多子网分支的第3阶段分层DMVPN实验

 May 17th 24  PNETLab 24 minutes read (About 3588 words)

以前了解过DMVPN组网,没发现还有这么个分层组网的模型,于是玩一玩做个记录

Cisco网站文档链接: https://www.cisco.com/c/zh_cn/support/docs/security/dynamic-multipoint-vpn-dmvpn/211292-Configure-Phase-3-Hierarchical-DMVPN-wit.html

华为的说法是Hub级联网络部署DSVPN

华为网站文档链接: https://support.huawei.com/enterprise/zh/doc/EDOC1100271739/baf3c434

一段蹩脚的Cisco网站机器翻译原文

分层设置(大于一级)允许更复杂的基于树的DMVPN网络拓扑。基于树的拓扑允许使用区域集线器构建DMVPN网络,区域集线器是中心集线器的分支。此体系结构允许区域中心处理其区域分支的数据和下一跳解析协议(NHRP)控制流量。但是,它仍允许在DMVPN网络内的任何分支之间构建分支到分支隧道,无论它们是否位于同一区域。此架构还允许DMVPN网络布局更紧密地匹配区域或分层数据流模式。

DMVPN的组成

  1. 多GRE隧道
  2. NHRP
  3. 动态路由协议
  4. IPSec加密

配置思路也是分这四个步骤,本人觉得DMVPN的精髓在于NHRP协议,这个协议可以使Spoke站点之间动态建立隧道,新增Spoke站点无须改动Hub端配置,看上去很智能哦

实验逻辑拓扑

image-20240516152212789

实验物理拓扑

image-20240516025005087

最终的效果(例如:R4的192.168.4.0/24网段去往R6的192.168.6.0/24网段一跳可达)

image-20240516233604433

配置过程

基础配置

包括IP地址,去往ISP的默认路由等

基础配置完成后各Hub路由器和Spoke路由器可以ping通各个公网IP地址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
R1#ping 100.28.28.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.28.28.2, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 4/5/7 ms
R1#ping 200.28.28.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.28.28.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
R1#ping 100.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.38.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
R1#ping 200.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.38.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
R1#ping 100.48.48.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.48.48.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms
R1#ping 100.58.58.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.58.58.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms
R1#ping 100.68.68.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.68.68.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
R1#ping 100.78.78.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.78.78.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#

多GRE隧道

Central Hub 与 Hub1,Hub2 配置tunnel

mGRE与单GRE的配置区别在于隧道模式 multipoint 和填写远端destination地址

1
2
3
4
5
6
7
!配置R1,R2,R3的tunnel,注意修改tunnel的IP地址,R2,R3 如法炮制
!R1 Tunnel0 (R1)
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 12345

Hub1,Hub2 ,Spoke配置tunnel

在Hub1,Hub2上配置tunnel 1(与Spoke建立隧道使用)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
! Hub1 Tunnel1 (R2)
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 no ip redirects
 tunnel source Ethernet0/1
 tunnel mode gre multipoint
 tunnel key 12345
 
! Hub2 Tunnel1 (R3)
interface Tunnel1
 ip address 10.0.2.3 255.255.255.0
 no ip redirects
 tunnel source Ethernet0/1
 tunnel mode gre multipoint
 tunnel key 12345
 
! Spoke1 (R4)
interface Tunnel1
 ip address 10.0.1.4 255.255.255.0
 no ip redirects
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 
 ! 其他Spoke站点如法炮制

NHRP

Central Hub的配置(R1)

1
2
3
4
5
6
7
!Central Hub (R1)
interface Tunnel0
 ip nhrp authentication cisco # 配置nhrp认证(可选)
 ip nhrp map multicast dynamic # 动态接受组播映射,(Version 15.7(3)M2 版本默认开启)
 ip nhrp network-id 123 # network-id,很重要,当前这个拓扑需要同一配置,原因是影响nhrp解析请求的发送
 ip nhrp redirect # nhrp的重定向,Hub向spoke发送重定向消息

Hub1和Hub2的配置(以Hub1为例(R2))

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
! Hub 1 (R2)
interface Tunnel0
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 100.18.18.1 # 隧道地址对应的公网地址映射
 ip nhrp map multicast 100.18.18.1 # 组播对应的公网地址映射
 ip nhrp network-id 123 # network-id,很重要,当前这个拓扑需要同一配置,原因是影响nhrp解析请求的发送
 ip nhrp nhs 10.0.0.1 # 配置nhs,spoke向nhs注册
 ip nhrp shorcut # Hub1和Hub2是Central Hub的Spoke (Version 15.7(3)M2 版本默认开启)
 ip nhrp redirect # 当前这个拓扑,需要配置这一项,因为在配置动态路由协议后,R3去往R4和R5业务网段的下一跳是R2
 
interface Tunnel1
 ip nhrp authentication cisco
 ip nhrp network-id 123
 ip nhrp redirect

Spoke1,2,3,4的配置(以Spoke1和Spoke3为例)

1
2
3
4
5
6
7
8
9
10
11
12
13
!Spoke 1 (R4)
interface Tunnel1
 ip nhrp authentication cisco
 ip nhrp map 10.0.1.2 200.28.28.2
 ip nhrp map multicast 200.28.28.2
 ip nhrp network-id 123
 ip nhrp nhs 10.0.1.2
 
!Spoke 3 (R6)
interface Tunnel1
 ip nhrp authentication cisco
 ip nhrp network-id 123
 ip nhrp nhs 10.0.2.3 nbma 200.38.38.3 multicast # 一次性配置nhs,映射地址

在配置完成mGRE和NHRP之后,产生流量之后(ping测试)应该可以观察到以下现象

  1. Hub1(R2)到Hub2(R3)的tunnel地址形成动态映射和动态隧道,跟踪路径查看到一跳可达

    image-20240516170204803

  2. Spoke1(R4)到Spoke2(R5)的tunnel地址形成动态映射和动态隧道,跟踪路径查看到一跳可达

    image-20240516170409590

  3. Spoke3(R6)到Spoke4(R7)的tunnel地址形成动态映射和动态隧道,跟踪路径查看到一跳可达

    image-20240516170521889

动态路由协议

可选的协议RIP、EIGRP、OSPF、BGP、ODR

本实验业务网络选用OSPF,Central Hub,Hub1和Hub2设计在Area0;Hub1和Spoke1,Spoke2设计在Area1;Hub2和Spoke3,Spoke4设计在Area2;

根据组网情况分析,OSPF的网络类型可选的有广播、点到多点;

本实验选用广播,因为在配置tunnel 的ospf网络类型为广播后,同一个hub下的spoke站点能学习到优化下一跳后的路由,注意修改Spoke的ospf优先级为0不参与DR选举;

(配置tunnel 的ospf网络类型为点到多点后,spoke站点在产生分支站点流量后会对路由进行override, % - next hop override ,O之后有%符号)

Central Hub,Hub1和Hub2的OSPF配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
!Central Hub (R1)
router ospf 110
 router-id 1.1.1.1
 network 10.0.0.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
interface Tunnel0
 ip ospf network broadcast # 修改tunnel0接口ospf网络类型为广播
interface Loopback1
 ip ospf network point-to-point # 修改环回接口网络类型为点到点
 
! Hub 1 (R2)
router ospf 110
 router-id 2.2.2.2
 network 10.0.0.2 0.0.0.0 area 0
 network 172.16.2.1 0.0.0.0 area 0
interface Tunnel0
 ip ospf network broadcast # 修改tunnel0接口ospf网络类型为广播
 ip ospf priority 0 # 修改ospf 优先级为0
interface Loopback1
 ip ospf network point-to-point # 修改环回接口网络类型为点到点
 
!Hub 2 (R3)
router ospf 110
 router-id 3.3.3.3
 network 10.0.0.3 0.0.0.0 area 0
 network 172.16.3.1 0.0.0.0 area 0
interface Tunnel0
 ip ospf network broadcast
 ip ospf priority 0
interface Loopback1
 ip ospf network point-to-point

Hub1和Spoke1,Spoke2的配置;Hub2和Spoke3,Spoke4的配置如法炮制即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
! Hub 1 (R2)
router ospf 110
 network 10.0.1.2 0.0.0.0 area 1
interface Tunnel1
 ip ospf network broadcast
 
!Spoke 1 (R4)
 router-id 4.4.4.4
 network 10.0.1.4 0.0.0.0 area 1
 network 192.168.4.1 0.0.0.0 area 1
interface Tunnel1
 ip ospf network broadcast
 ip ospf priority 0
interface Loopback1
 ip ospf network point-to-point

!Spoke 2 (R5)
router ospf 110
 router-id 5.5.5.5
 network 10.0.1.5 0.0.0.0 area 1
 network 192.168.5.1 0.0.0.0 area 1
interface Tunnel1
 ip ospf network broadcast
 ip ospf priority 0
interface Loopback1
 ip ospf network point-to-point

配置完成以上内容后,可以观察到的现象(例如:R5的192.168.5.0/24网段去往R7的192.168.7.0/24网段一跳可达)

image-20240516233848193

IPSec加密

配置ISAKMP第一阶段策略

1
2
3
4
5
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

配置ISAKMP预共享密码 

1
crypto isakmp key Cisco@123 address 0.0.0.0

配置IPSec策略(转换集)

1
2
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport

配置IPSec profile

1
2
crypto ipsec profile DMVPN
 set transform-set DMVPN

调用IPSec profile

1
2
interface Tunnel0
 tunnel protection ipsec profile DMVPN

以上命令配置完成后,使用命令sh run | s crypto 查看配置,复制粘贴到其他设备上,然后在在tunnel接口调用

1
2
3
4
5
6
7
8
9
10
11
12
R1#sh run | s crypto 
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco@123 address 0.0.0.0        
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN 
R1#

Hub1和Hub2接口调用时后边添加share可能遇到只有一个隧道起来的情况(不懂是模拟器bug还是怎么滴),按照思科官网配置两个不同名称的ipsec profile再次进行调用,可以解决

1
2
3
4
5
6
7
8
9
10
11
12
13
14
R2#sh run | s crypto
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco@123 address 0.0.0.0        
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac 
 mode transport
crypto ipsec profile DMVPN-0
 set transform-set DMVPN 
crypto ipsec profile DMVPN-1
 set transform-set DMVPN 
R2#

验证加密

在R4上清空会话

1
2
3
4
5
6
7
8
R4#clea crypto session                           
R4#sh crypto engine connections active           
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   45  IPsec   3DES+MD5                  0        2        2 100.48.48.4
   46  IPsec   3DES+MD5                  2        0        0 100.48.48.4
 1016  IKE     MD5+3DES                  0        0        0 100.48.48.4

使用ping命令产生数据

1
2
3
4
5
6
7
R4#ping 192.168.7.1 source 192.168.4.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.7.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/10/27 ms

查看加解密数据包计数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
R4#sh crypto engine connections active           
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   45  IPsec   3DES+MD5                  0       13       13 100.48.48.4
   46  IPsec   3DES+MD5                 13        0        0 100.48.48.4
   47  IPsec   3DES+MD5                  0        0        0 100.48.48.4
   48  IPsec   3DES+MD5                 92        0        0 100.48.48.4
   49  IPsec   3DES+MD5                  0       93       93 100.48.48.4
   50  IPsec   3DES+MD5                  0        0        0 100.48.48.4
 1016  IKE     MD5+3DES                  0        0        0 100.48.48.4
 1017  IKE     MD5+3DES                  0        0        0 100.48.48.4
 1018  IKE     MD5+3DES                  0        0        0 100.48.48.4

R4#

结果显示,加密或解密的数量分别超过100

NHRP工作流程

详细的可以去思科网站看看,这里贴个图

img

大致单向流程(以Spoke1(192.168.4.1)到Spoke4(192.168.7.1)为例):

  1. 当Spoke1首次与Spoke4进行通信(第一个数据包流,比如ping)或动态隧道已过期,icmp request 到达Hub1,查询nhrp缓存,发现没有192.168.7.1的缓存记录,icmp request 根据路由表和nhrp迭代转发到Hub1
  2. Hub1收到icmp request ,由于Hub1不是192.168.7.1的终点,于是向Spoke1发送nhrp 重定向(指示Spoke1发nhrp request),同时icmp request 根据路由表和nhrp迭代转发到Central Hub
  3. Central Hub收到icmp request,由于Central Hub不是192.168.7.1的终点,于是向Spoke1发送nhrp 重定向(往tunnel0发送,Hub1收到后再转发到tunnel1上,指示Spoke1发nhrp request,),同时icmp request 根据路由表和nhrp迭代转发到Hub2
  4. Hub2收到icmp request,由于Hub2不是192.168.7.1的终点,于是向Spoke1发送nhrp 重定向(往tunnel0发送,再转发到tunnel1,指示Spoke1发nhrp request),同时icmp request 根据路由表和nhrp迭代转发到Spoke4
  5. Spoke4收到icmp request,由于Spoke4是192.168.7.1的终点,在收到Spoke1的nhrp request于是向Spoke1发送Resolution Reply(沿着来的的路径逐条转发回去) ,icmp request 到达目的地

返回流程也是经过一轮重定向的操作,因为当icmp request 到达目的地后,Spoke4的nhrp缓存也没有192.168.4.1的条目或者说没有形成动态的tunnel

通过debug nhrp packet观察,nhrp的重定向、 request 消息在几十毫秒内全部完成

R2和R3之间也会发送重定向和request,因为运行了ospf协议,R2和R3之间有Spoke的路由(例如R2去往R6,R7的下一跳是R3的tunnel接口地址)

假设R2和R3直接已经形成动态隧道(R2ping通R3的tunnel0接口)那么Spoke1(192.168.4.1)到Spoke4(192.168.7.1)的首次通信跟踪路径如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
R4#tra 192.168.6.1 sou 192.168.4.1
Type escape sequence to abort.
Tracing the route to 192.168.6.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.1.2 9 msec 8 msec 8 msec
  2 10.0.0.3 11 msec 11 msec 15 msec
  3 10.0.2.6 19 msec *  14 msec
R4#

在路由器上使用命令清空nhrp缓存,再次使用trace可以看到数据包经过了R1
R1#clea ip nhrp 
R2#clea ip nhrp 
R3#clea ip nhrp 
R4#clea ip nhrp 
R6#clea ip nhrp 

R4#tra 192.168.6.1 sou 192.168.4.1
Type escape sequence to abort.
Tracing the route to 192.168.6.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.1.2 11 msec 11 msec 9 msec
  2 10.0.0.1 11 msec 11 msec 17 msec
  3 10.0.0.3 19 msec 13 msec 12 msec
  4 10.0.2.6 18 msec *  14 msec
R4#

Spoke站点外网地址

Spoke站点是静态或动态的公网IP不影响

但是如果Spoke站点的出口地址是私网地址呢?不要惊奇,十几年前就发现有这种现象了,或者说Spoke站点上一级有NAT设备,这种情况下DMVPN仍然可用(前提是运营商没把UDP500给干掉)

在上面的拓扑R7和R8之间添加R9,配置NAT,R7和R9之间配置10.79.79.0网段,完成配置后发现R7学习路由和连通性测试没有问题,R3上观察nhrp缓存如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
R3#sh ip nhrp 
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:12:47, never expire 
   Type: static, Flags: used 
   NBMA address: 100.18.18.1 
10.0.2.6/32 via 10.0.2.6
   Tunnel1 created 00:12:35, expire 00:09:08
   Type: dynamic, Flags: registered used nhop 
   NBMA address: 100.68.68.6 
10.0.2.7/32 via 10.0.2.7
   Tunnel1 created 00:00:25, expire 00:09:35
   Type: dynamic, Flags: registered used nhop 
   NBMA address: 100.89.89.9 
    (Claimed NBMA address: 10.79.79.7) 

比正常的显示多了一行  (Claimed NBMA address: 10.79.79.7)

R9上查看NAT转换,是不是很熟悉哈,在IPSec VPN穿越NAT的时候也出现过这种情况,所以我想说DMVPN是IPSec VPN 的PLUS+PRO+MAX升级版

1
2
3
4
5
6
7
R9#sh ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
udp 100.89.89.9:500    10.79.79.7:500     100.58.58.5:500    100.58.58.5:500
udp 100.89.89.9:500    10.79.79.7:500     200.38.38.3:500    200.38.38.3:500
udp 100.89.89.9:4500   10.79.79.7:4500    100.58.58.5:4500   100.58.58.5:4500
udp 100.89.89.9:4500   10.79.79.7:4500    200.38.38.3:4500   200.38.38.3:4500
R9#

经典结尾扯蛋

  • 整了这么个实验,精华部分也就是nhrp的重定向和Spoke站点之间的动态隧道
  • 在本人接触过的Hub和Spoke组网的项目中,也就接触过IPSec VPN,分支站点向中心传数据的情况,至于站点和站点互通的少见
  • 其实使用DMVPN组网也能完成分支站点仅向中心传数据;在实际的项目中怀疑是参杂了一些利益因素导致这种组网少见,可能是我见识短浅;因为这种技术也不会向友商设备提供对接,跟你对接了我岂不是少赚钱了
  • 而IPSec VPN则不同,它是一个安全框架,遵守框架开发理论上都能对接,本人提到的第二点的项目中对接的设备有深信服,华三,华为,迈普,绿盟,都组网正常运行了
  • 做完这个实验去瞄了一眼华为的DSVPN,配置项差不多,命令表现形式不一样
  • 配置存阿里云盘了,这是链接:[分享的文件]
  • 欢迎“来电”来函探讨。
#Network Emulator #PNETLab #Cisco #DMVPN #NHRP #NHRP redirec #tunnel #多层不同子网
使用Selenium打开PNETLab拓扑并开启所有节点 Miniconda安装使用(简单版)
Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×