00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.121.46? Tell 1.1.100.7
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.122.46? Tell 1.1.100.7
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.123.46? Tell 1.1.100.7
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.124.46? Tell 1.1.100.7
C:\Program Files\Wireshark>editcap -d input.pcap output.pcap
655 packets seen, 78 packets skipped with duplicate window of 5 packets.
IP address conflict detection
For example, consider the following group of packets:
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
aa:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.100 is at aa:00:00:00:00:01
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
aa:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.101 is at aa:00:00:00:00:02
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
aa:00:00:00:00:03 00:00:01:00:00:01 ARP 1.1.1.102 is at aa:00:00:00:00:03
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
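Added example, not from the original page: a small Python detector for the two ARP patterns shown on this page, the sweep of "Who has" requests at the top and the conflicting "is at" replies for 1.1.1.1 just above. The sample lines are constructed in the same text-export column format (source MAC, destination MAC, "ARP", optional length, info).

```python
# Added example (not from the original page): flag (1) an IP advertised by more
# than one MAC in ARP replies, i.e. an address conflict or possible spoofing,
# and (2) one sender asking "Who has" for many distinct targets, i.e. a sweep.
# Input lines mirror the text-exported capture format used on this page.
import re
from collections import defaultdict

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
REPLY_RE = re.compile(r"^(\S+)\s+(\S+)\s+ARP\s+(?:\d+\s+)?" + IPV4 + r" is at (\S+)$")
REQUEST_RE = re.compile(r"^(\S+)\s+(\S+)\s+ARP\s+(?:\d+\s+)?Who has " + IPV4
                        + r"\? Tell " + IPV4 + r"$")

def find_conflicts(lines):
    """Map each advertised IP to the MACs that claimed it; return only the IPs
    claimed by more than one MAC, as {ip: sorted list of MACs}."""
    claims = defaultdict(set)
    for line in lines:
        m = REPLY_RE.match(line.strip())
        if m:
            _src, _dst, ip, mac = m.groups()
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def find_sweeps(lines, threshold=3):
    """Return {sender MAC: distinct target count} for senders that asked about
    at least `threshold` different IPs, a scan-like pattern."""
    targets = defaultdict(set)
    for line in lines:
        m = REQUEST_RE.match(line.strip())
        if m:
            src, _dst, target, _tell = m.groups()
            targets[src].add(target)
    return {mac: len(t) for mac, t in targets.items() if len(t) >= threshold}

# Constructed sample in the page's format: three probes from one MAC, then
# two different MACs both answering for 1.1.1.1, then a normal reply.
SAMPLE = """\
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.121.46? Tell 1.1.100.7
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.122.46? Tell 1.1.100.7
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.123.46? Tell 1.1.100.7
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
aa:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.100 is at aa:00:00:00:00:01
""".splitlines()

if __name__ == "__main__":
    print("conflicts:", find_conflicts(SAMPLE))
    print("sweeps:", find_sweeps(SAMPLE))
```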
What is WLAN? WLAN stands for Wireless Local Area Network: a network in which computing devices are interconnected using wireless communication technology so that they can communicate with one another and share resources. Wired LANs have drawbacks such as cabling cost and poor mobility; the demand for convenient deployment and mobility led to the birth of WLAN technology.
What is Wi-Fi? Before the IEEE formally publishes a standard, the Wi-Fi Alliance carries out compatibility certification first; once Wi-Fi certification has been completed, there are usually no major IEEE compatibility problems.
Independent network (Independent Basic Service Set)
Usually a temporary network formed by a few STAs (terminal devices); all STAs are peers and there is no central control node.
Data is transmitted directly from terminal to terminal; this is usually a temporary network.
Infrastructure network (Infrastructure Basic Service Set)
Requires an AP to provide access; all STAs (terminals) associate with the AP, and the AP forwards both traffic to external networks and traffic between STAs.
Terminal-to-terminal traffic is forwarded through the AP. If the forwarding is wireless-to-wireless, no data frame conversion is needed.
Service set concepts
A BSS (basic service set) is the basic unit through which an 802.11 network provides service. Within the service area of a BSS (that is, within radio coverage), STAs can communicate with each other.
· Independent network (Independent Basic Service Set)
· Infrastructure network (Infrastructure Basic Service Set)
The SSID (service set identifier) identifies a BSS, that is, it identifies a WLAN network.
· BSSID: basic service set identifier, the MAC address of the AP; cannot be changed.
· ESSID: extended service set identifier, broadcast by the AP; can be changed (the name of the wireless network).
iperf3 is a tool for measuring the maximum usable bandwidth of a network. It supports a range of parameters for UDP, TCP, SCTP, IPv4 and IPv6, and for every test it produces a result containing the bandwidth figure, packet loss and other parameters. iPerf was originally developed by NLANR/DAST. iPerf3 is mainly developed by ESnet / Lawrence Berkeley National Laboratory. It is released under the three-clause BSD license. Most of this article comes from https://iperf.fr/. If anything here infringes your rights, please let me know; thanks. lvpin333@gmail.com
iPerf3 --help
This article is based on iPerf 3.1.3 for Windows.
C:\Users\win7>iPerf3 --help
Usage: iperf [-s|-c host] [options]
iperf [-h|--help] [-v|--version]
Server or Client:
-p, --port # server port to listen on / connect to; default 5201
-f, --format [kmgKMG] unit used for the Bandwidth column in the report: "-f K", "-f M", "-f KB", "-f MB"
-i, --interval # seconds between periodic bandwidth reports; range 0.01 to 60
-F, --file name xmit/recv the specified file
-B, --bind <host> bind to the specified interface
-V, --verbose more detailed output
-J, --json output in JSON format
--logfile f send output to a log file, e.g. "--logfile lvpin.txt"
-d, --debug emit debugging output
-v, --version show version information and quit
-h, --help show this message and quit
Server specific:
-s, --server run in server mode
-D, --daemon run the server as a daemon
-I, --pidfile file write PID file
-1, --one-off handle one client connection then exit, "-1"
Client specific:
-c, --client <host> run in client mode, connecting to <host>
-u, --udp use UDP rather than TCP (TCP is the default)
-b, --bandwidth #[KMG][/#] target bandwidth in bits/sec (0 for unlimited); default 1 Mbit/sec for UDP, unlimited for TCP; for burst mode append "/" and the number of packets
-t, --time # time in seconds to transmit for; default 10 seconds
-n, --bytes #[KMG] number of bytes to transmit (instead of -t)
-k, --blockcount #[KMG] number of blocks (packets) to transmit (instead of -t or -n)
-l, --len #[KMG] length of buffer to read or write; default 128 KB for TCP, 8 KB for UDP
--cport <port> bind to a specific client port (TCP and UDP, default: ephemeral port)
-P, --parallel # number of parallel client streams to run, e.g. "-P 2"
-R, --reverse run in reverse mode (server sends, client receives)
-w, --window #[KMG] set the window size / socket buffer size
-M, --set-mss # set the TCP maximum segment size (MSS)
-N, --no-delay disable Nagle's Algorithm
-4, --version4 only use IPv4
-6, --version6 only use IPv6
-S, --tos N set the IP header TOS (type of service) value
-Z, --zerocopy use a 'zero copy' method of sending data
-O, --omit N omit the first "N" seconds of data (used to skip TCP slow start)
-T, --title str prefix every output line with this string
--get-server-output get results from server
--udp-counters-64bit use 64-bit counters in UDP test packets
[KMG] indicates options that support a K/M/G suffix for kilo-, mega-, or giga-
iperf3 homepage at: http://software.es.net/iperf/
Report bugs to: https://github.com/esnet/iperf
iPerf3 examples
Basic test
Server:
C:\Users\lvpin>iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Client:
window size: 2048
MSS: 800
buffer size: 256
disable Nagle's algorithm
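Added example, not from the original page or the iperf project: a Python helper that builds the client command line for the basic test above (window 2048, MSS 800, 256-byte buffers, Nagle disabled) and summarises the "-J" JSON result so a link test can be judged automatically. The JSON documents below are constructed to mirror the "end" section of iperf3's output; the host, port and acceptance thresholds are assumptions.

```python
# Added example (not from the original page): build the iperf3 client command
# for the basic test described above and evaluate an "iperf3 -J" JSON result.
import json

def client_args(host, port=5201, seconds=10):
    """Command line for the test above: -w 2048, -M 800, -l 256, -N, plus -J
    so the result can be parsed instead of read by eye."""
    return ["iperf3", "-c", host, "-p", str(port), "-t", str(seconds),
            "-w", "2048", "-M", "800", "-l", "256", "-N", "-J"]

def summarize(json_text):
    """Reduce an iperf3 JSON document to the figures that matter for a link
    test: Mbit/s, retransmits (TCP) or loss and jitter (UDP), or the error."""
    doc = json.loads(json_text)
    if "error" in doc:                       # iperf3 puts connection failures here
        return {"error": doc["error"]}
    end = doc["end"]
    if "sum" in end:                         # UDP: one summary with loss/jitter
        s = end["sum"]
        return {"proto": "UDP", "mbps": s["bits_per_second"] / 1e6,
                "lost_percent": s["lost_percent"], "jitter_ms": s["jitter_ms"]}
    sent, recv = end["sum_sent"], end["sum_received"]   # TCP: sender and receiver views
    return {"proto": "TCP", "mbps_sent": sent["bits_per_second"] / 1e6,
            "mbps_received": recv["bits_per_second"] / 1e6,
            "retransmits": sent.get("retransmits", 0)}

def passes(summary, min_mbps, max_loss_percent=1.0):
    """Acceptance rule: enough received bandwidth, and for UDP low enough loss."""
    if "error" in summary:
        return False
    if summary["proto"] == "UDP":
        return summary["mbps"] >= min_mbps and summary["lost_percent"] <= max_loss_percent
    return summary["mbps_received"] >= min_mbps

# Constructed sample documents (only the keys used above are included).
TCP_SAMPLE = json.dumps({"end": {
    "sum_sent": {"bytes": 1175000000, "bits_per_second": 940e6, "retransmits": 12},
    "sum_received": {"bytes": 1172500000, "bits_per_second": 938e6}}})
UDP_SAMPLE = json.dumps({"end": {"sum": {
    "bits_per_second": 1.0e6, "jitter_ms": 0.12, "lost_packets": 3,
    "packets": 1200, "lost_percent": 0.25}}})
ERR_SAMPLE = json.dumps({"error": "unable to connect to server: Connection refused"})

if __name__ == "__main__":
    print(" ".join(client_args("192.0.2.10")))   # assumed server address
    for doc in (TCP_SAMPLE, UDP_SAMPLE, ERR_SAMPLE):
        print(summarize(doc), passes(summarize(doc), min_mbps=900))
```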
Emulating wide area network delays with Linux
NetEm (already enabled in the Linux kernel) provides Network Emulation functionality for testing protocols by emulating the properties of wide area networks.
To simulate an additional latency of 80 ms, just type sudo tc qdisc add dev eth0 root netem delay 80ms
It just adds a fixed amount of delay to all packets going out of the local Ethernet.
To stop the additional latency, just type sudo tc qdisc change dev eth0 root netem delay 0ms
Lines to add to the file /etc/rc.local before exit 0, to add 40ms of latency:
# Add +40ms latency
tc qdisc add dev eth0 root netem delay 40ms
Note: If your network interface is not eth0, replace eth0 with the name of your network interface
The SSL Record Protocol provides two services for SSL: confidentiality, by encrypting application-layer data, and message integrity, through the use of a message authentication code (MAC).
The SSL Record Protocol is the base protocol on which the upper layers run. One of those upper layers is the Handshake Protocol, which is used to exchange the encryption and authentication keys.
The following describes the overall operation of the SSL Record Protocol. The Record Protocol takes an application-layer message to be transmitted, fragments the data into blocks, compresses the data, applies a message authentication code (MAC), encrypts, adds a record header, and hands the result to TCP for transmission in a segment. Received data goes through the reverse process: it is decrypted, verified, decompressed and reassembled, then delivered to the application.
                            +----------------------------+
Application Data            ||||||||||||||||||||||||||||||   [original application data]
                            +----------------------------+
                                          |
                                          V
                            +--------++--------++--------+
Fragment                    ||||||||||||||||||||||||||||||   [split into fragments]
                            +--------++--------++--------+
                                          |
                                          V
                            +--------+
Compress                    |--------|                       [lossless compression of each fragment]
                            +--------+
                                          |
                                          V
                            +--------+-+
Add MAC                     |--------|*|                     [append the message authentication code]
                            +--------+-+
                                          |
                                          V
                            +----------+
Encrypt                     |XXXXXXXXXX|                     [encrypt the data]
                            +----------+
                                          |
                                          V
                            +-+----------+
Append SSL Record Header    |+|XXXXXXXXXX|                   [prepend the SSL Record Header]
                            +-+----------+
Step five is adding the header (SSL Record Header), which consists of the following fields.
Content Type (8 bits): the higher-layer protocol that is to process the enclosed fragment.
Major Version (8 bits): the major version of SSL in use.
Minor Version (8 bits): the minor version of SSL in use; for SSLv3 the value is 0.
Compressed Length (16 bits): the length of the plaintext fragment.
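Added example, not from the original page: a Python encoder and parser for the 5-byte record header described above, together with the fragmentation step from the diagram; compression, MAC and encryption are left out, and the payload is constructed. It also shows the two checks a receiver needs on such a header: an unknown content type and a length beyond the record limit.

```python
# Added example (not from the original page): pack and parse the SSL Record
# Header (8-bit content type, 8-bit major, 8-bit minor, 16-bit length) and
# split application data into record-sized fragments.
import struct

HEADER = struct.Struct("!BBBH")          # type, major, minor, length (network order)
MAX_PLAINTEXT = 2 ** 14                  # SSLv3 limits a plaintext fragment to 16384 bytes
MAX_CIPHERTEXT = MAX_PLAINTEXT + 2048    # a protected fragment may grow by at most 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def fragment(data, size=MAX_PLAINTEXT):
    """Split application data into chunks of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]

def build_record(content_type, major, minor, body):
    """Prepend the record header to one (already protected) fragment."""
    if content_type not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % content_type)
    if len(body) > MAX_CIPHERTEXT:
        raise ValueError("fragment exceeds the record size limit")
    return HEADER.pack(content_type, major, minor, len(body)) + body

def parse_record(buf):
    """Parse one record from the front of `buf`.  Returns (record, rest);
    record is None when more bytes are needed, since a record may span TCP
    segments.  Raises ValueError for a header that is not well-formed."""
    if len(buf) < HEADER.size:
        return None, buf
    ctype, major, minor, length = HEADER.unpack_from(buf)
    if ctype not in CONTENT_TYPES:
        raise ValueError("invalid content type %d" % ctype)
    if length > MAX_CIPHERTEXT:
        raise ValueError("record length %d exceeds the limit" % length)
    end = HEADER.size + length
    if len(buf) < end:
        return None, buf
    record = {"type": CONTENT_TYPES[ctype], "version": (major, minor),
              "length": length, "fragment": buf[HEADER.size:end]}
    return record, buf[end:]

if __name__ == "__main__":
    # SSLv3 (major 3, minor 0) application-data records over a constructed payload
    payload = b"x" * 20000
    stream = b"".join(build_record(23, 3, 0, f) for f in fragment(payload))
    while True:
        rec, stream = parse_record(stream)
        if rec is None:
            break
        print(rec["type"], rec["version"], rec["length"])
```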
GET VPN introduces a new concept called the trust group ("Trust Group Members"). Every site that needs to encrypt or decrypt traffic must first join this trust group, and the group must contain at least one Key Server. The key server's main task is to authenticate group members; once a group member is authenticated it obtains a security association shared with all other group members, which is used to encrypt and decrypt data. Because they share the same security association, sites within the same group can communicate with each other directly.
Because GET VPN security associations are not triggered by traffic but are pushed down by the key server after a group member registers, the network delay caused by negotiating security associations is reduced. In this respect it is friendlier than a traditional IPsec VPN.
R1#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.17.1 YES manual up up
Loopback1 1.1.1.1 YES manual up up
R2#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.27.2 YES manual up up
Loopback1 2.2.2.2 YES manual up up
R3#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.37.3 YES manual up up
Loopback1 3.3.3.3 YES manual up up
R4#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.48.4 YES manual up up
Loopback1 4.4.4.4 YES manual up up
R5#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.58.5 YES manual up up
Loopback1 5.5.5.5 YES manual up up
R7#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.78.7 YES manual up up
Serial1/1 192.168.17.7 YES manual up up
Serial1/2 192.168.27.7 YES manual up up
Serial1/3 192.168.37.7 YES manual up up
Loopback1 7.7.7.7 YES manual up up
R8#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.78.8 YES manual up up
Serial1/4 192.168.48.8 YES manual up up
Serial1/5 192.168.58.8 YES manual up up
Loopback1 8.8.8.8 YES manual up up
Configuration
!Key-Server-R4(Master)
crypto key generate rsa general label ccie43413-rsa
!
access-list 199 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
crypto isakmp policy 10 !ISAKMP phase 1 configuration
encr 3des
authentication pre-share
group 2
crypto isakmp key ccie43413 address 192.168.17.1 !ISAKMP phase 1: establish ISAKMP with R1
crypto isakmp key ccie43413 address 192.168.27.2 !ISAKMP phase 1: establish ISAKMP with R2
crypto isakmp key ccie43413 address 192.168.37.3 !ISAKMP phase 1: establish ISAKMP with R3
crypto isakmp key ccie43413 address 192.168.58.5 !ISAKMP phase 1: establish ISAKMP with R5
!
!
crypto ipsec transform-set gdoi-trans esp-3des esp-sha-hmac !define the transform set
mode tunnel
!
!
crypto ipsec profile getvpn-profile !configure the IPsec profile
set security-association lifetime seconds 1800 !set the security association lifetime
set transform-set gdoi-trans !reference the transform set defined above
!
crypto gdoi group getvpn-group !GDOI configuration
identity number 43413 !ID shared by all devices in the same GET VPN domain
server local
rekey retransmit 10 number 2 !rekey retransmission: seconds before resending, and number of retries
rekey authentication mypubkey rsa ccie43413-rsa !use the RSA key pair generated earlier
rekey transport unicast !distribute rekeys by unicast
sa ipsec 1 !IPsec SA id; different ids are installed in a different order
profile getvpn-profile !reference the "crypto ipsec profile" configured above
match address ipv4 199 !define the interesting traffic
replay time window-size 5 !anti-replay; see "Group Encrypted Transport VPN (GET VPN) Design and Implementation Guide", section 3.5.7 TBAR
address ipv4 192.168.48.4 !address of this (local) key server
redundancy
local priority 100 !KS priority; the higher value is preferred
peer address ipv4 192.168.58.5 !address of the remote (peer) key server
!
------------------------------------------------------------------------------------------------------------------------------------
!Key-Server-R5(Standby)
crypto key generate rsa general label ccie43413-rsa
!
access-list 199 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ccie43413 address 192.168.17.1
crypto isakmp key ccie43413 address 192.168.27.2
crypto isakmp key ccie43413 address 192.168.37.3
crypto isakmp key ccie43413 address 192.168.48.4 !difference
!
!
crypto ipsec transform-set gdoi-trans esp-3des esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile getvpn-profile
set security-association lifetime seconds 1800
set transform-set gdoi-trans
!
crypto gdoi group getvpn-group
identity number 43413
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa ccie43413-rsa
rekey transport unicast
sa ipsec 1
profile getvpn-profile
match address ipv4 199
replay time window-size 5
address ipv4 192.168.58.5 !difference
redundancy
local priority 80 !difference
peer address ipv4 192.168.48.4 !difference
!
------------------------------------------------------------------------------------------------------------------------------------
!Group Member-R1, Group Member-R2, Group Member-R3
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp key ccie43413 address 192.168.48.4
crypto isakmp key ccie43413 address 192.168.58.5
!
crypto gdoi group getvpn
identity number 43413
server address ipv4 192.168.48.4
server address ipv4 192.168.58.5
!
crypto map getvpn-map 10 gdoi
set group getvpn
interface s1/0
crypto map getvpn-map
!
R1#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.17.1 YES manual up up
R2#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.27.2 YES manual up up
R3#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.37.3 YES manual up up
R8#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.78.8 YES manual up up
R7#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.78.7 YES manual up up
Serial1/1 192.168.17.7 YES manual up up
Serial1/2 192.168.27.7 YES manual up up
Serial1/3 192.168.37.7 YES manual up up
Configuration
!Hub-R8
interface Tunnel1
ip address 172.168.1.8 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic !build NHRP entries dynamically; the spokes below are learned through dynamic registration.
ip nhrp map 172.168.1.3 192.168.37.3 !static mapping toward Hub-2 (R3).
ip nhrp map multicast 192.168.37.3 !static multicast mapping toward Hub-2 (R3).
ip nhrp network-id 10
tunnel source Serial1/0
tunnel mode gre multipoint
end
!Hub-R3
interface Tunnel1
ip address 172.168.1.3 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic !build NHRP entries dynamically; the spokes below are learned through dynamic registration.
ip nhrp map 172.168.1.8 192.168.78.8 !static mapping toward Hub-1 (R8).
ip nhrp map multicast 192.168.78.8 !static multicast mapping toward Hub-1 (R8).
ip nhrp network-id 10
tunnel source Serial1/0
tunnel mode gre multipoint
end
!Spoke-R1
interface Tunnel1
ip address 172.168.1.1 255.255.255.0
no ip redirects
ip nhrp map 172.168.1.8 192.168.78.8 !register with Hub-R8
ip nhrp map 172.168.1.3 192.168.37.3 !register with Hub-R3
ip nhrp map multicast 192.168.78.8
ip nhrp map multicast 192.168.37.3
ip nhrp network-id 10
ip nhrp nhs 172.168.1.3
ip nhrp nhs 172.168.1.8
tunnel source Serial1/0
tunnel mode gre multipoint
end
!Spoke-R2
interface Tunnel1
ip address 172.168.1.2 255.255.255.0
no ip redirects
ip nhrp map 172.168.1.8 192.168.78.8 !register with Hub-R8
ip nhrp map 172.168.1.3 192.168.37.3 !register with Hub-R3
ip nhrp map multicast 192.168.78.8
ip nhrp map multicast 192.168.37.3
ip nhrp network-id 10
ip nhrp nhs 172.168.1.3
ip nhrp nhs 172.168.1.8
tunnel source Serial1/0
tunnel mode gre multipoint
end
R1#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.17.1 YES manual up up
R2#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.28.2 YES manual up up
R3#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.37.3 YES manual up up
Serial1/1 192.168.38.3 YES manual up up
R4#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.47.4 YES manual up up
Serial1/1 192.168.48.4 YES manual up up
R7#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.17.7 YES manual up up
Serial1/3 192.168.37.7 YES manual up up
Serial1/4 192.168.47.7 YES manual up up
R8#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/2 192.168.28.8 YES manual up up
Serial1/3 192.168.38.8 YES manual up up
Serial1/4 192.168.48.8 YES manual up up
Configuration
!Hub-R1
interface Tunnel1
ip address 172.168.1.1 255.255.255.0 !NHRP tunnel subnet on the ISP-R7 side
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 10 !different from R2's NHRP network-id
tunnel source Serial1/0
tunnel mode gre multipoint
end
!Hub-R2
interface Tunnel1
ip address 172.168.2.2 255.255.255.0 !NHRP tunnel subnet on the ISP-R8 side
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 20 !different from R1's NHRP network-id
tunnel source Serial1/1
tunnel mode gre multipoint
end
!Spoke-R3
interface Tunnel1
ip address 172.168.1.3 255.255.255.0 !NHRP tunnel subnet on the ISP-R7 side
no ip redirects
ip nhrp map 172.168.1.1 192.168.17.1 !register with Hub-R1
ip nhrp map multicast 192.168.17.1
ip nhrp network-id 10
ip nhrp nhs 172.168.1.1
tunnel source Serial1/0
tunnel mode gre multipoint
!
interface Tunnel2
ip address 172.168.2.3 255.255.255.0 !NHRP tunnel subnet on the ISP-R8 side
no ip redirects
ip nhrp map 172.168.2.2 192.168.28.2 !register with Hub-R2
ip nhrp map multicast 192.168.28.2
ip nhrp network-id 20
ip nhrp nhs 172.168.2.2
tunnel source Serial1/1
tunnel mode gre multipoint
end
!Spoke-R4
interface Tunnel1
ip address 172.168.1.4 255.255.255.0 !NHRP tunnel subnet on the ISP-R7 side
no ip redirects
ip nhrp map 172.168.1.1 192.168.17.1 !register with Hub-R1
ip nhrp map multicast 192.168.17.1
ip nhrp network-id 10
ip nhrp nhs 172.168.1.1
tunnel source Serial1/0
tunnel mode gre multipoint
!
interface Tunnel2
ip address 172.168.2.4 255.255.255.0 !NHRP tunnel subnet on the ISP-R8 side
no ip redirects
ip nhrp map 172.168.2.2 192.168.28.2 !register with Hub-R2
ip nhrp map multicast 192.168.28.2
ip nhrp network-id 20
ip nhrp nhs 172.168.2.2
tunnel source Serial1/1
tunnel mode gre multipoint
end
R1#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.17.1 YES manual up up
R2#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.27.2 YES manual up up
R3#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.38.3 YES manual up up
R4#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.48.4 YES manual up up
R7#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.17.7 YES manual up up
Serial1/2 192.168.27.7 YES manual up up
Serial1/5 192.168.57.7 YES manual up up
R8#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/3 192.168.38.8 YES manual up up
Serial1/4 192.168.48.8 YES manual up up
Serial1/5 192.168.58.8 YES manual up up
R5#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.57.5 YES manual up up
Serial1/1 192.168.58.5 YES manual up up
Configuration
!Spoke-R1
interface Tunnel1
ip address 172.168.1.1 255.255.255.0
no ip redirects
ip nhrp map 172.168.1.7 7.7.7.7 !register with R7 so that R1-to-R2 is reachable in both directions
ip nhrp map multicast 7.7.7.7
ip nhrp network-id 10
ip nhrp nhs 172.168.1.7
tunnel source Serial1/0
tunnel mode gre multipoint
end
!Spoke-R2
interface Tunnel1
ip address 172.168.1.2 255.255.255.0
no ip redirects
ip nhrp map 172.168.1.7 7.7.7.7 !register with R7 so that R1-to-R2 is reachable in both directions
ip nhrp map multicast 7.7.7.7
ip nhrp map 172.168.1.5 5.5.5.5 !register with R5 so that R2-to-R4 is reachable in both directions
ip nhrp map multicast 5.5.5.5
ip nhrp network-id 10
ip nhrp nhs 172.168.1.7
ip nhrp nhs 172.168.1.5
tunnel source Serial1/0
tunnel mode gre multipoint
end
!Spoke-R3
interface Tunnel1
ip address 172.168.1.3 255.255.255.0
no ip redirects
ip nhrp map 172.168.1.8 8.8.8.8 !register with R8 so that R3-to-R4 is reachable in both directions
ip nhrp map multicast 8.8.8.8
ip nhrp network-id 10
ip nhrp nhs 172.168.1.8
tunnel source Serial1/1
tunnel mode gre multipoint
end
!Spoke-R4
interface Tunnel1
ip address 172.168.1.4 255.255.255.0
no ip redirects
ip nhrp map 172.168.1.8 8.8.8.8 !register with R8 so that R3-to-R4 is reachable in both directions
ip nhrp map multicast 8.8.8.8
ip nhrp map 172.168.1.5 5.5.5.5 !register with R5 so that R2-to-R4 is reachable in both directions
ip nhrp map multicast 5.5.5.5
ip nhrp network-id 10
ip nhrp nhs 172.168.1.8
ip nhrp nhs 172.168.1.5
tunnel source Serial1/1
tunnel mode gre multipoint
end
!Branch-R7
interface Tunnel1
ip address 172.168.1.7 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic !acts as an NHS itself, accepting registrations from R1 and R2
ip nhrp map 172.168.1.5 5.5.5.5 !register with Center-R5 so that R7-to-R8 is reachable in both directions
ip nhrp map multicast 5.5.5.5
ip nhrp network-id 10
ip nhrp nhs 172.168.1.5
tunnel source 7.7.7.7
tunnel mode gre multipoint
end
!Branch-R8
interface Tunnel1
ip address 172.168.1.8 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic !acts as an NHS itself, accepting registrations from R3 and R4
ip nhrp map 172.168.1.5 5.5.5.5 !register with Center-R5 so that R7-to-R8 is reachable in both directions
ip nhrp map multicast 5.5.5.5
ip nhrp network-id 10
ip nhrp nhs 172.168.1.5
tunnel source 8.8.8.8
tunnel mode gre multipoint
end
!Center-R5
interface Tunnel1
ip address 172.168.1.5 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 10
tunnel source 5.5.5.5
tunnel mode gre multipoint
end
Appendix
crypto ikev2 keyring cisco-ikev2-keyring !configure the IKEv2 keyring
peer dmvpn-node !configure a peer and its associated keys
description symmetric pre-shared key for the hub/spoke
address 0.0.0.0 0.0.0.0 !peers are dynamic, so the address is 0.0.0.0
pre-shared-key cisco123 !configure the pre-shared key "cisco123"
!
!
crypto ikev2 profile cisco-ikev2-profile !configure the IKEv2 profile
match identity remote address 0.0.0.0 !peers are dynamic, so match remote address 0.0.0.0
authentication remote pre-share !both sides authenticate with the pre-shared key
authentication local pre-share !both sides authenticate with the pre-shared key
keyring local cisco-ikev2-keyring !reference the keyring configured above
!
crypto ipsec transform-set cisco-ts esp-3des esp-md5-hmac !configure the transform set
mode tunnel
!
crypto ipsec profile cisco-ipsec-ikev2 !configure the IPsec profile
set transform-set cisco-ts !reference the transform set configured above
set ikev2-profile cisco-ikev2-profile !reference the IKEv2 profile, which in turn references the keyring
!
interface Tunnel1
tunnel protection ipsec profile cisco-ipsec-ikev2 !apply on the interface to protect the traffic over the tunnel
Compared with a traditional point-to-point GRE tunnel, mGRE provides a typical NBMA (Non-Broadcast Multiple Access) network, and an NBMA network is a typical hub-and-spoke model. Spoke-to-spoke traffic is forwarded through the hub, which guarantees connectivity at the underlay.
Next Hop Resolution Protocol (NHRP)
NHRP overview
mGRE guarantees underlay connectivity, but with mGRE alone, when a packet is about to be GRE-encapsulated there is no destination address available to use, so the GRE encapsulation cannot be completed. At that point NHRP is needed to resolve the mapping between tunnel addresses and physical addresses.
If a spoke only obtains the hub's information, spoke-to-spoke traffic must be forwarded through the hub, which adds load on the hub. NHRP therefore uses a register-first, then-request approach: not only does the hub learn the spokes' information, but spoke-to-spoke NHRP mappings can also be resolved.
In essence, NHRP provides the mapping table for the NBMA network (VPN IP to NBMA IP address mapping).
NHRP is a "layer two" resolution and caching protocol, very much like ARP or Reverse ARP in Frame Relay networks (broadcast and multicast sent by a spoke are received only by the hub).
It is used in DMVPN to map a tunnel IP address to an NBMA address.
Like ARP, NHRP has static and dynamic entries (typically static NHRP mappings are configured on the spokes and dynamic entries on the hub).
Why is NHRP needed? (How mGRE uses NHRP)
A typical mGRE configuration looks like this:
interface Tunnel 0
ip address 10.0.0.1 255.0.0.0
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 1
When a packet is routed, it is passed to the mGRE interface together with its next hop.
The next hop is the tunnel address of a remote peer.
At this point, knowing only the peer's tunnel address, the router cannot determine the remote peer's physical address, so it cannot encapsulate and send the packet. NHRP is needed to map the tunnel IP address to the NBMA IP address (the physical interface address).
mGRE looks up the next-hop address in the NHRP cache and retrieves the NBMA address of the remote peer.
mGRE encapsulates the packet into a GRE/IP payload.
The new packet's destination is the NBMA address.
The NHRP resolution phase mainly handles spoke-to-spoke communication. After Registration there is no spoke-to-spoke NHRP entry, so spoke-to-spoke traffic must go through the hub. NHRP's Resolution mechanism optimizes the traffic path so that spoke-to-spoke traffic no longer needs to be forwarded by the hub; the Resolution Request and Resolution Reply messages are what implement this.
!Hub
interface Serial1/0
ip address 192.168.78.8 255.255.255.0
ip ospf 1 area 0
!
interface Tunnel1
ip address 172.168.1.8 255.255.255.0
no ip redirects
ip nhrp authentication 43413
ip nhrp map multicast dynamic
ip nhrp network-id 10
tunnel source 192.168.78.8
tunnel mode gre multipoint
tunnel key 43413
SpokeA
!SpokeA
interface Serial1/0
ip address 192.168.17.1 255.255.255.0
ip ospf 1 area 0
!
interface Tunnel1
ip address 172.168.1.1 255.255.255.0
no ip redirects
ip nhrp authentication 43413
ip nhrp map 172.168.1.8 192.168.78.8
ip nhrp map multicast 192.168.78.8
ip nhrp network-id 10
ip nhrp nhs 172.168.1.8
tunnel source 192.168.17.1
tunnel mode gre multipoint
tunnel key 43413
end
SpokeB
!SpokeB
interface Serial1/0
ip address 192.168.27.2 255.255.255.0
ip ospf 1 area 0
!
interface Tunnel1
ip address 172.168.1.2 255.255.255.0
no ip redirects
ip nhrp authentication 43413
ip nhrp map 172.168.1.8 192.168.78.8
ip nhrp map multicast 192.168.78.8
ip nhrp network-id 10
ip nhrp nhs 172.168.1.8
tunnel source 192.168.27.2
tunnel mode gre multipoint
tunnel key 43413
end
SpokeC
!SpokeC
interface Serial1/0
ip address 192.168.37.3 255.255.255.0
ip ospf 1 area 0
!
interface Tunnel1
ip address 172.168.1.3 255.255.255.0
no ip redirects
ip nhrp authentication 43413
ip nhrp map 172.168.1.8 192.168.78.8
ip nhrp map multicast 192.168.78.8
ip nhrp network-id 10
ip nhrp nhs 172.168.1.8
tunnel source 192.168.37.3
tunnel mode gre multipoint
tunnel key 43413
end
Switch
!Switch
interface Serial1/0
description To-Hub
ip address 192.168.78.7 255.255.255.0
ip ospf 1 area 0
!
interface Serial1/1
description To-SpokeA
ip address 192.168.17.7 255.255.255.0
ip ospf 1 area 0
!
interface Serial1/2
description To-SpokeB
ip address 192.168.27.7 255.255.255.0
ip ospf 1 area 0
!
interface Serial1/3
description To-SpokeC
ip address 192.168.37.7 255.255.255.0
ip ospf 1 area 0
end
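Added example, not from the original page: a Python consistency check over the "interface Tunnel1" sections of the Hub and Spoke configurations above. All members of one DMVPN must agree on the NHRP network-id, the NHRP authentication string and the GRE tunnel key, and every "ip nhrp nhs" a spoke points at needs a matching static "ip nhrp map" entry; the constructed SPOKE_BAD shows how a misconfigured spoke is reported.

```python
# Added example (not from the original page): check that DMVPN tunnel
# interfaces agree on NHRP network-id, authentication string and GRE tunnel
# key, and that each NHS has a static NHRP mapping.  HUB and SPOKE_A are
# constructed from the page's Hub/SpokeA sections; SPOKE_BAD is a
# deliberately misconfigured spoke.
import re

def parse_tunnel(config, name="Tunnel1"):
    """Config lines of one Tunnel interface; the section ends at '!', 'end' or the next 'interface'."""
    lines, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"interface\s+%s$" % re.escape(name), line, re.I):
            inside = True
        elif line in ("!", "end") or line.lower().startswith("interface "):
            inside = False
        elif inside and line:
            lines.append(line)
    return lines

def tunnel_params(lines):
    """Extract the NHRP/GRE settings this check cares about."""
    p = {"nhs": [], "maps": {}}
    for line in lines:
        w = line.split()
        if line.startswith("ip nhrp network-id "):
            p["network_id"] = w[3]
        elif line.startswith("ip nhrp authentication "):
            p["auth"] = w[3]
        elif line.startswith("tunnel key "):
            p["tunnel_key"] = w[2]
        elif line.startswith("ip nhrp nhs "):
            p["nhs"].append(w[3])
        elif line.startswith("ip nhrp map ") and w[3] != "multicast":
            p["maps"][w[3]] = w[4]          # tunnel IP -> NBMA IP
    return p

def check_dmvpn(devices):
    """devices: {device name: config text}. Returns findings; [] means consistent."""
    params = {n: tunnel_params(parse_tunnel(c)) for n, c in devices.items()}
    findings = []
    for key in ("network_id", "auth", "tunnel_key"):
        if len({p.get(key) for p in params.values()}) != 1:
            findings.append("%s mismatch: %s" % (key, ", ".join(
                "%s=%s" % (n, p.get(key)) for n, p in params.items())))
    for name, p in params.items():
        for nhs in p["nhs"]:
            if nhs not in p["maps"]:
                findings.append("%s: nhs %s has no static ip nhrp map" % (name, nhs))
    return findings

HUB = """interface Tunnel1
ip nhrp authentication 43413
ip nhrp map multicast dynamic
ip nhrp network-id 10
tunnel key 43413
!
"""
SPOKE_A = """interface Tunnel1
ip nhrp authentication 43413
ip nhrp map 172.168.1.8 192.168.78.8
ip nhrp map multicast 192.168.78.8
ip nhrp network-id 10
ip nhrp nhs 172.168.1.8
tunnel key 43413
end
"""
# Constructed misconfiguration: wrong network-id and an NHS without a map entry.
SPOKE_BAD = """interface Tunnel1
ip nhrp authentication 43413
ip nhrp network-id 20
ip nhrp nhs 172.168.1.8
tunnel key 43413
end
"""

if __name__ == "__main__":
    for f in check_dmvpn({"Hub": HUB, "SpokeA": SPOKE_A, "SpokeB": SPOKE_BAD}):
        print(f)
```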
IPsec VPN configuration
The IPsec VPN configuration is identical on the Hub and on SpokeA, B and C, so it can be applied as-is.
crypto ikev2 keyring cisco-ikev2-keyring
peer dmvpn-node
description symmetric pre-shared key for the hub/spoke
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
!
crypto ikev2 profile cisco-ikev2-profile
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local cisco-ikev2-keyring
!
crypto ipsec transform-set cisco-ts esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco-ipsec-ikev2
set transform-set cisco-ts
set ikev2-profile cisco-ikev2-profile
!
interface Tunnel1
tunnel protection ipsec profile cisco-ipsec-ikev2
!Hub
interface Serial1/0
ip address 192.168.78.8 255.255.255.0
ip ospf 1 area 0
!
interface Tunnel1
ip address 172.168.1.8 255.255.255.0
no ip redirects
ip nhrp authentication 43413 !NHRP authentication string; every device in the same NBMA network must be configured with the same string.
ip nhrp map multicast dynamic !build NHRP mapping entries dynamically (through registration).
ip nhrp network-id 10 !define the NHRP domain; locally significant. When packets arrive on the GRE interface, the network-id assigns them to the right DMVPN.
tunnel source 192.168.78.8 !GRE tunnel source address.
tunnel mode gre multipoint !GRE tunnel mode: mGRE.
tunnel key 43413 !GRE key
SpokeA
!SpokeA
interface Serial1/0
ip address 192.168.17.1 255.255.255.0
ip ospf 1 area 0
!
interface Tunnel1
ip address 172.168.1.1 255.255.255.0
no ip redirects
ip nhrp authentication 43413
ip nhrp map 172.168.1.8 192.168.78.8 !Configures static IP-to-NBMA address mapping on the station.
ip nhrp map multicast 192.168.78.8 !add the NBMA address to which broadcast and multicast packets are sent.
ip nhrp network-id 10 !define the NHRP domain; locally significant. When packets arrive on the GRE interface, the network-id assigns them to the right DMVPN.
ip nhrp nhs 172.168.1.8 !NHS (Next Hop Server) address: the server to which registration packets are sent.
tunnel source 192.168.17.1 !GRE tunnel source address.
tunnel mode gre multipoint
tunnel key 43413
end