IPSec DMVPN High Availability
This part is mainly a lab write-up; the configuration listed below covers only the key parts. The IPSec VPN configuration is common to all scenarios and has nothing special about it, so it is not repeated here; see the appendix.
Single cloud, dual hub
Single cloud, dual hub provides two NHSs inside one DMVPN cloud for redundancy and backup.
Topology
+-------+             +-------+
|Hub--R8|             |Hub--R3|
+-------+             +-------+
     S1/0\               /S1/0
          \             /
           \           /
            \         /
         S1/0\       /S1/3
            +-------+
            |Switch |
            +-------+
         S1/1/       \S1/2
            /         \
           /           \
          /             \
     S1/0/               \S1/0
+--------+           +--------+
|Spoke-R1|           |Spoke-R2|
+--------+           +--------+
IP address plan
R1#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.17.1 YES manual up up
R2#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.27.2 YES manual up up
R3#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.37.3 YES manual up up
R8#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.78.8 YES manual up up
R7#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.78.7 YES manual up up
Serial1/1 192.168.17.7 YES manual up up
Serial1/2 192.168.27.7 YES manual up up
Serial1/3 192.168.37.7 YES manual up up
Configuration
!Hub-R8
interface Tunnel1
 ip address 172.168.1.8 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic !NHRP mappings are created dynamically: the spokes below are learned as they register
 ip nhrp map 172.168.1.3 192.168.37.3 !Hub-2 (R3) is reached through a static mapping
 ip nhrp map multicast 192.168.37.3 !Hub-2 (R3) is reached through a static mapping
 ip nhrp network-id 10
 tunnel source Serial1/0
 tunnel mode gre multipoint
end
!Hub-R3
interface Tunnel1
 ip address 172.168.1.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic !NHRP mappings are created dynamically: the spokes below are learned as they register
 ip nhrp map 172.168.1.8 192.168.78.8 !Hub-1 (R8) is reached through a static mapping
 ip nhrp map multicast 192.168.78.8 !Hub-1 (R8) is reached through a static mapping
 ip nhrp network-id 10
 tunnel source Serial1/0
 tunnel mode gre multipoint
end
!Spoke-R1
interface Tunnel1
 ip address 172.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp map 172.168.1.8 192.168.78.8 !register with Hub-R8
 ip nhrp map 172.168.1.3 192.168.37.3 !register with Hub-R3
 ip nhrp map multicast 192.168.78.8
 ip nhrp map multicast 192.168.37.3
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.3
 ip nhrp nhs 172.168.1.8
 tunnel source Serial1/0
 tunnel mode gre multipoint
end
!Spoke-R2
interface Tunnel1
 ip address 172.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp map 172.168.1.8 192.168.78.8 !register with Hub-R8
 ip nhrp map 172.168.1.3 192.168.37.3 !register with Hub-R3
 ip nhrp map multicast 192.168.78.8
 ip nhrp map multicast 192.168.37.3
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.3
 ip nhrp nhs 172.168.1.8
 tunnel source Serial1/0
 tunnel mode gre multipoint
end
Dual cloud, dual hub
Dual cloud, dual hub provides redundancy with two separate DMVPN clouds (domains): not only is the NHS redundant, the two clouds also ride different ISP links, so a failure of one ISP link is covered as well.
Topology
+-------+                       +-------+
| Hub-R1|                       | Hub-R2|
+-------+                       +-------+
    |S1/0                           |S1/1
    |                               |
    |                               |
    |S1/1                           |S1/2
+-------+                       +-------+
|ISP--R7|                       |ISP--R8|
+-------+S1/4              S1/3 +-------+
|S1/3     \                 /           |S1/4
|          \               /            |
|           \             /             |
|            \           /              |
|             \         /               |
|              \       /                |
|               \     /                 |
|                \   /                  |
|                 \ /                   |
|                  X                    |
|                 / \                   |
|                /   \                  |
|               /     \                 |
|              /       \                |
|             /         \               |
|            /           \              |
|           /             \             |
|          /               \            |
|S1/0     /                 \           |S1/1
+--------+ S1/1           S1/0 +--------+
|Spoke-R3|                     |Spoke-R4|
+--------+                     +--------+
IP address plan
R1#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.17.1 YES manual up up
R2#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.28.2 YES manual up up
R3#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.37.3 YES manual up up
Serial1/1 192.168.38.3 YES manual up up
R4#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.47.4 YES manual up up
Serial1/1 192.168.48.4 YES manual up up
R7#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.17.7 YES manual up up
Serial1/3 192.168.37.7 YES manual up up
Serial1/4 192.168.47.7 YES manual up up
R8#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/2 192.168.28.8 YES manual up up
Serial1/3 192.168.38.8 YES manual up up
Serial1/4 192.168.48.8 YES manual up up
Configuration
!Hub-R1
interface Tunnel1
 ip address 172.168.1.1 255.255.255.0 !tunnel subnet of the DMVPN cloud over ISP-R7
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 10 !different from R2's NHRP network-id
 tunnel source Serial1/0
 tunnel mode gre multipoint
end
!Hub-R2
interface Tunnel1
 ip address 172.168.2.2 255.255.255.0 !tunnel subnet of the DMVPN cloud over ISP-R8
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 20 !different from R1's NHRP network-id
 tunnel source Serial1/1
 tunnel mode gre multipoint
end
!Spoke-R3
interface Tunnel1
 ip address 172.168.1.3 255.255.255.0 !tunnel subnet of the DMVPN cloud over ISP-R7
 no ip redirects
 ip nhrp map 172.168.1.1 192.168.17.1 !register with Hub-R1
 ip nhrp map multicast 192.168.17.1
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.1
 tunnel source Serial1/0
 tunnel mode gre multipoint
!
interface Tunnel2
 ip address 172.168.2.3 255.255.255.0 !tunnel subnet of the DMVPN cloud over ISP-R8
 no ip redirects
 ip nhrp map 172.168.2.2 192.168.28.2 !register with Hub-R2
 ip nhrp map multicast 192.168.28.2
 ip nhrp network-id 20
 ip nhrp nhs 172.168.2.2
 tunnel source Serial1/1
 tunnel mode gre multipoint
end
!Spoke-R4
interface Tunnel1
 ip address 172.168.1.4 255.255.255.0 !tunnel subnet of the DMVPN cloud over ISP-R7
 no ip redirects
 ip nhrp map 172.168.1.1 192.168.17.1 !register with Hub-R1
 ip nhrp map multicast 192.168.17.1
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.1
 tunnel source Serial1/0
 tunnel mode gre multipoint
!
interface Tunnel2
 ip address 172.168.2.4 255.255.255.0 !tunnel subnet of the DMVPN cloud over ISP-R8
 no ip redirects
 ip nhrp map 172.168.2.2 192.168.28.2 !register with Hub-R2
 ip nhrp map multicast 192.168.28.2
 ip nhrp network-id 20
 ip nhrp nhs 172.168.2.2
 tunnel source Serial1/1
 tunnel mode gre multipoint
end
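Both dual-hub designs depend on a handful of NHRP invariants that are easy to break with a single missing line: in the single cloud every device shares one network-id, each hub carries a static unicast and multicast mapping for the other hub, and each spoke lists both hubs under ip nhrp nhs with a matching ip nhrp map and ip nhrp map multicast entry; in the dual cloud a spoke's two tunnels share nothing (network-id, source interface, tunnel subnet, NHS). The Python audit script below is an added example, not part of the original post and not a Cisco tool. It parses the tunnel stanzas shown above (copied here with the comments and the lines the checks do not use removed) and reports every invariant that fails; the function names and message texts are my own.

```python
"""Added example (not from the post): audit the NHRP settings of both dual-hub
designs. parse_tunnels() reads IOS `interface TunnelN` stanzas (`!` starts a comment);
the check_* functions return a list of problems, empty when the design's invariants hold."""
import ipaddress

def parse_tunnels(config):
    """Return {tunnel name: {ip, net, network_id, source, nhs, maps, multicast}}."""
    tunnels, cur = {}, None
    for raw in config.splitlines():
        tok = raw.split("!", 1)[0].split()            # strip comment, tokenize
        if not tok:
            continue
        if tok[0] == "interface":                     # any interface opens a new stanza
            cur = None
            if tok[1].startswith("Tunnel"):
                cur = tunnels.setdefault(tok[1], dict(ip="", net="", network_id="",
                                         source="", nhs=[], maps={}, multicast=set()))
        elif cur is None:
            continue
        elif tok[:2] == ["ip", "address"]:
            cur["ip"] = tok[2]
            cur["net"] = str(ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network)
        elif tok[:3] == ["ip", "nhrp", "network-id"]:
            cur["network_id"] = tok[3]
        elif tok[:3] == ["ip", "nhrp", "nhs"]:
            cur["nhs"].append(tok[3])
        elif tok[:4] == ["ip", "nhrp", "map", "multicast"]:
            cur["multicast"].add(tok[4])              # NBMA address, or "dynamic"
        elif tok[:3] == ["ip", "nhrp", "map"]:
            cur["maps"][tok[3]] = tok[4]              # tunnel IP -> NBMA address
        elif tok[:2] == ["tunnel", "source"]:
            cur["source"] = tok[2]
    return tunnels

def nhs_problems(name, t):
    """Each NHS needs a static unicast map and a multicast map to the same NBMA address."""
    return [f"{name}: NHS {nhs} (NBMA {t['maps'].get(nhs)}) lacks a unicast or multicast map"
            for nhs in t["nhs"] if t["maps"].get(nhs) not in t["multicast"]]

def check_single_cloud(hubs, spokes):
    """Single cloud, dual hub: one network-id everywhere, each hub statically maps
    the other NHS address the spokes use, every spoke lists two reachable NHSs."""
    out = []
    ids = {t["network_id"] for t in [*hubs.values(), *spokes.values()]}
    if len(ids) != 1:
        out.append(f"network-id differs within the cloud: {sorted(ids)}")
    nhs_all = {n for t in spokes.values() for n in t["nhs"]}
    for name, hub in hubs.items():
        for peer in nhs_all - {hub["ip"]}:
            if hub["maps"].get(peer) not in hub["multicast"]:
                out.append(f"{name}: no static unicast+multicast map for peer hub {peer}")
    for name, sp in spokes.items():
        if len(sp["nhs"]) < 2:
            out.append(f"{name}: {len(sp['nhs'])} NHS configured, dual hub needs 2")
        out += nhs_problems(name, sp)
    return out

def check_dual_cloud(spoke):
    """Dual cloud, dual hub: the spoke's two tunnels must share nothing."""
    assert len(spoke) == 2, "a dual-cloud spoke has exactly two tunnel interfaces"
    (n1, a), (n2, b) = spoke.items()
    out = [f"{n1}/{n2} share {k}: {a[k]}" for k in ("network_id", "source", "net")
           if a[k] == b[k]]
    if set(a["nhs"]) & set(b["nhs"]):
        out.append(f"{n1}/{n2} point at the same NHS")
    return out + nhs_problems(n1, a) + nhs_problems(n2, b)

# Stanzas copied from the post (comments and lines the checks do not use omitted).
HUB_R8 = """interface Tunnel1
 ip address 172.168.1.8 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp map 172.168.1.3 192.168.37.3
 ip nhrp map multicast 192.168.37.3
 ip nhrp network-id 10"""
SPOKE_R1 = """interface Tunnel1
 ip address 172.168.1.1 255.255.255.0
 ip nhrp map 172.168.1.8 192.168.78.8
 ip nhrp map 172.168.1.3 192.168.37.3
 ip nhrp map multicast 192.168.78.8
 ip nhrp map multicast 192.168.37.3
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.3
 ip nhrp nhs 172.168.1.8"""
SPOKE_R3 = """interface Tunnel1
 ip address 172.168.1.3 255.255.255.0
 ip nhrp map 172.168.1.1 192.168.17.1
 ip nhrp map multicast 192.168.17.1
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.1
 tunnel source Serial1/0
interface Tunnel2
 ip address 172.168.2.3 255.255.255.0
 ip nhrp map 172.168.2.2 192.168.28.2
 ip nhrp map multicast 192.168.28.2
 ip nhrp network-id 20
 ip nhrp nhs 172.168.2.2
 tunnel source Serial1/1"""
```

Run check_single_cloud({"R8": parse_tunnels(HUB_R8)["Tunnel1"]}, {"R1": parse_tunnels(SPOKE_R1)["Tunnel1"]}) and check_dual_cloud(parse_tunnels(SPOKE_R3)) and both return an empty list for the configurations above. Removing one ip nhrp map multicast line from the spoke yields a single finding naming the affected NHS: the spoke would still register with that hub, but it could no longer send routing-protocol multicast to it, which is exactly the kind of half-working redundancy that only shows up when the other hub fails.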
Hierarchical IPSec DMVPN
The goal is to save NHRP entries within one DMVPN domain. In traditional DMVPN the NHS holds an entry for every NHC, so as the number of NHCs grows, so does the load on the NHS.
The hierarchical topology is therefore designed so that devices that only talk within their own region register with their Branch site alone; nodes that need cross-region communication additionally register with the Center site, which completes the cross-region NHRP resolution. This simplifies the NHRP tables and makes the network more efficient.
Topology
                   +---------+
                   |Center-R5|
                   +---------+
               S1/0|         |S1/1
                   |         |
               S1/5|         |S1/5
         +---------+         +---------+
         |Branch-R7|         |Branch-R8|
         +---------+         +---------+
      S1/1|       |S1/2   S1/3|       |S1/4
          |       |           |       |
          |       |           |       |
      S1/0|       |S1/0   S1/1|       |S1/1
    +--------+ +--------+ +--------+ +--------+
    |Spoke-R1| |Spoke-R2| |Spoke-R3| |Spoke-R4|
    +--------+ +--------+ +--------+ +--------+
IP address plan
R1#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.17.1 YES manual up up
R2#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.27.2 YES manual up up
R3#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.38.3 YES manual up up
R4#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.48.4 YES manual up up
R7#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/1 192.168.17.7 YES manual up up
Serial1/2 192.168.27.7 YES manual up up
Serial1/5 192.168.57.7 YES manual up up
R8#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/3 192.168.38.8 YES manual up up
Serial1/4 192.168.48.8 YES manual up up
Serial1/5 192.168.58.8 YES manual up up
R5#show ip int br
Interface IP-Address OK? Method Status Protocol
Serial1/0 192.168.57.5 YES manual up up
Serial1/1 192.168.58.5 YES manual up up
Configuration
!Spoke-R1
interface Tunnel1
 ip address 172.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp map 172.168.1.7 7.7.7.7 !register with R7 so that R1 and R2 can reach each other in both directions
 ip nhrp map multicast 7.7.7.7
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.7
 tunnel source Serial1/0
 tunnel mode gre multipoint
end
!Spoke-R2
interface Tunnel1
 ip address 172.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp map 172.168.1.7 7.7.7.7 !register with R7 so that R1 and R2 can reach each other in both directions
 ip nhrp map multicast 7.7.7.7
 ip nhrp map 172.168.1.5 5.5.5.5 !register with R5 so that R2 and R4 can reach each other in both directions
 ip nhrp map multicast 5.5.5.5
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.7
 ip nhrp nhs 172.168.1.5
 tunnel source Serial1/0
 tunnel mode gre multipoint
end
!Spoke-R3
interface Tunnel1
 ip address 172.168.1.3 255.255.255.0
 no ip redirects
 ip nhrp map 172.168.1.8 8.8.8.8 !register with R8 so that R3 and R4 can reach each other in both directions
 ip nhrp map multicast 8.8.8.8
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.8
 tunnel source Serial1/1
 tunnel mode gre multipoint
end
!Spoke-R4
interface Tunnel1
 ip address 172.168.1.4 255.255.255.0
 no ip redirects
 ip nhrp map 172.168.1.8 8.8.8.8 !register with R8 so that R3 and R4 can reach each other in both directions
 ip nhrp map multicast 8.8.8.8
 ip nhrp map 172.168.1.5 5.5.5.5 !register with R5 so that R2 and R4 can reach each other in both directions
 ip nhrp map multicast 5.5.5.5
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.8
 ip nhrp nhs 172.168.1.5
 tunnel source Serial1/1
 tunnel mode gre multipoint
end
!Branch-R7
interface Tunnel1
 ip address 172.168.1.7 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic !R7 itself acts as NHS and accepts the registrations of R1 and R2
 ip nhrp map 172.168.1.5 5.5.5.5 !register with Center-R5 so that R7 and R8 can reach each other in both directions
 ip nhrp map multicast 5.5.5.5
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.5
 tunnel source 7.7.7.7 !NBMA address of R7, not listed in the address plan above
 tunnel mode gre multipoint
end
!Branch-R8
interface Tunnel1
 ip address 172.168.1.8 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic !R8 itself acts as NHS and accepts the registrations of R3 and R4
 ip nhrp map 172.168.1.5 5.5.5.5 !register with Center-R5 so that R7 and R8 can reach each other in both directions
 ip nhrp map multicast 5.5.5.5
 ip nhrp network-id 10
 ip nhrp nhs 172.168.1.5
 tunnel source 8.8.8.8 !NBMA address of R8, not listed in the address plan above
 tunnel mode gre multipoint
end
!Center-R5
interface Tunnel1
 ip address 172.168.1.5 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source 5.5.5.5 !NBMA address of R5, not listed in the address plan above
 tunnel mode gre multipoint
end
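To see which spoke pairs the registrations above actually support, here is a small Python model of the NHRP resolution chain. It is an added example, not code from the post or from Cisco. A node asks its NHS for the NBMA address of a peer; the NHS answers from its registrations or forwards the request to its own NHS. Real IOS forwards resolution requests along the routing table and, in phase 3, adds redirects, so this is a simplification that keeps only the registration chain, which is what the hierarchical design relies on. The registrations are those in the configuration above; NODES, build_caches, resolve, bidirectional and cross_region_matrix are my names.

```python
"""Added example (not from the post): a simplified model of NHRP resolution in the
hierarchical design. Each node registers its tunnel IP with the NHSs it lists under
`ip nhrp nhs`; a node needing a peer's NBMA address asks its NHS, which answers from
its registrations or forwards the request up to its own NHS. Real IOS also consults
the routing table and uses phase-3 redirects; only the registration chain is kept here."""

# Registrations taken from the post's configuration:
# tunnel IP -> (NBMA address, NHS tunnel IPs the node registers with)
NODES = {
    "172.168.1.1": ("192.168.17.1", ["172.168.1.7"]),                 # Spoke-R1
    "172.168.1.2": ("192.168.27.2", ["172.168.1.7", "172.168.1.5"]),  # Spoke-R2
    "172.168.1.3": ("192.168.38.3", ["172.168.1.8"]),                 # Spoke-R3
    "172.168.1.4": ("192.168.48.4", ["172.168.1.8", "172.168.1.5"]),  # Spoke-R4
    "172.168.1.7": ("7.7.7.7", ["172.168.1.5"]),                      # Branch-R7
    "172.168.1.8": ("8.8.8.8", ["172.168.1.5"]),                      # Branch-R8
    "172.168.1.5": ("5.5.5.5", []),                                   # Center-R5
}

def build_caches(nodes):
    """NHRP cache of every node after registration: {node: {tunnel IP: NBMA}}.
    An NHS learns each client that registers; a client holds a static map for its NHS."""
    cache = {ip: {} for ip in nodes}
    for ip, (nbma, nhs_list) in nodes.items():
        for nhs in nhs_list:
            cache[nhs][ip] = nbma
            cache[ip][nhs] = nodes[nhs][0]
    return cache

def resolve(nodes, cache, src, dst, visited=None):
    """Path of nodes a resolution request for dst visits, starting at src and ending
    at the node whose cache answers it; None when the NHS chain runs out first."""
    visited = visited if visited is not None else set()
    if dst in cache[src]:
        return [src]
    visited.add(src)
    for nhs in nodes[src][1]:                   # model choice: try the NHSs in listed order
        if nhs not in visited:
            path = resolve(nodes, cache, nhs, dst, visited)
            if path:
                return [src] + path
    return None

def bidirectional(nodes, cache, a, b):
    """True when each side can resolve the other, which two-way traffic requires."""
    return resolve(nodes, cache, a, b) is not None and resolve(nodes, cache, b, a) is not None

def cross_region_matrix(nodes, cache, spokes):
    """{(a, b): reachable} for every unordered spoke pair."""
    return {(a, b): bidirectional(nodes, cache, a, b) for a in spokes for b in spokes if a < b}

if __name__ == "__main__":
    cache = build_caches(NODES)
    spokes = [f"172.168.1.{i}" for i in range(1, 5)]
    for pair, ok in cross_region_matrix(NODES, cache, spokes).items():
        print(pair, "ok" if ok else "no resolution path")
```

Running it shows that only the pairs the post's comments name (R1-R2, R2-R4, R3-R4) resolve in both directions. R1 does reach R4 through R7 and then R5, but R4 cannot resolve R1, because R1 never registered with the Center and R5 has no NHS of its own to forward to; R1-R3 has no path at all. Any spoke that must talk across regions therefore has to register with Center-R5 as well, which is exactly what R2 and R4 do.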
Appendix
crypto ikev2 keyring cisco-ikev2-keyring !configure the IKEv2 keyring
 peer dmvpn-node !configure a peer and its associated keys
  description symmetric pre-shared key for the hub/spoke
  address 0.0.0.0 0.0.0.0 !peers are dynamic, so the wildcard 0.0.0.0 matches any of them: every hub and spoke shares this single key
  pre-shared-key cisco123 !configure the pre-shared key "cisco123"
!
!
crypto ikev2 profile cisco-ikev2-profile !configure the IKEv2 profile
 match identity remote address 0.0.0.0 !peers are dynamic, so the wildcard 0.0.0.0 matches any remote identity
 authentication remote pre-share !both sides authenticate with the pre-shared key
 authentication local pre-share !both sides authenticate with the pre-shared key
 keyring local cisco-ikev2-keyring !reference the keyring configured above
!
crypto ipsec transform-set cisco-ts esp-3des esp-md5-hmac !configure the transform set (esp-3des and esp-md5-hmac are legacy algorithms; a current deployment would use AES with SHA-2, e.g. esp-aes 256 esp-sha256-hmac)
 mode tunnel
!
crypto ipsec profile cisco-ipsec-ikev2 !configure the IPsec profile
 set transform-set cisco-ts !reference the transform set configured above
 set ikev2-profile cisco-ikev2-profile !reference the IKEv2 profile, which in turn references the keyring
!
interface Tunnel1
 tunnel protection ipsec profile cisco-ipsec-ikev2 !apply under the tunnel interface to protect the traffic on the tunnel
References
- 《IPSecVPN实战指南》 (IPSec VPN Practical Guide), section 7.4, the two DMVPN high-availability designs