This post shows the DMVPN configuration on the topology introduced in the previous post.
I'll do the IPsec part later; for now let's concentrate on DMVPN.
Preliminary underlay tests:
MPLS connectivity
R2 –> R13
R2#ping vrf MPLS 172.18.202.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.202.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R2#
R2 –> R14
R2#ping vrf MPLS 172.18.204.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.204.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R2#
Public internet connectivity
R3 –> R13
R3#ping vrf INET 172.18.203.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.203.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
R3#
R3 –> R15
R3#ping vrf INET 172.18.205.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.205.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/11 ms
R3#
The DMVPN config guide on the Cisco site is here; the example config can practically be copied in full. That's why I never learned it by heart, not even for the CCIE, I just used the doccd 🙂
DMVPN configuration guide –> cisco.com –> Support –> All products –> NX-OS/IOS –> Cisco IOS Software Release 15.5M&T –> Configuration Guides –> Security –> Secure Connectivity Configuration Guide Library, Cisco IOS Release 15M&T –> Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T
Based on that, the HUB config:
!
interface Tunnel1
bandwidth 10000
ip address 192.168.200.1 255.255.255.0
ip mtu 1400
ip nhrp authentication fkuris
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source Ethernet0/1
! the source interface is in a different VRF, hence the tunnel vrf command
tunnel vrf MPLS
tunnel mode gre multipoint
tunnel key 1
!
router eigrp CUST
address-family ipv4 unicast as 100
af-interface Tu1
! remember, EIGRP behaves as a distance vector protocol,
! so split horizon has to be disabled
no split-horizon
no next-hop-self
end
Spoke example:
interface Tunnel1
bandwidth 1000
ip address 192.168.200.2 255.255.255.0
ip mtu 1400
ip nhrp authentication fkuris
ip nhrp map 192.168.200.1 172.18.200.1
ip nhrp map multicast 172.18.200.1
ip nhrp network-id 1
! the NHS is the hub's tunnel address (mapped to its NBMA address above)
ip nhrp nhs 192.168.200.1
ip tcp adjust-mss 1360
tunnel source Ethernet0/1
tunnel vrf MPLS
tunnel mode gre multipoint
tunnel key 1
!
router eigrp CUST
address-family ipv4 unicast as 100
network 192.168.0.0 0.0.255.255
end
Based on the above, the configurations I used:
MPLS
R2
router eigrp CUST
!
address-family ipv4 unicast autonomous-system 100
!
af-interface Tunnel1
no next-hop-self
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 192.168.0.0 0.0.255.255
exit-address-family
!
interface Tunnel1
bandwidth 10000
ip address 192.168.200.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication fkuris
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 1
tunnel vrf MPLS
end
R13
router eigrp CUST
!
address-family ipv4 unicast autonomous-system 100
!
topology base
exit-af-topology
network 192.168.4.0
network 192.168.5.0
network 192.168.200.0
network 192.168.201.0
! I configure the Branch offices as EIGRP stubs
eigrp stub
exit-address-family
!
interface Tunnel1
bandwidth 10000
ip address 192.168.200.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication fkuris
ip nhrp map 192.168.200.1 172.18.200.1
ip nhrp map multicast 172.18.200.1
ip nhrp network-id 1
ip nhrp nhs 192.168.200.1
ip tcp adjust-mss 1360
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel vrf MPLS
end
R14
router eigrp 100
network 192.168.0.0 0.0.255.255
eigrp router-id 14.14.14.14
! We'll come back to the leak-map later
eigrp stub connected summary leak-map EIGRP_LEAK
ip prefix-list EIGRP_LEAK seq 5 permit 192.168.7.0/24
ip prefix-list EIGRP_LEAK seq 10 permit 192.168.8.0/24
route-map EIGRP_LEAK permit 10
match ip address prefix-list EIGRP_LEAK
route-map EIGRP_LEAK permit 20
!
interface Tunnel1
bandwidth 10000
ip address 192.168.200.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication fkuris
ip nhrp map multicast 172.18.200.1
ip nhrp map 192.168.200.1 172.18.200.1
ip nhrp network-id 1
ip nhrp nhs 192.168.200.1
ip tcp adjust-mss 1360
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel vrf MPLS
end
INET
R3
router eigrp CUST
!
address-family ipv4 unicast autonomous-system 100
!
topology base
exit-af-topology
network 192.168.0.0 0.0.255.255
exit-address-family
!
interface Tunnel2
bandwidth 10000
ip address 192.168.201.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication fkuris2
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 2
tunnel vrf INET
end
R13
interface Tunnel2
bandwidth 10000
ip address 192.168.201.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication fkuris2
ip nhrp map 192.168.201.1 172.18.201.1
ip nhrp map multicast 172.18.201.1
ip nhrp network-id 1
ip nhrp nhs 192.168.201.1
ip tcp adjust-mss 1360
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 2
tunnel vrf INET
end
R15
router eigrp 100
network 192.168.0.0 0.0.255.255
eigrp stub connected summary leak-map EIGRP_LEAK
!
ip prefix-list EIGRP_LEAK seq 5 permit 192.168.7.0/24
ip prefix-list EIGRP_LEAK seq 10 permit 192.168.8.0/24
route-map EIGRP_LEAK permit 10
match ip address prefix-list EIGRP_LEAK
route-map EIGRP_LEAK permit 20
!
interface Tunnel2
bandwidth 10000
ip address 192.168.201.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication fkuris2
ip nhrp map 192.168.201.1 172.18.201.1
ip nhrp map multicast 172.18.201.1
ip nhrp network-id 1
ip nhrp nhs 192.168.201.1
ip tcp adjust-mss 1360
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 2
tunnel vrf INET
end
The spokes have registered with the hub routers via NHRP. NBMA address = underlay IP address (MPLS/INET VRF).
R2#sh ip nhrp
192.168.200.2/32 via 192.168.200.2
   Tunnel1 created 00:22:05, expire 01:38:12
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 172.18.202.1
192.168.200.3/32 via 192.168.200.3
   Tunnel1 created 00:16:22, expire 01:46:02
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 172.18.204.1
R2#
R3#sh ip nhrp
192.168.201.2/32 via 192.168.201.2
   Tunnel2 created 00:06:31, expire 01:53:41
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 172.18.203.1
192.168.201.3/32 via 192.168.201.3
   Tunnel2 created 00:04:55, expire 01:55:04
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 172.18.205.1
R3#
The spokes know the hub subnets from HQ with equal cost, and they also see each other's subnets through the two Tunnel interfaces:
R13#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     192.168.0.0/22 [90/26629120] via 192.168.201.1, 00:03:08, Tunnel2
                     [90/26629120] via 192.168.200.1, 00:03:08, Tunnel1
D     192.168.4.0/24 [90/26624000] via 192.168.201.1, 00:03:08, Tunnel2
                     [90/26624000] via 192.168.200.1, 00:03:08, Tunnel1
D     192.168.7.0/24 [90/54784000] via 192.168.200.3, 00:00:08, Tunnel1
D     192.168.8.0/24 [90/54784000] via 192.168.200.3, 00:00:08, Tunnel1
D     192.168.10.0/24 [90/52224000] via 192.168.200.3, 00:00:08, Tunnel1
R13#
The trick that made this possible is the EIGRP leak-map feature. Remember that EIGRP stub routers by default only advertise connected and summary routes, and in this case 192.168.7.0/24 and 192.168.8.0/24 arrive from the SW switch in Branch2, so by default they are not advertised on toward HQ (since the Branch2 WAN routers learned them from EIGRP). This is a common problem, which is why leak-maps were invented.
router eigrp 100
eigrp stub connected summary leak-map EIGRP_LEAK
!
ip prefix-list EIGRP_LEAK seq 5 permit 192.168.7.0/24
ip prefix-list EIGRP_LEAK seq 10 permit 192.168.8.0/24
!
route-map EIGRP_LEAK permit 10
match ip address prefix-list EIGRP_LEAK
route-map EIGRP_LEAK permit 20
Our HQ WAN distribution switch also knows the spoke subnets with equal cost:
SW16#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     192.168.0.0/22 is a summary, 4d23h, Null0
D     192.168.1.0/24 [90/3072] via 192.168.3.1, 4d23h, Vlan40
D     192.168.2.0/24 [90/3072] via 192.168.3.1, 4d23h, Vlan40
D     192.168.5.0/24 [90/1561856] via 192.168.4.4, 00:08:01, Vlan100
                     [90/1561856] via 192.168.4.3, 00:08:01, Vlan100
D     192.168.7.0/24 [90/1689856] via 192.168.4.4, 00:00:35, Vlan100
                     [90/1689856] via 192.168.4.3, 00:00:35, Vlan100
D     192.168.8.0/24 [90/1689856] via 192.168.4.4, 00:00:35, Vlan100
                     [90/1689856] via 192.168.4.3, 00:00:35, Vlan100
D     192.168.10.0/24 [90/1561856] via 192.168.4.4, 00:00:35, Vlan100
                      [90/1561856] via 192.168.4.3, 00:00:35, Vlan100
D     192.168.200.0/24 [90/1536256] via 192.168.4.4, 00:31:20, Vlan100
D     192.168.201.0/24 [90/1536256] via 192.168.4.3, 00:15:38, Vlan100
SW16#
Let's also set up DMVPN Phase 3. One command each on the hubs and the spokes (hub: nhrp redirect, spoke: nhrp shortcut):
Before that, this is what we see. The Branch 1 –> Branch 2 trace already goes over a spoke-to-spoke connection. Note the part marked *: the route's next hop is 192.168.200.3, but the router we learned the route from is R2 (192.168.200.1). With DMVPN dynamic spoke-to-spoke tunnels no EIGRP neighbourship is built; it still exists only between the hub and the spokes!
R13#trace 192.168.10.10
Type escape sequence to abort.
Tracing the route to 192.168.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.200.3 2 msec 1 msec 1 msec
  2 192.168.10.10 2 msec * 2 msec
R13#sh ip route 192.168.10.10
Routing entry for 192.168.10.0/24
  Known via "eigrp 100", distance 90, metric 52224000, type internal
  Redistributing via eigrp 100
  Last update from 192.168.200.3 on Tunnel1, 00:08:20 ago
  Routing Descriptor Blocks:
  * 192.168.200.3, from 192.168.200.1, 00:08:20 ago, via Tunnel1
      Route metric is 52224000, traffic share count is 1
      Total delay is 101000 microseconds, minimum bandwidth is 10000 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2
R13#
R2(config)#int tu1
R2(config-if)#ip nhrp redirect
R2(config-if)#end
R3(config)#int tu2
R3(config-if)#ip nhrp redirect
R3(config-if)#end
R13(config)#int tu1
R13(config-if)#ip nhrp shortcut
R13(config-if)#int tu2
R13(config-if)#ip nhrp shortcut
R13(config-if)#end
R13#
R14(config)#int tu1
R14(config-if)#ip nhrp shortcut
R14(config-if)#end
R15(config)#int tu2
R15(config-if)#ip nhrp shortcut
R15(config-if)#end
After this we still go out via the hub at first, because the NHRP override has not happened yet:
R13#trace 192.168.10.10
Type escape sequence to abort.
Tracing the route to 192.168.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.200.1 2 msec 1 msec 3 msec
  2 192.168.200.3 7 msec
    192.168.10.10 8 msec *
After that we turn to the spoke directly, because we received an NHRP redirect from the hub:
R13#trace 192.168.10.10
Type escape sequence to abort.
Tracing the route to 192.168.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.200.3 2 msec 1 msec 1 msec
  2 192.168.10.10 1 msec * 2 msec
R13#
In the RIB this is marked with a "%", and a /32 route from NHRP (H) also enters the RIB:
R13#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      13.0.0.0/32 is subnetted, 1 subnets
C        13.13.13.13 is directly connected, Loopback0
D     192.168.0.0/22 [90/26629120] via 192.168.201.1, 00:01:07, Tunnel2
                     [90/26629120] via 192.168.200.1, 00:01:07, Tunnel1
D     192.168.4.0/24 [90/26624000] via 192.168.201.1, 00:01:07, Tunnel2
                     [90/26624000] via 192.168.200.1, 00:01:07, Tunnel1
      192.168.5.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.5.0/24 is directly connected, Ethernet0/2.20
L        192.168.5.1/32 is directly connected, Ethernet0/2.20
      192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.6.0/24 is directly connected, Ethernet0/2.10
L        192.168.6.1/32 is directly connected, Ethernet0/2.10
D     192.168.7.0/24 [90/54784000] via 192.168.200.3, 00:00:56, Tunnel1
D     192.168.8.0/24 [90/54784000] via 192.168.200.3, 00:00:56, Tunnel1
D %   192.168.10.0/24 [90/52224000] via 192.168.200.3, 00:00:56, Tunnel1
      192.168.200.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.200.0/24 is directly connected, Tunnel1
L        192.168.200.2/32 is directly connected, Tunnel1
H        192.168.200.3/32 is directly connected, 00:00:50, Tunnel1
      192.168.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.201.0/24 is directly connected, Tunnel2
L        192.168.201.2/32 is directly connected, Tunnel2
R13#
NHRP also tells us that this is "nho" (next-hop override). That is, the spoke is the next hop instead of the hub, so the traffic does not pass through the hub but is sent directly to the spoke. A dynamic NHRP neighbourship is built: the hub sends the spoke the NBMA address of the spoke it wants to reach, so the two of them can build the dynamic tunnel:
R13#sh ip nhrp 192.168.10.0
192.168.10.0/24 via 192.168.200.3
   Tunnel1 created 00:02:06, expire 01:57:53
   Type: dynamic, Flags: router rib nho
   NBMA address: 172.18.204.1
R13#
We'll continue from here.
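As an added example (not part of the original post, and not Cisco code), a small Python audit of the "show ip nhrp" output shown above: it parses the hub cache into entries, checks each registered spoke's NBMA address against an allow-list of expected underlay addresses, and separates out the Phase 3 "nho" shortcut entries like the one on R13. Until the IPsec part is added, this registration cache is where a spoke registering from an unexpected underlay address would show up, so it is worth checking regularly. The sample text and the spoke-to-NBMA mapping are taken from this post's outputs; the allow-list itself is an assumption about what the operator expects.

```python
import re

# "show ip nhrp" from hub R2 and the shortcut entry from spoke R13, taken
# from the post's own output and re-flowed onto their natural lines.
SHOW_IP_NHRP_R2 = """\
192.168.200.2/32 via 192.168.200.2
   Tunnel1 created 00:22:05, expire 01:38:12
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 172.18.202.1
192.168.200.3/32 via 192.168.200.3
   Tunnel1 created 00:16:22, expire 01:46:02
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 172.18.204.1
"""
SHOW_IP_NHRP_R13 = """\
192.168.10.0/24 via 192.168.200.3
   Tunnel1 created 00:02:06, expire 01:57:53
   Type: dynamic, Flags: router rib nho
   NBMA address: 172.18.204.1
"""
# Assumed allow-list: spoke tunnel IP -> NBMA (underlay) address in the MPLS VRF.
EXPECTED_MPLS_SPOKES = {"192.168.200.2": "172.18.202.1",   # R13
                        "192.168.200.3": "172.18.204.1"}   # R14

def parse_show_ip_nhrp(text):
    """One dict per 'prefix via next-hop' block: prefix, nhop, iface, flags, nbma."""
    entries = []
    for line in text.splitlines():
        if m := re.match(r"(\S+/\d+) via (\S+)$", line):
            entries.append({"prefix": m[1], "nhop": m[2], "flags": set()})
        elif not entries:
            continue                         # ignore text before the first entry
        elif m := re.match(r"\s+(\S+) created ", line):
            entries[-1]["iface"] = m[1]
        elif m := re.search(r"Flags: (.*)$", line):
            entries[-1]["flags"] = set(m[1].split())
        elif m := re.search(r"NBMA address: (\S+)", line):
            entries[-1]["nbma"] = m[1]
    return entries

def audit(entries, expected):
    """Return (unexpected, shortcuts): registrations whose NBMA address is not the
    allow-listed one for that spoke, and Phase 3 next-hop-override (nho) entries."""
    unexpected = [(e["nhop"], e.get("nbma")) for e in entries
                  if "registered" in e["flags"] and expected.get(e["nhop"]) != e.get("nbma")]
    shortcuts = [(e["prefix"], e["nhop"], e.get("nbma")) for e in entries if "nho" in e["flags"]]
    return unexpected, shortcuts
```

Feeding the same parser the output of R3 (Tunnel2, INET VRF) with its own allow-list works the same way, since the cache format does not depend on the tunnel.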