Просмотреть исходный

Eltex Knowledge Base > DMVPN Single HUB Single Cloud (BGP, NHRP phase 3) > Снимок экрана от 2025-09-24 14-20-31.png

Задача: Организовать схему DMVPN Single HUB Single Cloud (NHRP phase 3) с использованием протокола динамической маршрутизации BGP. Для примера будем использовать адреса Loopback Spoke1 и Spoke2, т.е. при появлении трафика между споками сработает фаза 3 и трафик пойдет напрямую. Firewall выключен.

Параметры для listen-range настраиваются в отдельной peer-group, которая привязывается к соответствующему listen-range.

1.Настраиваем интерфейсы UPLink для создания ip связанности между маршрутизаторами:

HUB:
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.1/30
exit
ip route 0.0.0.0/0 203.0.113.2

Spoke 1:
interface gigabitethernet 1/0/1
  description "ISP1"
  ip firewall disable
  ip address 203.0.113.10/30
exit
ip route 0.0.0.0/0 203.0.113.9

Spoke 2:
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.14/30
exit
ip route 0.0.0.0/0 203.0.113.13

2. Строим IPSec over GRE. Применяем технологию DMVPN с указанием параметров протокола NHRP для использования фазы 3

HUB:

tunnel gre 1
  description "DMVPN HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.1
  ip address 192.0.2.1/24
  ip tcp adjust-mss 1360
  ip nhrp redirect - (механизм позволяет NHRP-серверу отслеживать не оптимальность прохождения трафика 
                      между NHRP-соседями)
  ip nhrp ipsec IPSECVPN_HUB dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_HUB
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_HUB
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_HUB
exit

security ike gateway IKEGW_HUB
  version v2-only
  ike-policy IKEPOLICY_HUB
  local address 203.0.113.1
  local network 203.0.113.1/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP_HUB
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_HUB
  proposal IPSECPROP_HUB
exit

security ipsec vpn IPSECVPN_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_HUB
  ike ipsec-policy IPSECPOLICY_HUB
  enable
exit

Spoke 1:

tunnel gre 1
  description "To HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.10
  ip address 192.0.2.2/24
  ip tcp adjust-mss 1360
  ip nhrp holding-time 300
  ip nhrp shortcut - (приведет к созданию туннеля между NHRP-соседями для 
                      оптимального прохождения трафика)
  ip nhrp map 192.0.2.1 203.0.113.1
  ip nhrp nhs 192.0.2.1
  ip nhrp ipsec IPSECVPN_FOR_HUB static
  ip nhrp ipsec IPSECVPN_FOR_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_SPOKE
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_SPOKE
exit

security ike gateway IKEGW_FOR_HUB
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address 203.0.113.1
  remote network 203.0.113.1/32 protocol gre 
  mode policy-based
exit
security ike gateway IKEGW_FOR_SPOKE
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.10
  local network 203.0.113.10/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_SPOKE
  proposal IPSECPROP_SPOKE
exit

security ipsec vpn IPSECVPN_FOR_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_HUB
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit
security ipsec vpn IPSECVPN_FOR_SPOKE
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_SPOKE
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit

Spoke 2:
tunnel gre 1
  description "To HUB"
  ttl 255
  mtu 1416
  multipoint
  ip firewall disable
  local address 203.0.113.14
  ip address 192.0.2.3/24
  ip tcp adjust-mss 1360
  ip nhrp holding-time 300
  ip nhrp shortcut - (приведет к созданию туннеля между NHRP-соседями 
                      для оптимального прохождения трафика)
  ip nhrp map 192.0.2.1 203.0.113.1
  ip nhrp nhs 192.0.2.1
  ip nhrp ipsec IPSECVPN_FOR_HUB static
  ip nhrp ipsec IPSECVPN_FOR_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

security ike proposal IKEPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256
  dh-group 16
exit

security ike policy IKEPOLICY_SPOKE
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP_SPOKE
exit

security ike gateway IKEGW_FOR_HUB
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre 
  remote address 203.0.113.1
  remote network 203.0.113.1/32 protocol gre 
  mode policy-based
exit
security ike gateway IKEGW_FOR_SPOKE
  version v2-only
  ike-policy IKEPOLICY_SPOKE
  local address 203.0.113.14
  local network 203.0.113.14/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

security ipsec proposal IPSECPROP_SPOKE
  authentication algorithm sha2-512
  encryption algorithm aes256ctr
  pfs dh-group 16
exit

security ipsec policy IPSECPOLICY_SPOKE
  proposal IPSECPROP_SPOKE
exit

security ipsec vpn IPSECVPN_FOR_HUB
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_HUB
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit
security ipsec vpn IPSECVPN_FOR_SPOKE
  type transport
  ike establish-tunnel route
  ike gateway IKEGW_FOR_SPOKE
  ike ipsec-policy IPSECPOLICY_SPOKE
  enable
exit

3. Настраиваем протокол BGP для анонсирования сетей (198.51.100.1/32 и 198.51.100.2/32) между Spoke в качестве примера работы фазы 3:

HUB:

router bgp 65001
  router-id 192.0.2.1
  peer-group DMVPN
    remote-as 65001
    route-reflector-client - (Этот атрибут указывается для соседа (peer) по BGP и означает, 
                             что данный сосед является "клиентом" отражателя.)
    address-family ipv4 unicast
      enable
    exit
  exit
  listen-range 192.0.2.0/24
    peer-group DMVPN
    enable
  exit
  enable
exit

Spoke 1:
router bgp 65001
  router-id 192.0.2.2
  neighbor 192.0.2.1
    remote-as 65001
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 198.51.100.1/32
  exit
  enable
exit

interface loopback 1
  ip address 198.51.100.1/32
exit

Spoke 2:
router bgp 65001
  router-id 192.0.2.3
  neighbor 192.0.2.1
    remote-as 65001
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 198.51.100.2/32
  exit
  enable
exit

interface loopback 1
  ip address 198.51.100.2/32
exit

Вывод диагностической информации с HUB:

HUB# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.2 203.0.113.10 gre 1 00:04:16 00,03:09:16 dynamic LCP
192.0.2.3 203.0.113.14 gre 1 00:04:14 00,03:09:18 dynamic LCP

HUB# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_HUB 203.0.113.1 203.0.113.10 0xcae05f744d8d428b 0xd5afbc7eef06d1aa Established
IPSECVPN_HUB 203.0.113.1 203.0.113.14 0xea5e34c5b61d702f 0x3299670ccada35d3 Established

HUB# show bgp neighbors
BGP neighbor is 192.0.2.2
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 192.0.2.0/24
Neighbor address: 192.0.2.2
Neighbor AS: 65001
Neighbor ID: 192.0.2.2
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop route-reflector AS4
Source address: 192.0.2.1
Weight: 0
Hold timer: 127/180
Keepalive timer: 21/60
Peer group: DMVPN
RR client: Yes
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: Yes
Uptime (d,h:m:s): 00,03:10:30
BGP neighbor is 192.0.2.3
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 192.0.2.0/24
Neighbor address: 192.0.2.3
Neighbor AS: 65001
Neighbor ID: 192.0.2.3
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop route-reflector AS4
Source address: 192.0.2.1
Weight: 0
Hold timer: 139/180
Keepalive timer: 55/60
Peer group: DMVPN
RR client: Yes
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: Yes
Uptime (d,h:m:s): 00,02:14:52

HUB# show ip route bgp
B * 198.51.100.2/32 [170/0] via 192.0.2.3 on gre 1 [bgp65001 05:33:15] (i)
B * 198.51.100.1/32 [170/0] via 192.0.2.2 on gre 1 [bgp65001 05:30:57] (i)

Вывод информации с SPOKE-1:

Spoke1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:00:19 static RULCP

Spoke1# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_FOR_SPOKE 203.0.113.10 203.0.113.14 0xc5680420c9aa70b8 0xc72ba7a738001529 Established
IPSECVPN_FOR_HUB 203.0.113.10 203.0.113.1 0xcae05f744d8d428b 0xd5afbc7eef06d1aa Established

Spoke1# show bgp neighbors
BGP neighbor is 192.0.2.1
BGP state: Established
Type: Static neighbor
Neighbor address: 192.0.2.1
Neighbor AS: 65001
Neighbor ID: 192.0.2.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 192.0.2.2
Weight: 0
Hold timer: 119/180
Keepalive timer: 5/60
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,03:13:15

Spoke1# show ip route bgp
B * 198.51.100.2/32 [170/0] via 192.0.2.3 on gre 1 [bgp65001 05:33:15 from 192.0.2.1] (i)

Вывод информации с SPOKE-2:

Spoke2# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:00:19 static RULCP

Spoke2# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
IPSECVPN_FOR_SPOKE 203.0.113.14 203.0.113.10 0xc5680420c9aa70b8 0xc72ba7a738001529 Established
IPSECVPN_FOR_HUB 203.0.113.14 203.0.113.1 0xea5e34c5b61d702f 0x3299670ccada35d3 Established

Spoke2# show bgp neighbors
BGP neighbor is 192.0.2.1
BGP state: Established
Type: Static neighbor
Neighbor address: 192.0.2.1
Neighbor AS: 65001
Neighbor ID: 192.0.2.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: internal multihop AS4
Source address: 192.0.2.3
Weight: 0
Hold timer: 111/180
Keepalive timer: 29/60
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,02:22:25

Spoke2# show ip route bgp
B * 198.51.100.1/32 [170/0] via 192.0.2.2 on gre 1 [bgp65001 05:33:15 from 192.0.2.1] (i)

Проверка работы фазы 3 DMVPN:

Необходимо пустить трафик, например сo Spoke1 на Spoke2, можно воспользоваться утилитой ping 198.51.100.2

Spoke1# ping 198.51.100.2 source ip 198.51.100.1
PING 198.51.100.2 (198.51.100.2) from 198.51.100.1 : 56 bytes of data.
!!!!!

Spoke1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined

Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
192.0.2.1 203.0.113.1 gre 1 -- 00,00:00:19 static RULCP
192.0.2.3 203.0.113.14 gre 1 00:04:20 00,00:00:39 cached ULCP

Spoke1# show ip nhrp shortcut-routes
Network Nexthop Tunnel Expire Created
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- --------------
198.51.100.2/32 192.0.2.3 gre 1 00:03:47 00,00:01:12

Вывод команды show ip nhrp shortcut-routes показывает, что трафик пошел напрямую со Spoke1 на Spoke2 (отработала фаза 3)