小乔 posted on 2022-12-9 10:49:31

[Lab] DMVPN + IPSec + Multicast

This post was last edited by 小乔 on 2022-12-9 10:59


Lab requirements: IOU1 acts as the Internet; IOU2/3/4 are configured with DMVPN + IPSec; IOU2/3/4/5/6/7 then run EIGRP over the tunnel so they can all reach each other; finally IOU6 and IOU7 join multicast group 232.1.1.1, and IOU5 can ping 232.1.1.1 successfully.
Lab environment: OS: Mac OS X 10.11.4 (the latest release at the time); emulator: GNS3 IOU for Mac 1.4.5 (the latest version at the time)
Note: of course, any Cisco emulator can be used for this lab.
Lab steps:

1. IP address plan
IOU1:
conf t
int l 0
ip add 1.1.1.1 255.255.255.255
int e 0/0
ip add 12.1.1.1 255.255.255.0
no sh
int e 0/1
ip add 13.1.1.1 255.255.255.0
no sh
int e 0/2
ip add 14.1.1.1 255.255.255.0
no sh

IOU2:
conf t
int l 0
ip add 2.2.2.2 255.255.255.255
int e 0/0
ip add 12.1.1.2 255.255.255.0
no sh
int e 0/1
ip add 192.168.2.2 255.255.255.0
no sh

IOU3:
conf t
int l 0
ip add 3.3.3.3 255.255.255.255
int e 0/1
ip add 13.1.1.3 255.255.255.0
no sh
int e 0/0
ip add 192.168.3.3 255.255.255.0
no sh

IOU4:
conf t
int l 0
ip add 4.4.4.4 255.255.255.255
int e 0/2
ip add 14.1.1.4 255.255.255.0
no sh
int e 0/0
ip add 192.168.4.4 255.255.255.0
no sh

IOU5:
conf t
int l 0
ip add 10.5.5.5 255.255.255.255
int e 0/1
ip add 192.168.2.5 255.255.255.0
no sh

IOU6:
conf t
int l 0
ip add 10.6.6.6 255.255.255.255
int e 0/0
ip add 192.168.3.6 255.255.255.0
no sh

IOU7:
conf t
int l 0
ip add 10.7.7.7 255.255.255.255
int e 0/0
ip add 192.168.4.7 255.255.255.0
no sh
router eigrp 234
no au
net 10.7.7.7 0.0.0.0
net 192.168.4.7 0.0.0.0

2. Configure the Internet part, so that IOU2/3/4 can reach each other through IOU1:
IOU1:
router bgp 1
bgp router-id 1.1.1.1
nei 12.1.1.2 remot 2
nei 13.1.1.3 remot 3
nei 14.1.1.4 remot 4
net 12.1.1.0 mask 255.255.255.0
net 13.1.1.0 mask 255.255.255.0
net 14.1.1.0 mask 255.255.255.0

IOU2:
router bgp 2
bgp router-id 2.2.2.2
nei 12.1.1.1 remot 1

IOU3:
router bgp 3
bgp router-id 3.3.3.3
nei 13.1.1.1 remot 1

IOU4:
router bgp 4
bgp router-id 4.4.4.4
nei 14.1.1.1 remot 1

3. Configure the tunnels and IPsec:

IOU2:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CCIE.LOL address 0.0.0.0
crypto ipsec transform-set CCIE esp-3des
mode transport
crypto ipsec profile CCIE
set transform-set CCIE
interface Tunnel0
ip address 10.234.2.2 255.255.0.0
tunnel source Ethernet0/0
tunnel mode gre multipoint
ip nhrp map multicast dynamic
ip nhrp network-id 234
ip nhrp authentication CCIE.LOL
tunnel protection ipsec profile CCIE

IOU3:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CCIE.LOL address 0.0.0.0
crypto ipsec transform-set CCIE esp-3des
mode transport
crypto ipsec profile CCIE
set transform-set CCIE
interface Tunnel0
ip address 10.234.3.3 255.255.0.0
tunnel source Ethernet0/1
tunnel mode gre multipoint
ip nhrp network-id 234
ip nhrp authentication CCIE.LOL
ip nhrp map 10.234.2.2 12.1.1.2
ip nhrp map multicast 12.1.1.2
ip nhrp nhs 10.234.2.2
tunnel protection ipsec profile CCIE

IOU4:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CCIE.LOL address 0.0.0.0
crypto ipsec transform-set CCIE esp-3des
mode transport
crypto ipsec profile CCIE
set transform-set CCIE
interface Tunnel0
ip address 10.234.4.4 255.255.0.0
tunnel source Ethernet0/2
tunnel mode gre multipoint
ip nhrp network-id 234
ip nhrp authentication CCIE.LOL
ip nhrp map 10.234.2.2 12.1.1.2
ip nhrp map multicast 12.1.1.2
ip nhrp nhs 10.234.2.2
tunnel protection ipsec profile CCIE

The tunnels now work:
IOU4#p 10.234.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.234.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/12 ms
IOU4#p 10.234.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.234.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms
IOU4#p 10.234.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.234.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/12 ms
IOU4#sh ip nhrp
10.234.2.2/32 via 10.234.2.2
   Tunnel0 created 00:01:33, never expire
   Type: static, Flags: used
   NBMA address: 12.1.1.2
10.234.3.3/32 via 10.234.3.3
   Tunnel0 created 00:00:07, expire 01:59:52
   Type: dynamic, Flags: router nhop
   NBMA address: 13.1.1.3
10.234.4.4/32 via 10.234.4.4
   Tunnel0 created 00:00:07, expire 00:03:00
   Type: dynamic, Flags: used temporary
   NBMA address: 12.1.1.2

4. Enable EIGRP over the tunnel:
IOU2:
router eigrp 234
no au
net 10.234.2.2 0.0.0.0
net 192.168.2.2 0.0.0.0

IOU5:
router eigrp 234
no au
net 10.5.5.5 0.0.0.0
net 192.168.2.5 0.0.0.0

IOU3:
router eigrp 234
no au
net 10.234.3.3 0.0.0.0
net 192.168.3.3 0.0.0.0

IOU6:
router eigrp 234
no au
net 10.6.6.6 0.0.0.0
net 192.168.3.6 0.0.0.0

IOU4:
router eigrp 234
no au
net 10.234.4.4 0.0.0.0
net 192.168.4.4 0.0.0.0

IOU7:
router eigrp 234
no au
net 10.7.7.7 0.0.0.0
net 192.168.4.7 0.0.0.0

EIGRP has also formed neighbors through the tunnel:
IOU5#p 10.6.6.6 so l 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/10/26 ms
IOU5#p 10.7.7.7 so l 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/18 ms

The trace does not show the Internet hops through IOU1, because they are hidden once traffic enters the tunnel:
IOU5#tra 10.7.7.7 so l 0
Type escape sequence to abort.
Tracing the route to 10.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.2.2 4 msec 7 msec 26 msec
  2 10.234.4.4 9 msec 10 msec 11 msec
  3 192.168.4.7 9 msec 10 msec 14 msec

5. Disable EIGRP split horizon and next-hop-self:
With the configuration so far, a problem appears: IOU3 does not see the routes from IOU4 and IOU7:
IOU3#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.5.5.5/32 via 10.234.2.2, 00:11:34, Tunnel0
D        10.6.6.6/32 via 192.168.3.6, 00:10:46, Ethernet0/0
C        10.234.0.0/16 is directly connected, Tunnel0
L        10.234.3.3/32 is directly connected, Tunnel0
      12.0.0.0/24 is subnetted, 1 subnets
B        12.1.1.0 via 13.1.1.1, 00:42:21
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.1.1.0/24 is directly connected, Ethernet0/1
L        13.1.1.3/32 is directly connected, Ethernet0/1
      14.0.0.0/24 is subnetted, 1 subnets
B        14.1.1.0 via 13.1.1.1, 00:42:21
D     192.168.2.0/24 via 10.234.2.2, 00:11:34, Tunnel0
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, Ethernet0/0
L        192.168.3.3/32 is directly connected, Ethernet0/0

IOU4 does not see the routes from IOU3 and IOU6:
IOU4#sh ip ro
Codes: ...

Gateway of last resort is not set

      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.5.5.5/32 via 10.234.2.2, 00:10:26, Tunnel0
D        10.7.7.7/32 via 192.168.4.7, 00:10:24, Ethernet0/0
C        10.234.0.0/16 is directly connected, Tunnel0
L        10.234.4.4/32 is directly connected, Tunnel0
      12.0.0.0/24 is subnetted, 1 subnets
B        12.1.1.0 via 14.1.1.1, 00:42:43
      13.0.0.0/24 is subnetted, 1 subnets
B        13.1.1.0 via 14.1.1.1, 00:42:43
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.1.1.0/24 is directly connected, Ethernet0/2
L        14.1.1.4/32 is directly connected, Ethernet0/2
D     192.168.2.0/24 via 10.234.2.2, 00:10:26, Tunnel0
      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.4.0/24 is directly connected, Ethernet0/0
L        192.168.4.4/32 is directly connected, Ethernet0/0

This is caused by EIGRP split horizon; it has to be disabled on IOU2:
int tun 0
no ip split-horizon eigrp 234

IOU3#sh ip ro
Codes: ...

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.5.5.5/32 via 10.234.2.2, 00:13:58, Tunnel0
D        10.6.6.6/32 via 192.168.3.6, 00:00:39, Ethernet0/0
D        10.7.7.7/32 via 10.234.2.2, 00:00:39, Tunnel0   —— IOU7's route
C        10.234.0.0/16 is directly connected, Tunnel0
L        10.234.3.3/32 is directly connected, Tunnel0
      12.0.0.0/24 is subnetted, 1 subnets
B        12.1.1.0 via 13.1.1.1, 00:44:45
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.1.1.0/24 is directly connected, Ethernet0/1
L        13.1.1.3/32 is directly connected, Ethernet0/1
      14.0.0.0/24 is subnetted, 1 subnets
B        14.1.1.0 via 13.1.1.1, 00:44:45
D     192.168.2.0/24 via 10.234.2.2, 00:13:58, Tunnel0
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, Ethernet0/0
L        192.168.3.3/32 is directly connected, Ethernet0/0
D     192.168.4.0/24 via 10.234.2.2, 00:00:39, Tunnel0   —— IOU4's route

IOU4#sh ip ro
Codes: ...

Gateway of last resort is not set

      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.5.5.5/32 via 10.234.2.2, 00:13:33, Tunnel0
D        10.6.6.6/32 via 10.234.2.2, 00:01:44, Tunnel0   —— IOU6's route
D        10.7.7.7/32 via 192.168.4.7, 00:01:44, Ethernet0/0
C        10.234.0.0/16 is directly connected, Tunnel0
L        10.234.4.4/32 is directly connected, Tunnel0
      12.0.0.0/24 is subnetted, 1 subnets
B        12.1.1.0 via 14.1.1.1, 00:45:50
      13.0.0.0/24 is subnetted, 1 subnets
B        13.1.1.0 via 14.1.1.1, 00:45:50
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.1.1.0/24 is directly connected, Ethernet0/2
L        14.1.1.4/32 is directly connected, Ethernet0/2
D     192.168.2.0/24 via 10.234.2.2, 00:13:33, Tunnel0
D     192.168.3.0/24 via 10.234.2.2, 00:01:44, Tunnel0   —— IOU3's route
      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.4.0/24 is directly connected, Ethernet0/0
L        192.168.4.4/32 is directly connected, Ethernet0/0

Now you will notice that packets from IOU3 to IOU4 are relayed through IOU2:
IOU3#tra 10.7.7.7
Type escape sequence to abort.
Tracing the route to 10.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 10.234.2.2 5 msec 7 msec 8 msec   —— through IOU2
  2 10.234.4.4 19 msec 6 msec 5 msec
  3 192.168.4.7 5 msec 7 msec 8 msec
IOU3#sh ip ro
Codes: ...

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.5.5.5/32 via 10.234.2.2, 00:13:58, Tunnel0
D        10.6.6.6/32 via 192.168.3.6, 00:00:39, Ethernet0/0
D        10.7.7.7/32 via 10.234.2.2, 00:00:39, Tunnel0   —— the next hop is IOU2...

Now let's optimize this: next-hop-self has to be disabled on IOU2:
int tun 0
no ip next-hop-self eigrp 234
Done:
IOU3#tra 10.7.7.7
Type escape sequence to abort.
Tracing the route to 10.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 10.234.4.4 2 msec 5 msec 8 msec
  2 192.168.4.7 24 msec 7 msec 5 msec
IOU3#sh ip ro
Codes: ...

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.5.5.5/32 via 10.234.2.2, 00:00:21, Tunnel0
D        10.6.6.6/32 via 192.168.3.6, 00:00:21, Ethernet0/0
D        10.7.7.7/32 via 10.234.4.4, 00:00:21, Tunnel0   —— the next hop is now IOU4...

6. Configure multicast:
IOU2:
! 2.2.2.2 will be set as the RP, so it has to be advertised to the other routers
router eigrp 234
net 2.2.2.2 0.0.0.0
ip multicast-routing
ip pim bsr-candidate l 0
ip pim rp-candidate l 0
int r tun 0 , l 0 , e 0/1
ip pim sparse-mode
! small optimization
int tun 0
ip pim nbma-mode

IOU5:
ip multicast-routing
int r l 0 , e 0/1
ip pim sparse-mode

IOU3:
ip multicast-routing
int r tun 0 , e 0/0
ip pim sparse-mode

IOU6:
ip multicast-routing
int r l 0 , e 0/0
ip pim sparse-mode
int l 0
ip igmp join-group 232.1.1.1

IOU4:
ip multicast-routing
int r tun 0 , e 0/0
ip pim sparse-mode

IOU7:
ip multicast-routing
int r l 0 , e 0/0
ip pim sparse-mode
int l 0
ip igmp join-group 232.1.1.1

IOU2#sh ip mro
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector, p - PIM Joins on route
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM Join
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 232.1.1.1), 00:00:02/00:03:29, RP 2.2.2.2, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel0, 10.234.4.4, Forward/Sparse, 00:00:00/00:03:29
    Tunnel0, 10.234.3.3, Forward/Sparse, 00:00:02/00:03:27

(*, 224.0.1.40), 00:00:19/00:02:40, RP 0.0.0.0, flags: DPL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

The group joins are visible. Now ping once from IOU5:
IOU5#p 232.1.1.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 232.1.1.1, timeout is 2 seconds:
Reply to request 0 from 10.7.7.7, 3 ms
Reply to request 0 from 10.6.6.6, 3 ms
Reply to request 0 from 10.7.7.7, 3 ms
Reply to request 0 from 10.6.6.6, 3 ms
It works.
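
The crypto settings used in step 3 (AES-128 with DH group 2 for IKE, a wildcard pre-shared key, and an ESP-3DES transform set with no integrity transform) are what an auditor would flag first on this kind of DMVPN build. The following is an added example, not code from the forum post: a small Python checker run over a retyped copy of the lab's crypto section and over a hypothetical hardened spoke-side version (assumed IOS 15.x syntax; the spoke pins the pre-shared key to the hub's NBMA address 12.1.1.2, whereas the hub still needs a wildcard or per-spoke entries because spoke addresses are dynamic).

```python
import re

# Constructed sample: the ISAKMP/IPsec section as configured on each router in this
# lab, retyped here for the example (not a file taken from the forum post).
LAB_CRYPTO_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key CCIE.LOL address 0.0.0.0
crypto ipsec transform-set CCIE esp-3des
 mode transport
crypto ipsec profile CCIE
 set transform-set CCIE
"""

# Hypothetical hardened spoke-side version (assumption: IOS 15.x syntax): AES-256 and
# SHA-256 for IKE, DH group 14, ESP with an HMAC, and the pre-shared key bound to the
# hub's NBMA address instead of any peer.
HARDENED_CRYPTO_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CCIE.LOL address 12.1.1.2
crypto ipsec transform-set CCIE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile CCIE
 set transform-set CCIE
"""

def audit_crypto(config: str) -> list[str]:
    """Return one finding per weak ISAKMP/IPsec setting in an IOS config snippet."""
    findings = []
    for line in (raw.strip() for raw in config.splitlines()):
        if re.fullmatch(r"group [125]", line):
            findings.append(f"ISAKMP: '{line}' is a small DH group; use group 14 or higher")
        if re.fullmatch(r"encr (des|3des)", line):
            findings.append(f"ISAKMP: '{line}' is a legacy cipher; use AES")
        if line == "hash md5":
            findings.append("ISAKMP: MD5 integrity; use SHA-256")
        if line.startswith("crypto isakmp key ") and line.endswith(" address 0.0.0.0"):
            findings.append("ISAKMP: wildcard pre-shared key; any host holding the key can peer")
        if line.startswith("crypto ipsec transform-set "):
            transforms = line.split()[4:]          # everything after the set name
            if any(t in ("esp-des", "esp-3des") for t in transforms):
                findings.append("IPsec: DES/3DES in transform-set; use esp-aes")
            if not any(t.endswith("-hmac") for t in transforms):
                findings.append("IPsec: no ESP integrity transform; add esp-sha256-hmac")
    return findings
```

Running audit_crypto on the lab section yields four findings (DH group 2, wildcard key, 3DES, no ESP HMAC); the hardened section yields none.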

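The two EIGRP knobs toggled in step 5 decide what the hub re-advertises to each spoke and with which next hop. As an added model that is not part of the original post, the Python function below computes what the hub (IOU2, Tunnel0 address 10.234.2.2) sends one spoke over Tunnel0 with split horizon and next-hop-self on or off, using this lab's prefixes; the route entries are constructed from the tables shown above.

```python
from dataclasses import dataclass

HUB = "10.234.2.2"   # IOU2's Tunnel0 address in this lab

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str   # tunnel IP of the router that originated the route
    via: str        # interface the hub learned the route on

# Constructed model of what the hub holds after step 4, keyed by originating router.
LEARNED = {
    "10.234.3.3": [Route("10.6.6.6/32", "10.234.3.3", "Tunnel0"),        # from IOU3
                   Route("192.168.3.0/24", "10.234.3.3", "Tunnel0")],
    "10.234.4.4": [Route("10.7.7.7/32", "10.234.4.4", "Tunnel0"),        # from IOU4
                   Route("192.168.4.0/24", "10.234.4.4", "Tunnel0")],
    HUB:           [Route("10.5.5.5/32", HUB, "Ethernet0/1"),            # hub-side LAN
                    Route("192.168.2.0/24", HUB, "Ethernet0/1")],
}

def hub_advertises(to_spoke: str, split_horizon: bool = True,
                   next_hop_self: bool = True) -> dict[str, str]:
    """Prefixes the hub sends to one spoke over Tunnel0, mapped to the next hop the
    spoke installs. The two flags model 'ip split-horizon eigrp' and
    'ip next-hop-self eigrp' on the hub's Tunnel0 (both on by default)."""
    out = {}
    for origin, routes in LEARNED.items():
        if origin == to_spoke:
            continue  # the spoke already holds its own prefixes as connected/local
        for r in routes:
            if split_horizon and r.via == "Tunnel0":
                continue  # learned on Tunnel0, so never sent back out Tunnel0
            out[r.prefix] = HUB if next_hop_self else r.next_hop
    return out
```

With the defaults IOU3 only receives the hub-side prefixes; with split horizon off it also receives IOU4's prefixes via the hub; with next-hop-self off as well, the next hop becomes 10.234.4.4 and NHRP can resolve a direct spoke-to-spoke path.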
welinker448 posted on 2025-3-14 01:56:34

sesuatu posted 5 days ago

Thanks for sharing this good resource