Просмотреть исходный

Eltex Knowledge Base > DMVPN Single HUB Single Cloud (NHRP phase 3) > image-2025-8-5_16-47-12.png

Задача: Организовать схему DMVPN Single HUB Single Cloud (NHRP phase 3) с использованием протокола динамической маршрутизации OSPF. Для примера будем использовать адреса Loopback Spoke1 и Spoke2, т.е. при появлении трафика между споками сработает фаза 3 и трафик пойдет напрямую.

При настройке схемы DMVPN Dual HUB Single Cloud необходимо, чтобы HUB являлся DR-маршрутизатором. Локальные подсети SPOKE будут ретранслироваться через HUB с помощью динамической маршрутизации ospf.

Укажем на HUB приоритет ip ospf priority 150

Пример конфигурации HUB:

router ospf 1
  router-id 192.0.2.1
  area 0.0.0.1
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.1/30
exit

tunnel gre 1
  description "DMVPN HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.1
  ip address 192.0.2.1/24
  ip ospf instance 1
  ip ospf area 0.0.0.1
  ip ospf priority 150
  ip ospf
  ip tcp adjust-mss 1360
  ip nhrp redirect - (механизм позволяет NHRP-серверу отслеживать не оптимальность прохождения трафика 
между NHRP-соседями)
  ip nhrp ipsec IPSECVPN_HUB dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_HUB
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_HUB
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_HUB
exit

security ike gateway IKEGW_HUB
  version v2-only
  ike-policy IKEPOLICY_HUB
  local address 203.0.113.1
  local network 203.0.113.1/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP_HUB
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_HUB
  proposal IPSECPROP_HUB
exit

security ipsec vpn IPSECVPN_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_HUB
  ike ipsec-policy IPSECPOLICY_HUB
  enable
exit

ip route 0.0.0.0/0 203.0.113.2

Пример конфигурации SPOKE-1:

router ospf 1
  router-id 192.0.2.2
  area 0.0.0.1
    network 198.51.100.1/32
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.10/30
exit
interface loopback 1
  ip address 198.51.100.1/32
exit

tunnel gre 1
  description "To HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.10
  ip address 192.0.2.2/24
  ip ospf instance 1
  ip ospf area 0.0.0.1
  ip ospf
  ip tcp adjust-mss 1360
  ip nhrp holding-time 300
  ip nhrp shortcut - (приведет к созданию туннеля между NHRP-соседями для оптимального прохождения трафика)
  ip nhrp map 192.0.2.1 203.0.113.1
  ip nhrp nhs 192.0.2.1
  ip nhrp ipsec IPSECVPN_FOR_HUB static
  ip nhrp ipsec IPSECVPN_FOR_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_SPOKE
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_SPOKE
exit

security ike gateway IKEGW_FOR_HUB
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address 203.0.113.1
  remote network 203.0.113.1/32 protocol gre 
  mode policy-based
exit
security ike gateway IKEGW_FOR_SPOKE
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_SPOKE
  proposal IPSECPROP_SPOKE
exit

security ipsec vpn IPSECVPN_FOR_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_HUB
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit
security ipsec vpn IPSECVPN_FOR_SPOKE
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_SPOKE
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit

ip route 0.0.0.0/0 203.0.113.9

Пример конфигурации SPOKE-2:

router ospf 1
  router-id 192.0.2.3
  area 0.0.0.1
    network 198.51.100.2/32
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.14/30
exit
interface loopback 1
  ip address 198.51.100.2/32
exit

tunnel gre 1
  description "To HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.14
  ip address 192.0.2.3/24
  ip ospf instance 1
  ip ospf area 0.0.0.1
  ip ospf
  ip tcp adjust-mss 1360
  ip nhrp holding-time 300
  ip nhrp shortcut - (приведет к созданию туннеля между NHRP-соседями для оптимального прохождения трафика)
  ip nhrp map 192.0.2.1 203.0.113.1
  ip nhrp nhs 192.0.2.1
  ip nhrp ipsec IPSECVPN_FOR_HUB static
  ip nhrp ipsec IPSECVPN_FOR_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_SPOKE
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_SPOKE
exit

security ike gateway IKEGW_FOR_HUB
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre 
  remote address 203.0.113.1
  remote network 203.0.113.1/32 protocol gre 
  mode policy-based
exit
security ike gateway IKEGW_FOR_SPOKE
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_SPOKE
  proposal IPSECPROP_SPOKE
exit

security ipsec vpn IPSECVPN_FOR_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_HUB
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit
security ipsec vpn IPSECVPN_FOR_SPOKE
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_SPOKE
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit

ip route 0.0.0.0/0 203.0.113.13

После настроек HUB, Spoke1 и Spoke2 и наличие ip связанности между ними поднимется DMVPN.

Вывод диагностической информации с HUB:

HUB# show ip nhrp peers

Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.2 203.0.113.10 gre 1 00:04:07 00,19:57:48 dynamic ULCP
192.0.2.3 203.0.113.14 gre 1 00:04:05 00,19:52:47 dynamic ULCP

HUB# show security ipsec vpn status

Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_HUB 203.0.113.1 203.0.113.10 0xfb181a79b0d5fdf6 0x4b87cf2053d2a393 Established
IPSECVPN_HUB 203.0.113.1 203.0.113.14 0xc7ca4f600d6cbc3b 0x144607b8843f35a1 Established

HUB# show ip ospf neighbors

Router ID Pri State DTime Interface Router IP
--------- --- ----- ----- ----------------- ---------
192.0.2.3 128 Full/BDR 00:34 gre 1 192.0.2.3
192.0.2.2 128 Full/Other 00:30 gre 1 192.0.2.2

HUB# show ip route ospf
O E2 * 198.51.100.2/32 [150/1000/10000] via 192.0.2.3 on gre 1 [ospf1 08:38:10] (192.0.2.3)
O 192.0.2.0/24 [150/1000] dev gre 1 [ospf1 08:37:25 from 192.0.2.1] (192.0.2.1)
O E2 * 198.51.100.1/32 [150/1000/10000] via 192.0.2.2 on gre 1 [ospf1 08:37:25] (192.0.2.2)

Вывод информации с SPOKE-1:

Spoke1# show ip nhrp peers

Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:01:06 static RLCP

Spoke1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_FOR_HUB 203.0.113.10 203.0.113.1 0xfb181a79b0d5fdf6 0x4b87cf2053d2a393 Established
IPSECVPN_FOR_SPOKE 203.0.113.10 203.0.113.14 0xc3af94b444b03799 0x4127791794136e78 Established

Spoke1# show ip ospf neighbors
Router ID Pri State DTime Interface Router IP
--------- --- ----- ----- ----------------- ---------
192.0.2.1 150 Full/DR 00:39 gre 1 192.0.2.1

Spoke1# show ip route ospf
O E2 * 198.51.100.2/32 [150/1000/10000] via 192.0.2.3 on gre 1 [ospf1 08:38:16] (192.0.2.3)
O 192.0.2.0/24 [150/1000] dev gre 1 [ospf1 08:37:26 from 192.0.2.1] (192.0.2.1)

Вывод информации с SPOKE-2:

Spoke2# show ip nhrp peers

Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:01:14 static RLCP

Spoke2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_FOR_HUB 203.0.113.14 203.0.113.1 0xc7ca4f600d6cbc3b 0x144607b8843f35a1 Established
IPSECVPN_FOR_SPOKE 203.0.113.14 203.0.113.10 0xc3af94b444b03799 0x4127791794136e78 Established

Spoke2# show ip ospf neighbors
Router ID Pri State DTime Interface Router IP
--------- --- ----- ----- ----------------- ---------
192.0.2.1 150 Full/DR 00:32 gre 1 192.0.2.1

Spoke2# show ip route ospf
O 192.0.2.0/24 [150/1000] dev gre 1 [ospf1 08:38:10 from 192.0.2.1] (192.0.2.1)
O E2 * 198.51.100.1/32 [150/1000/10000] via 192.0.2.2 on gre 1 [ospf1 08:38:10] (192.0.2.2)

Проверка работы фазы 3 DMVPN:

Необходимо пустить трафик, например сo Spoke1 на Spoke2, можно воспользоваться утилитой ping 198.51.100.2

Spoke1# ping 198.51.100.2 source ip 198.51.100.1
PING 198.51.100.2 (198.51.100.2) from 198.51.100.1 : 56 bytes of data.
!!!!!

Проверяем:

Spoke1# show ip nhrp peers

Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:00:29 static RLCP
192.0.2.3 203.0.113.14 gre 1 00:04:49 00,00:00:10 cached ULCP

Spoke1# show ip nhrp shortcut-routes
Network Nexthop Tunnel Expire Created
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- --------------
198.51.100.2/32 192.0.2.3 gre 1 00:04:37 00,00:00:22

Вывод команды show ip nhrp shortcut-routes показывает, что трафик пошел напрямую со Spoke1 на Spoke2