[Lab] DMVPN + IPSec + Multicast

lab-dmvpn-ipsec-multicast

Lab requirements:

IOU1 acts as the Internet. IOU2/3/4 are configured with DMVPN + IPsec; IOU2/3/4/5/6/7 then run EIGRP over the tunnel so that they can all reach one another. Finally, IOU6 and IOU7 join multicast group 232.1.1.1, and a ping from IOU5 to 232.1.1.1 must succeed.

Lab environment:

OS: Mac OS X 10.11.4 (the latest release at the time); emulator: GNS3 IOU for Mac 1.4.5 (the latest version at the time)
Note: any Cisco emulator can be used for this lab, of course.

Lab steps:

1. IP address plan

IOU1:

conf t
int l 0
ip add 1.1.1.1 255.255.255.255

int e 0/0
ip add 12.1.1.1 255.255.255.0
no sh

int e 0/1
ip add 13.1.1.1 255.255.255.0
no sh

int e 0/2
ip add 14.1.1.1 255.255.255.0
no sh

IOU2:

conf t
int l 0
ip add 2.2.2.2 255.255.255.255

int e 0/0
ip add 12.1.1.2 255.255.255.0
no sh

int e 0/1
ip add 192.168.2.2 255.255.255.0
no sh

IOU3:

conf t
int l 0
ip add 3.3.3.3 255.255.255.255

int e 0/1
ip add 13.1.1.3 255.255.255.0
no sh

int e 0/0
ip add 192.168.3.3 255.255.255.0
no sh

IOU4:

conf t
int l 0
ip add 4.4.4.4 255.255.255.255

int e 0/2
ip add 14.1.1.4 255.255.255.0
no sh

int e 0/0
ip add 192.168.4.4 255.255.255.0
no sh

IOU5:

conf t
int l 0
ip add 10.5.5.5 255.255.255.255

int e 0/1
ip add 192.168.2.5 255.255.255.0
no sh

IOU6:

conf t
int l 0
ip add 10.6.6.6 255.255.255.255

int e 0/0
ip add 192.168.3.6 255.255.255.0
no sh

IOU7:

conf t
int l 0
ip add 10.7.7.7 255.255.255.255

int e 0/0
ip add 192.168.4.7 255.255.255.0
no sh

router eigrp 234
no au
net 10.7.7.7 0.0.0.0
net 192.168.4.7 0.0.0.0

2. Configure the Internet portion so that IOU2/3/4 can reach each other through IOU1:

IOU1:

router bgp 1
bgp router-id 1.1.1.1
nei 12.1.1.2 remot 2
nei 13.1.1.3 remot 3
nei 14.1.1.4 remot 4
net 12.1.1.0 mask 255.255.255.0
net 13.1.1.0 mask 255.255.255.0
net 14.1.1.0 mask 255.255.255.0

IOU2:

router bgp 2
bgp router-id 2.2.2.2
nei 12.1.1.1 remot 1

IOU3:

router bgp 3
bgp router-id 3.3.3.3
nei 13.1.1.1 remot 1

IOU4:

router bgp 4
bgp router-id 4.4.4.4
nei 14.1.1.1 remot 1

3. Configure the tunnel and IPsec:

IOU2:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CCIE.LOL address 0.0.0.0
crypto ipsec transform-set CCIE esp-3des
mode transport
crypto ipsec profile CCIE
set transform-set CCIE

interface Tunnel0
ip address 10.234.2.2 255.255.0.0
tunnel source Ethernet0/0
tunnel mode gre multipoint

ip nhrp map multicast dynamic
ip nhrp network-id 234
ip nhrp authentication CCIE.LOL

tunnel protection ipsec profile CCIE

IOU3:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CCIE.LOL address 0.0.0.0
crypto ipsec transform-set CCIE esp-3des
mode transport
crypto ipsec profile CCIE
set transform-set CCIE

interface Tunnel0
ip address 10.234.3.3 255.255.0.0
tunnel source Ethernet0/1
tunnel mode gre multipoint

ip nhrp network-id 234
ip nhrp authentication CCIE.LOL
ip nhrp map 10.234.2.2 12.1.1.2
ip nhrp map multicast 12.1.1.2
ip nhrp nhs 10.234.2.2

tunnel protection ipsec profile CCIE

IOU4:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CCIE.LOL address 0.0.0.0
crypto ipsec transform-set CCIE esp-3des
mode transport
crypto ipsec profile CCIE
set transform-set CCIE

interface Tunnel0
ip address 10.234.4.4 255.255.0.0
tunnel source Ethernet0/2
tunnel mode gre multipoint

ip nhrp network-id 234
ip nhrp authentication CCIE.LOL
ip nhrp map 10.234.2.2 12.1.1.2
ip nhrp map multicast 12.1.1.2
ip nhrp nhs 10.234.2.2

tunnel protection ipsec profile CCIE

The tunnel now works:

IOU4#p 10.234.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.234.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/12 ms

IOU4#p 10.234.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.234.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms

IOU4#p 10.234.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.234.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/12 ms

IOU4#sh ip nhrp
10.234.2.2/32 via 10.234.2.2
   Tunnel0 created 00:01:33, never expire 
   Type: static, Flags: used 
   NBMA address: 12.1.1.2 
10.234.3.3/32 via 10.234.3.3
   Tunnel0 created 00:00:07, expire 01:59:52
   Type: dynamic, Flags: router nhop 
   NBMA address: 13.1.1.3 
10.234.4.4/32 via 10.234.4.4
   Tunnel0 created 00:00:07, expire 00:03:00
   Type: dynamic, Flags: used temporary 
   NBMA address: 12.1.1.2
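As an added example (not part of the original lab), the following Python script reads the crypto and tunnel lines above as plain text and reports what a reviewer would raise about them: the 3DES transform, the absence of an ESP integrity transform, DH group 2, the 0.0.0.0 wildcard pre-shared key, and an ISAKMP hash that is left at the platform default. It needs no device access; the IOU2 lines are embedded as a constructed sample, and the function and variable names are the example's own. IOU3 and IOU4 use identical crypto lines, so they produce the same findings.

```python
"""Added checker for the DMVPN crypto settings in this lab (constructed example).

It reads IOS-style configuration as text, no device access needed, and
reports the points a reviewer would raise about the ISAKMP policy, the IPsec
transform set, the pre-shared key and the NHRP authentication string.
"""

# Constructed sample: the IOU2 crypto/tunnel lines exactly as in the lab.
IOU2_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key CCIE.LOL address 0.0.0.0
crypto ipsec transform-set CCIE esp-3des
 mode transport
crypto ipsec profile CCIE
 set transform-set CCIE
interface Tunnel0
 ip address 10.234.2.2 255.255.0.0
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 ip nhrp map multicast dynamic
 ip nhrp network-id 234
 ip nhrp authentication CCIE.LOL
 tunnel protection ipsec profile CCIE
"""

# ESP transforms that add an integrity check (HMAC) to the payload.
ESP_INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac",
                 "esp-sha384-hmac", "esp-sha512-hmac"}
# ESP encryption transforms that are legacy or provide no confidentiality.
ESP_LEGACY = {"esp-des", "esp-3des", "esp-null"}
# Small MODP Diffie-Hellman groups (768/1024/1536-bit).
SMALL_DH_GROUPS = {"1", "2", "5"}


def parse_config(text):
    """Collect the crypto-relevant settings from an IOS configuration text."""
    cfg = {"isakmp": {}, "transforms": [], "psk": [],
           "nhrp_auth": None, "tunnel_protection": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto isakmp policy "):
            section = "isakmp"
        elif line.startswith("crypto isakmp key "):
            # crypto isakmp key <key> address <peer-address> [mask]
            parts = line.split()
            cfg["psk"].append((parts[3], parts[5]))
        elif line.startswith("crypto ipsec transform-set "):
            # crypto ipsec transform-set <name> <transform> [<transform> ...]
            cfg["transforms"] = line.split()[4:]
            section = "transform"
        elif line.startswith("crypto ipsec profile "):
            section = "profile"
        elif line.startswith("interface "):
            section = "interface"
        elif section == "isakmp":
            key, _, value = line.partition(" ")
            cfg["isakmp"][key] = value
        elif section == "interface":
            if line.startswith("ip nhrp authentication "):
                cfg["nhrp_auth"] = line.split()[3]
            elif line.startswith("tunnel protection ipsec profile "):
                cfg["tunnel_protection"] = True
    return cfg


def review(cfg):
    """Return the list of findings for a parsed configuration."""
    findings = []
    transforms = set(cfg["transforms"])
    legacy = transforms & ESP_LEGACY
    if legacy:
        findings.append("legacy ESP transform: " + ", ".join(sorted(legacy)))
    if not transforms & ESP_INTEGRITY:
        findings.append("transform set has no ESP integrity transform "
                        "(encryption-only ESP)")
    group = cfg["isakmp"].get("group")
    if group in SMALL_DH_GROUPS:
        findings.append(f"ISAKMP DH group {group} is a small MODP group")
    if "hash" not in cfg["isakmp"]:
        findings.append("ISAKMP policy does not pin a hash (platform default applies)")
    for _key, peer in cfg["psk"]:
        if peer == "0.0.0.0":
            findings.append("pre-shared key is accepted from any peer address (0.0.0.0)")
    if cfg["nhrp_auth"] and not cfg["tunnel_protection"]:
        findings.append("NHRP authentication string travels in cleartext "
                        "because the tunnel has no IPsec protection")
    return findings


if __name__ == "__main__":
    for finding in review(parse_config(IOU2_CONFIG)):
        print("-", finding)
```

The NHRP check only fires when `tunnel protection` is missing: the NHRP authentication string is a plain-text sanity token, not a cryptographic credential, and it is only hidden from the transport network because the whole GRE packet is carried inside ESP.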

4. Run EIGRP over the tunnel:

IOU2:

router eigrp 234
no au
net 10.234.2.2 0.0.0.0
net 192.168.2.2 0.0.0.0

IOU5:

router eigrp 234
no au
net 10.5.5.5 0.0.0.0
net 192.168.2.5 0.0.0.0

IOU3:

router eigrp 234
no au
net 10.234.3.3 0.0.0.0
net 192.168.3.3 0.0.0.0

IOU6:

router eigrp 234
no au
net 10.6.6.6 0.0.0.0
net 192.168.3.6 0.0.0.0

IOU4:

router eigrp 234
no au
net 10.234.4.4 0.0.0.0
net 192.168.4.4 0.0.0.0

IOU7:

router eigrp 234
no au
net 10.7.7.7 0.0.0.0
net 192.168.4.7 0.0.0.0

EIGRP has also formed neighbors over the tunnel:

IOU5#p 10.6.6.6 so l 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/10/26 ms

IOU5#p 10.7.7.7 so l 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/18 ms

The traceroute shows none of the Internet hops on IOU1, because they are hidden once the traffic enters the tunnel:

IOU5#tra 10.7.7.7 so l 0
Type escape sequence to abort.
Tracing the route to 10.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.2.2 4 msec 7 msec 26 msec
  2 10.234.4.4 9 msec 10 msec 11 msec
  3 192.168.4.7 9 msec 10 msec 14 msec

5. Disable EIGRP split horizon and next-hop-self:

With the configuration so far, a problem appears: IOU3 does not see the routes from IOU4 and IOU7:

IOU3#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.5.5.5/32 [90/27033600] via 10.234.2.2, 00:11:34, Tunnel0
D        10.6.6.6/32 [90/409600] via 192.168.3.6, 00:10:46, Ethernet0/0
C        10.234.0.0/16 is directly connected, Tunnel0
L        10.234.3.3/32 is directly connected, Tunnel0
      12.0.0.0/24 is subnetted, 1 subnets
B        12.1.1.0 [20/0] via 13.1.1.1, 00:42:21
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.1.1.0/24 is directly connected, Ethernet0/1
L        13.1.1.3/32 is directly connected, Ethernet0/1
      14.0.0.0/24 is subnetted, 1 subnets
B        14.1.1.0 [20/0] via 13.1.1.1, 00:42:21
D     192.168.2.0/24 [90/26905600] via 10.234.2.2, 00:11:34, Tunnel0
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, Ethernet0/0
L        192.168.3.3/32 is directly connected, Ethernet0/0

IOU4 does not see the routes from IOU3 and IOU6:

IOU4#sh ip ro
Codes: ...

Gateway of last resort is not set

      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.5.5.5/32 [90/27033600] via 10.234.2.2, 00:10:26, Tunnel0
D        10.7.7.7/32 [90/409600] via 192.168.4.7, 00:10:24, Ethernet0/0
C        10.234.0.0/16 is directly connected, Tunnel0
L        10.234.4.4/32 is directly connected, Tunnel0
      12.0.0.0/24 is subnetted, 1 subnets
B        12.1.1.0 [20/0] via 14.1.1.1, 00:42:43
      13.0.0.0/24 is subnetted, 1 subnets
B        13.1.1.0 [20/0] via 14.1.1.1, 00:42:43
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.1.1.0/24 is directly connected, Ethernet0/2
L        14.1.1.4/32 is directly connected, Ethernet0/2
D     192.168.2.0/24 [90/26905600] via 10.234.2.2, 00:10:26, Tunnel0
      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.4.0/24 is directly connected, Ethernet0/0
L        192.168.4.4/32 is directly connected, Ethernet0/0

This is caused by EIGRP split horizon, which must be disabled on IOU2:

int tun 0
no ip split-horizon eigrp 234

IOU3#sh ip ro
Codes: ...

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.5.5.5/32 [90/27033600] via 10.234.2.2, 00:13:58, Tunnel0
D        10.6.6.6/32 [90/409600] via 192.168.3.6, 00:00:39, Ethernet0/0
D        10.7.7.7/32 [90/28313600] via 10.234.2.2, 00:00:39, Tunnel0   <-- IOU7's route
C        10.234.0.0/16 is directly connected, Tunnel0
L        10.234.3.3/32 is directly connected, Tunnel0
      12.0.0.0/24 is subnetted, 1 subnets
B        12.1.1.0 [20/0] via 13.1.1.1, 00:44:45
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.1.1.0/24 is directly connected, Ethernet0/1
L        13.1.1.3/32 is directly connected, Ethernet0/1
      14.0.0.0/24 is subnetted, 1 subnets
B        14.1.1.0 [20/0] via 13.1.1.1, 00:44:45
D     192.168.2.0/24 [90/26905600] via 10.234.2.2, 00:13:58, Tunnel0
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, Ethernet0/0
L        192.168.3.3/32 is directly connected, Ethernet0/0
D     192.168.4.0/24 [90/28185600] via 10.234.2.2, 00:00:39, Tunnel0   <-- IOU4's route

IOU4#sh ip ro
Codes: ...

Gateway of last resort is not set

      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.5.5.5/32 [90/27033600] via 10.234.2.2, 00:13:33, Tunnel0
D        10.6.6.6/32 [90/28313600] via 10.234.2.2, 00:01:44, Tunnel0   <-- IOU6's route
D        10.7.7.7/32 [90/409600] via 192.168.4.7, 00:01:44, Ethernet0/0
C        10.234.0.0/16 is directly connected, Tunnel0
L        10.234.4.4/32 is directly connected, Tunnel0
      12.0.0.0/24 is subnetted, 1 subnets
B        12.1.1.0 [20/0] via 14.1.1.1, 00:45:50
      13.0.0.0/24 is subnetted, 1 subnets
B        13.1.1.0 [20/0] via 14.1.1.1, 00:45:50
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.1.1.0/24 is directly connected, Ethernet0/2
L        14.1.1.4/32 is directly connected, Ethernet0/2
D     192.168.2.0/24 [90/26905600] via 10.234.2.2, 00:13:33, Tunnel0
D     192.168.3.0/24 [90/28185600] via 10.234.2.2, 00:01:44, Tunnel0   <-- IOU3's route
      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.4.0/24 is directly connected, Ethernet0/0
L        192.168.4.4/32 is directly connected, Ethernet0/0

You will now notice that packets from IOU3 to IOU4 are relayed through IOU2:

IOU3#tra 10.7.7.7
Type escape sequence to abort.
Tracing the route to 10.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 10.234.2.2 5 msec 7 msec 8 msec   <-- via IOU2
  2 10.234.4.4 19 msec 6 msec 5 msec
  3 192.168.4.7 5 msec 7 msec 8 msec

IOU3#sh ip ro
Codes: ...

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.5.5.5/32 [90/27033600] via 10.234.2.2, 00:13:58, Tunnel0
D        10.6.6.6/32 [90/409600] via 192.168.3.6, 00:00:39, Ethernet0/0
D        10.7.7.7/32 [90/28313600] via 10.234.2.2, 00:00:39, Tunnel0   <-- next hop is IOU2
...

Now let's optimize this; next-hop-self must be disabled on IOU2:

int tun 0
no ip next-hop-self eigrp 234

Done:

IOU3#tra 10.7.7.7
Type escape sequence to abort.
Tracing the route to 10.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 10.234.4.4 2 msec 5 msec 8 msec
  2 192.168.4.7 24 msec 7 msec 5 msec

IOU3#sh ip ro
Codes: ...

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.5.5.5/32 [90/27033600] via 10.234.2.2, 00:00:21, Tunnel0
D        10.6.6.6/32 [90/409600] via 192.168.3.6, 00:00:21, Ethernet0/0
D        10.7.7.7/32 [90/28313600] via 10.234.4.4, 00:00:21, Tunnel0   <-- next hop is now IOU4
...
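To make the behaviour of this step concrete, here is an added Python model (not the lab's own code, and not EIGRP itself) of what the hub IOU2 re-advertises to each spoke over Tunnel0 under the two knobs changed above, `ip split-horizon eigrp` and `ip next-hop-self eigrp`. The spoke advertisements and hub LAN routes are constructed from this lab's addressing; no metrics are computed, the model only answers which prefixes a spoke learns from the hub and with which next hop.

```python
"""Added model of what the DMVPN hub IOU2 re-advertises over Tunnel0.

This is a constructed illustration, not EIGRP: it ignores metrics and only
answers "which prefixes does each spoke learn from the hub, and with which
next hop", as a function of split horizon and next-hop-self on the hub's
multipoint tunnel interface.
"""

HUB = "10.234.2.2"          # IOU2's Tunnel0 address

# Constructed from the lab addressing: what each spoke advertises to the hub
# over Tunnel0, keyed by the spoke's tunnel address.
SPOKE_ADVERTISEMENTS = {
    "10.234.3.3": ["10.6.6.6/32", "192.168.3.0/24"],  # IOU3 with IOU6 behind it
    "10.234.4.4": ["10.7.7.7/32", "192.168.4.0/24"],  # IOU4 with IOU7 behind it
}
# Prefixes the hub knows from its own LAN side (IOU5 sits behind IOU2).
HUB_LAN_ROUTES = ["10.5.5.5/32", "192.168.2.0/24"]


def hub_update_to(spoke, split_horizon=True, next_hop_self=True):
    """Return {prefix: next_hop} as sent by the hub to `spoke` on Tunnel0.

    split_horizon=True  models the default; False models
                        `no ip split-horizon eigrp 234` on the hub.
    next_hop_self=True  models the default; False models
                        `no ip next-hop-self eigrp 234` on the hub.
    """
    update = {prefix: HUB for prefix in HUB_LAN_ROUTES}
    for origin, prefixes in SPOKE_ADVERTISEMENTS.items():
        if origin == spoke:
            continue   # a spoke's own routes are never reflected back to it
        if split_horizon:
            # Split horizon: a route learned on Tunnel0 is not advertised
            # back out of Tunnel0, so the other spoke never hears about it.
            continue
        for prefix in prefixes:
            # With next-hop-self the hub rewrites the next hop to itself, so
            # spoke-to-spoke traffic is relayed via the hub. Without it, the
            # originating spoke's tunnel address is kept as next hop, and
            # NHRP lets the receiving spoke resolve it to a direct tunnel.
            update[prefix] = HUB if next_hop_self else origin
    return update


def spoke_next_hop(spoke, prefix, split_horizon=True, next_hop_self=True):
    """Next hop the spoke installs for `prefix`, or None if it never learns it."""
    if prefix in SPOKE_ADVERTISEMENTS[spoke]:
        return "LAN"
    return hub_update_to(spoke, split_horizon, next_hop_self).get(prefix)


if __name__ == "__main__":
    for sh, nhs in [(True, True), (False, True), (False, False)]:
        nh = spoke_next_hop("10.234.3.3", "10.7.7.7/32", sh, nhs)
        print(f"split-horizon={sh!s:5} next-hop-self={nhs!s:5} "
              f"IOU3 next hop for 10.7.7.7/32: {nh}")
```

The three rows the script prints correspond to the three routing-table snapshots above: no route at all, a route via 10.234.2.2, and finally a route via 10.234.4.4.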

6. Configure multicast:

IOU2:

! 2.2.2.2 will be the RP, so it must be advertised to the other routers
router eigrp 234
net 2.2.2.2 0.0.0.0

ip multicast-routing

ip pim bsr-candidate l 0
ip pim rp-candidate l 0

int r tun 0 , l 0 , e 0/1
ip pim sparse-mode

! Small optimization

int tun 0
ip pim nbma-mode

IOU5:

ip multicast-routing

int r l 0 , e 0/1
ip pim sparse-mode

IOU3:

ip multicast-routing

int r tun 0 , e 0/0
ip pim sparse-mode

IOU6:

ip multicast-routing

int r l 0 , e 0/0
ip pim sparse-mode

int l 0
ip igmp join-group 232.1.1.1

IOU4:

ip multicast-routing

int r tun 0 , e 0/0
ip pim sparse-mode

IOU7:

ip multicast-routing

int r l 0 , e 0/0
ip pim sparse-mode

int l 0
ip igmp join-group 232.1.1.1

IOU2#sh ip mro
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector, p - PIM Joins on route
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM Join
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 232.1.1.1), 00:00:02/00:03:29, RP 2.2.2.2, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel0, 10.234.4.4, Forward/Sparse, 00:00:00/00:03:29
    Tunnel0, 10.234.3.3, Forward/Sparse, 00:00:02/00:03:27

(*, 224.0.1.40), 00:00:19/00:02:40, RP 0.0.0.0, flags: DPL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

The group join is visible; now ping once from IOU5:

IOU5#p 232.1.1.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 232.1.1.1, timeout is 2 seconds:

Reply to request 0 from 10.7.7.7, 3 ms
Reply to request 0 from 10.6.6.6, 3 ms
Reply to request 0 from 10.7.7.7, 3 ms
Reply to request 0 from 10.6.6.6, 3 ms

It works.
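As an added example (not from the original lab), this Python snippet parses the `show ip mroute` output shown in this step and then runs two checks on the hub's (*, 232.1.1.1) entry: that each spoke appears as its own Tunnel0 entry in the outgoing interface list, which is what `ip pim nbma-mode` provides on a multipoint interface, and that a group inside the SSM range 232.0.0.0/8 nevertheless has a shared-tree (*,G) entry, which shows that SSM is not enabled on this router and the group is being served as ASM via the RP. The sample text is a constructed copy of the output above; the regular expressions and function names are the example's own.

```python
"""Added parser and checks for the `show ip mroute` output above (constructed).

Each (S,G)/(*,G) entry is reduced to its source, group, RP, flags and
outgoing interface list (OIL); two checks then run on the hub's view of
232.1.1.1.
"""
import ipaddress
import re

# Constructed copy of the relevant part of the IOU2 output shown in the lab.
MROUTE_SAMPLE = """\
(*, 232.1.1.1), 00:00:02/00:03:29, RP 2.2.2.2, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel0, 10.234.4.4, Forward/Sparse, 00:00:00/00:03:29
    Tunnel0, 10.234.3.3, Forward/Sparse, 00:00:02/00:03:27

(*, 224.0.1.40), 00:00:19/00:02:40, RP 0.0.0.0, flags: DPL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
"""

# "(*, 232.1.1.1), 00:00:02/00:03:29, RP 2.2.2.2, flags: S"
ENTRY_RE = re.compile(
    r"^\s*\((?P<src>\S+), (?P<grp>\S+)\), (?P<up>\S+)/(?P<exp>\S+), "
    r"RP (?P<rp>\S+), flags: (?P<flags>\S*)")
# "    Tunnel0, 10.234.4.4, Forward/Sparse, 00:00:00/00:03:29"
# The neighbor address column is present on NBMA-mode interfaces only.
OIL_RE = re.compile(
    r"^\s+(?P<ifc>\S+), (?:(?P<nbr>\d+\.\d+\.\d+\.\d+), )?"
    r"(?P<state>\S+)/(?P<mode>\S+), (?P<up>\S+)/(?P<exp>\S+)\s*$")
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")   # IANA source-specific multicast block


def parse_mroute(text):
    """Return a list of entries: {source, group, rp, flags, oil:[{ifc,nbr,state}]}."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"source": m["src"], "group": m["grp"], "rp": m["rp"],
                       "flags": set(m["flags"]), "oil": []}
            entries.append(current)
            continue
        if current is None or not line.startswith("    "):
            continue   # header lines and the two-space RPF / OIL header lines
        m = OIL_RE.match(line)
        if m:
            current["oil"].append({"ifc": m["ifc"], "nbr": m["nbr"], "state": m["state"]})
    return entries


def nbma_oil_neighbors(entries, group, ifc="Tunnel0"):
    """Sorted PIM neighbors listed individually in the (*,G) OIL on `ifc`.

    Without `ip pim nbma-mode` a multipoint interface appears once in the OIL;
    with it, each joined neighbor is tracked as its own OIL entry, so a prune
    from one spoke does not stop forwarding to the other.
    """
    for e in entries:
        if e["source"] == "*" and e["group"] == group:
            return sorted(o["nbr"] for o in e["oil"] if o["ifc"] == ifc and o["nbr"])
    return []


def shared_tree_in_ssm_range(entries):
    """Groups inside 232.0.0.0/8 that still have a shared-tree (*,G) entry.

    A (*,G) with an RP for such a group means SSM is not enabled on this
    router (no `ip pim ssm`), so the group is served as ASM via the RP.
    """
    return sorted(e["group"] for e in entries
                  if e["source"] == "*" and ipaddress.ip_address(e["group"]) in SSM_RANGE)


if __name__ == "__main__":
    table = parse_mroute(MROUTE_SAMPLE)
    print("RP for 232.1.1.1:", next(e["rp"] for e in table if e["group"] == "232.1.1.1"))
    print("per-neighbor OIL entries:", nbma_oil_neighbors(table, "232.1.1.1"))
    print("SSM-range groups with a (*,G):", shared_tree_in_ssm_range(table))
```

The second check is the caveat to keep in mind when reusing this lab: 232.1.1.1 only answers the ASM-style ping because the routers have no `ip pim ssm` configured; on a network where the SSM range is enabled, an IGMPv2 join to a 232/8 group builds no shared tree and the ping gets no replies.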
