighbor AS: 65000
Neighbor ID: 198.51.100.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 198.51.100.3
Weight: 0
Hold timer: 136/180
Keepalive timer: 10/60
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,00:12:03
BGP neighbor is 198.51.100.129
Description: Cloud_2
BGP state: Established
Type: Static neighbor
Neighbor address: 198.51.100.129
Neighbor AS: 65000
Neighbor ID: 198.51.100.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 198.51.100.131
Weight: 0
Hold timer: 140/180
Keepalive timer: 14/60
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,00:12:05
SPOKE-2# show bgp ipv4 unicast
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
* - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> u 192.0.2.0/25 198.51.100.2 -- 100 10 i
* u 192.0.2.0/25 198.51.100.129 -- 100 0 i
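The weight preference configured in step 2 on the HUB and on SPOKE-2, together with the out_Cloud1 next-hop rewrite and next-hop-self on peer-group Cloud2, can be checked against the tables above with a small model. The Python below is an added example, not part of the original article and not ESR code; it assumes that weight and then LocPrf decide the best path, that out_Cloud1 matches next hops 198.51.100.129-198.51.100.254, and that next-hop-self makes every prefix sent to Cloud 2 carry 198.51.100.129. The HUB table is copied from the show output above, and the model ignores that a prefix is not sent back to the spoke that originated it.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

# Addresses from the article's topology.
HUB_CLOUD1 = "198.51.100.1"    # HUB tunnel address in Cloud 1 (gre 1)
HUB_CLOUD2 = "198.51.100.129"  # HUB tunnel address in Cloud 2 (gre 2)
# object-group from_Cloud2 on the HUB: 198.51.100.129-198.51.100.254
FROM_CLOUD2 = (IPv4Address("198.51.100.129"), IPv4Address("198.51.100.254"))

# 'show bgp ipv4 unicast' on the HUB, copied from the output shown above.
HUB_TABLE = """\
Network Next Hop Metric LocPrf Weight Path
*> u 192.0.2.0/25 198.51.100.2 -- 100 10 i
*> u 192.0.2.128/25 198.51.100.3 -- 100 10 i
* u 192.0.2.128/25 198.51.100.131 -- 100 0 i
"""


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    local_pref: int
    weight: int


def parse_bgp_table(text: str) -> list[Path]:
    """Parse the ESR 'show bgp ipv4 unicast' table into Path records."""
    paths = []
    for line in text.splitlines():
        parts = line.split()
        # Route rows start with the status code ('*' or '*>'); skip the headers.
        if not parts or not parts[0].startswith("*"):
            continue
        # Columns from the right: Network, Next Hop, Metric, LocPrf, Weight, Path
        prefix, next_hop, _metric, locprf, weight = parts[-6:-1]
        paths.append(Path(prefix, next_hop, int(locprf), int(weight)))
    return paths


def best_paths(paths: list[Path]) -> dict[str, Path]:
    """One best path per prefix: highest weight wins, then highest LocPrf (assumed order)."""
    best: dict[str, Path] = {}
    for p in paths:
        cur = best.get(p.prefix)
        if cur is None or (p.weight, p.local_pref) > (cur.weight, cur.local_pref):
            best[p.prefix] = p
    return best


def out_cloud1(p: Path) -> Path:
    """route-map out_Cloud1: a path learned over Cloud 2 is announced with the HUB's Cloud 1 address."""
    if FROM_CLOUD2[0] <= IPv4Address(p.next_hop) <= FROM_CLOUD2[1]:
        return replace(p, next_hop=HUB_CLOUD1)
    return p  # Cloud 1 paths keep the spoke's next hop, so Phase 2 spoke-to-spoke tunnels still form


def advertised(table: str, lost_next_hops: frozenset[str] = frozenset()) -> dict[str, dict[str, str]]:
    """Next hop the HUB announces for each prefix to Cloud 1 and to Cloud 2.

    lost_next_hops removes paths whose BGP session has gone down (for example
    SPOKE-2's Cloud 1 address 198.51.100.3 after its gi1/0/1 uplink fails).
    """
    alive = [p for p in parse_bgp_table(table) if p.next_hop not in lost_next_hops]
    best = best_paths(alive)
    return {
        "cloud1": {pfx: out_cloud1(p).next_hop for pfx, p in best.items()},
        # next-hop-self all on peer-group Cloud2: every prefix points at the HUB itself.
        "cloud2": {pfx: HUB_CLOUD2 for pfx in best},
    }


if __name__ == "__main__":
    print("normal:  ", advertised(HUB_TABLE))
    print("failover:", advertised(HUB_TABLE, frozenset({"198.51.100.3"})))
```

With all sessions up, Cloud 1 spokes receive 192.0.2.128/25 with next hop 198.51.100.3 (as SPOKE-1 shows above); once 198.51.100.3 is gone, the same prefix is announced with next hop 198.51.100.1.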
As a result, when traffic is sent from LAN 2 to LAN 1, a dynamic tunnel is built within Cloud 1:
Consider the case where 203.0.113.13 becomes unreachable, as in the diagram:
As a result of 203.0.113.13 becoming unreachable, on SPOKE-2:
- the default route remains available only via 203.0.113.9:
2025-05-16T14:47:17+00:00 %WAN-I-INSTANCE: IP interface gigabitethernet 1/0/1 last check target 203.0.113.13 failure
SPOKE-2# show ip route static
- once the timers expire, the BGP session and the NHRP neighborship with the HUB and with SPOKE-1 in Cloud 1 go down. As a result, the route to 192.0.2.0/25 becomes available via Cloud 2, that is, via the HUB at 198.51.100.129:
On SPOKE-1 the connection to SPOKE-2 is also lost and the routing information changes. Subnet 192.0.2.128/25 becomes reachable via the HUB, that is, via 198.51.100.1:
Traffic between the LANs is then forwarded through the HUB, between Cloud 1 and Cloud 2: