Dynamic multipoint ***

一、配置hub-to-spoke tunnel 通信模式

先按照拓撲圖配置好IP，默認路由，DHCP。

Hub:

R1(config)#crypto isakmp policy 1

R1(config-isakmp)#en 3

R1(config-isakmp)#au p

R1(config-isakmp)#ha s

R1(config-isakmp)#gr 2

R1(config-isakmp)#ex

R1(config)#cry isakmp key 0 cisco123 add 0.0.0.0 0.0.0.0

R1(config)#cry ipsec trans myset esp-3des esp-sha-hmac

R1(cfg-crypto-trans)#ex

R1(config)#cry ipsec profile cisco

R1(ipsec-profile)#set trans myset

R1(ipsec-profile)#ex

R1(config)#interface tunnel 1

R1(config-if)#bandwidth 1000

R1(config-if)#ip add 123.123.123.1 255.255.255.0

R1(config-if)#ip mtu 1400

R1(config-if)#no ip redirects

R1(config-if)#ip nhrp authentication ccie

R1(config-if)#ip nhrp map multicast dynamic

R1(config-if)#ip nhrp network-id 10

R1(config-if)#no ip split-horizon eigrp 1

R1(config-if)#tunnel source f0/1

R1(config-if)#tunnel mode gre multipoint

R1(config-if)#tunnel key

*Nov 1 20:22:59.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up

R1(config-if)#tunnel key 10000

R1(config-if)#tunnel protection ipsec profile cisco

R1(config-if)#

*Nov 1 20:23:40.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config-if)#

Spoke:

R3(config)#cry isakmp policy 1

R3(config-isakmp)#en 3

R3(config-isakmp)#au p

R3(config-isakmp)#gr 2

R3(config-isakmp)#ha s

R3(config-isakmp)#ex

R3(config)#cry isakmp key 0 cisco123 add 16.16.16.1

R3(config)#cry ipsec trans myset esp-3 esp-sha-h

R3(cfg-crypto-trans)#ex

R3(config)#crypto ipsec profile cisco

R3(ipsec-profile)#set trans myset

R3(ipsec-profile)#ex

R3(config)#int tunnel 3

R3(config-if)#bandwidth 1000

R3(config-if)#ip add 123.123.123.3 255.255.255.0

R3(config-if)#no ip re

R3(config-if)#no ip redirects

R3(config-if)#ip mtu 1400

R3(config-if)#ip nhrp authentication ccie

R3(config-if)#ip nhrp map multicast dynamic

R3(config-if)#ip nhrp map 123.123.123.1 16.16.16.1

R3(config-if)#ip nhrp map multicast 16.16.16.1

R3(config-if)#ip nhrp net

R3(config-if)#ip nhrp network-id 10

R3(config-if)#ip nhrp nhs

R3(config-if)#ip nhrp nhs 123.123.123.1

R3(config-if)#tunnel source f0/1

R3(config-if)#tunnel mode gre multipoint

R3(config-if)#tunnel key 10000

R3(config-if)#tunnel protection ipsec profile cisco

R3(config-if)#

R2配置同R3。

驗證：

R1#ping 123.123.123.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 123.123.123.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 440/531/588 ms

R1#show ip nhrp brief

Target Via NBMA Mode Intfc Claimed

123.123.123.3/32 123.123.123.3 36.36.36.1 dynamic Tu1 < >

R1#

R1#show cry isakmp peers

Peer: 36.36.36.1 Port: 500 Local: 16.16.16.1

Phase1 id: 36.36.36.1

R3#show ip nhrp bri

Target Via NBMA Mode Intfc Claimed

123.123.123.1/32 123.123.123.1 16.16.16.1 static Tu3 < >

R3#

R3#show cry isakmp peers

Peer: 16.16.16.1 Port: 500 Local: 36.36.36.1

Phase1 id: 16.16.16.1

R3#

在R1、R3上配置EIGRP：

R1(config)#router eigrp 1

R1(config-router)#net 15.0.0.0

R1(config-router)#net 123.0.0.0

R1(config-router)#no au

R1(config-router)#

*Nov 1 20:55:39.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.3 (Tunnel1) is up: new adjacency

R1(config-router)#

*Nov 1 20:55:46.283: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.3 (Tunnel1) is resync: peer graceful-restart

R1(config-router)#

R3(config)#router eigrp 1

R3(config-router)#net 3.0.0.0

R3(config-router)#net 123.0.0.0

R3(config-router)#

*Nov 1 20:55:38.411: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.1 (Tunnel3) is up: new adjacency

R3(config-router)#no au

R3(config-router)#

*Nov 1 20:55:45.103: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.1 (Tunnel3) is resync: summary configured

R3(config-router)#

R5(config)#router eigrp 1

R5(config-router)#net 15.0.0.0

R5(config-router)#ne

*Nov 1 20:59:04.787: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 15.15.15.1 (FastEthernet0/0) is up: new adjacency

R5(config-router)#net 5.0.0.0

R5(config-router)#no au

R5(config-router)#

*Nov 1 20:59:15.039: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 15.15.15.1 (FastEthernet0/0) is resync: summary configured

R5(config-router)#

查看EIGRP令居以及路由表：

R1#show ip eigrp nei

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

1 15.15.15.5 Fa0/0 12 00:00:40 300 1800 0 8

0 123.123.123.3 Tu1 12 00:04:06 834 5000 0 10

R1#

R1#show ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

16.0.0.0/24 is subnetted, 1 subnets

C 16.16.16.0 is directly connected, FastEthernet0/1

3.0.0.0/24 is subnetted, 1 subnets

D 3.3.3.0 [90/15488000] via 123.123.123.3, 00:04:20, Tunnel1

5.0.0.0/24 is subnetted, 1 subnets

D 5.5.5.0 [90/156160] via 15.15.15.5, 00:00:51, FastEthernet0/0

123.0.0.0/24 is subnetted, 1 subnets

C 123.123.123.0 is directly connected, Tunnel1

15.0.0.0/24 is subnetted, 1 subnets

C 15.15.15.0 is directly connected, FastEthernet0/0

S* 0.0.0.0/0 is directly connected, FastEthernet0/1

R1#

R3#show ip route

Gateway of last resort is 36.36.36.6 to network 0.0.0.0

3.0.0.0/24 is subnetted, 1 subnets

C 3.3.3.0 is directly connected, Loopback0

5.0.0.0/24 is subnetted, 1 subnets

D 5.5.5.0 [90/15490560] via 123.123.123.1, 00:01:39, Tunnel3

36.0.0.0/24 is subnetted, 1 subnets

C 36.36.36.0 is directly connected, FastEthernet0/1

123.0.0.0/24 is subnetted, 1 subnets

C 123.123.123.0 is directly connected, Tunnel3

15.0.0.0/24 is subnetted, 1 subnets

D 15.15.15.0 [90/15362560] via 123.123.123.1, 00:05:13, Tunnel3

S* 0.0.0.0/0 [254/0] via 36.36.36.6

R3#

R3#show ip eigrp nei

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 123.123.123.1 Tu3 13 00:06:22 960 5000 0 20

R3#

測試：

R5#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 752/792/844 ms

R5#traceroute 3.3.3.3

Type escape sequence to abort.

Tracing the route to 3.3.3.3

1 15.15.15.1 132 msec 212 msec 236 msec

2 123.123.123.3 748 msec 768 msec 760 msec

R5#

二、配置spoke-to-spoke 通信模式

R1(config)#int tunnel 1

R1(config-if)#no ip ne

R1(config-if)#no ip next-hop-self ?

eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)

R1(config-if)#no ip next-hop-self eigrp 1

R2測試;

R2#traceroute 5.5.5.5

Type escape sequence to abort.

Tracing the route to 5.5.5.5

1 123.123.123.1 512 msec * 500 msec

2 15.15.15.5 788 msec 900 msec 652 msec

R2#show ip route eigrp

3.0.0.0/24 is subnetted, 1 subnets

D 3.3.3.0 [90/28288000] via 123.123.123.3, 00:17:19, Tunnel2

5.0.0.0/24 is subnetted, 1 subnets

D 5.5.5.0 [90/15490560] via 123.123.123.1, 00:17:09, Tunnel2

15.0.0.0/24 is subnetted, 1 subnets

D 15.15.15.0 [90/15362560] via 123.123.123.1, 00:17:09, Tunnel2

R2#

R2#show ip nhrp

123.123.123.1/32 via 123.123.123.1, Tunnel2 created 00:43:25, never expire

Type: static, Flags: nat used

NBMA address: 16.16.16.1

R2#

R2測不出來到R3的連接

R3測試：

R3#traceroute 5.5.5.5

Type escape sequence to abort.

Tracing the route to 5.5.5.5

1 123.123.123.1 580 msec 616 msec 532 msec

2 15.15.15.5 888 msec 732 msec 824 msec

R3#show ip rout eigrp

2.0.0.0/24 is subnetted, 1 subnets

D 2.2.2.0 [90/28288000] via 123.123.123.2, 00:18:56, Tunnel3

5.0.0.0/24 is subnetted, 1 subnets

D 5.5.5.0 [90/15490560] via 123.123.123.1, 00:19:07, Tunnel3

15.0.0.0/24 is subnetted, 1 subnets

D 15.15.15.0 [90/15362560] via 123.123.123.1, 00:19:07, Tunnel3

R3#show ip nhrp

123.123.123.1/32 via 123.123.123.1, Tunnel3 created 01:36:10, never expire

Type: static, Flags: nat used

NBMA address: 16.16.16.1

123.123.123.2/32 via 123.123.123.2, Tunnel3 created 00:17:06, expire 01:55:10

Type: dynamic, Flags: router nat implicit

NBMA address: 26.26.26.1

R3#show ip nhrp brief

Target Via NBMA Mode Intfc Claimed

123.123.123.1/32 123.123.123.1 16.16.16.1 static Tu3 < >

123.123.123.2/32 123.123.123.2 26.26.26.1 dynamic Tu3 < >

R3#

R3上卻能查看到R2的連接。

這個結果很鬱悶。。。。希望高手指點。

R2#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R3#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R3#traceroute 2.2.2.2

Type escape sequence to abort.

Tracing the route to 2.2.2.2

1 * * *

2 * * *

3 * * *

4 * * *

5 * * *

6 * * *

7 * * *

8 * * *

9 * * *

10 * * *

11 * * *

12 * * *

13 * * *

14 * * *

15 * * *

16 * * *

17 * * *

18 * * *

19 * * *

20 * * *

21 * * *

22 * * *

23 * * *

24 * * *

25 * * *

26 * * *

27 * * *

28 * * *

29 * * *

30 * * *

三、測試DM***中的OSPF：

在所有路由器上將EIGRP改爲OSPF

R5(config)#no router eigrp 1

*Nov 1 22:14:04.519: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 15.15.15.1 (FastEthernet0/0) is down: interface down

R5(config)#router ospf 1

R5(config-router)#net 5.5.5.5 0.0.0.0 area 0

R5(config-router)#net 15.15.15.0 0.0.0.255 area 0

R5(config-router)#ex

R1(config)#no router eigrp 1

*Nov 1 22:16:04.383: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.2 (Tunnel1) is down: interface down

*Nov 1 22:16:04.399: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.3 (Tunnel1) is down: interface down

R1(config)#router ospf 1

R1(config-router)#net 16.16.16.0 0.0.0.255 area 0

R1(config-router)#net 15.15.15.0 0.0.0.255 area 0

R1(config-router)#net 123.123.123.0 0.0.0.255 area 0

R2(config)#no router eigrp 1

R2(config)#router ospf 1

R2(config-router)#net 2.2.2.2 0.0.0.0 area 0

R2(config-router)#net 123.123.123.0 0.0.0.255 area 0

R2(config-router)#ex

R3(config)#no router eigrp 1

R3(config)#router ospf 1

R3(config-router)#net 3.3.3.3 0.0.0.0 area 0

R3(config-router)#net 123.123.123.0 0.0.0.255 area 0

結果OSPF令居up and down ：

R1(config-router)#

*Nov 1 22:18:51.923: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done

R1(config-router)#

*Nov 1 22:19:35.071: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired

R1(config-router)#

*Nov 1 22:19:48.391: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=3, sequence number=8504

*Nov 1 22:19:48.587: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3

R1(config-router)#

*Nov 1 22:19:55.363: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done

R1(config-router)#

*Nov 1 22:20:01.783: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset

R1(config-router)#

*Nov 1 22:20:05.415: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from LOADING to FULL, Loading Done

R1(config-router)#

*Nov 1 22:20:23.315: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset

R1(config-router)#

*Nov 1 22:20:26.119: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done

R1(config-router)#

*Nov 1 22:20:31.655: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset

R1(config-router)#

*Nov 1 22:20:34.219: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from LOADING to FULL, Loading Done

R1(config-router)#

*Nov 1 22:20:48.407: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=3, sequence number=13476

*Nov 1 22:20:49.107: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3

R1(config-router)#

*Nov 1 22:21:07.419: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset

R1(config-router)#

*Nov 1 22:21:10.543: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done

這是因爲OSPF默認把mGRE接口定義爲point-to-point類型。

需要在所有路由器mGRE接口上把網絡類型改爲point-to-multipoint ：

R1(config)#int tunnel 1

R1(config-if)#ip ospf network point-to-multipoint

R2(config)#int tunnel 2

R2(config-if)#ip ospf net point-to-multipoint

R3(config)#int tunnel 3

R3(config-if)#ip ospf network point-to-multipoint

結果不理想：

R3#

*Nov 1 22:33:27.695: %OSPF-5-ADJCHG: Process 1, Nbr 123.123.123.1 on Tunnel3 from LOADING to FULL, Loading Done

R3#

*Nov 1 22:35:59.115: %OSPF-5-ADJCHG: Process 1, Nbr 123.123.123.1 on Tunnel3 from LOADING to FULL, Loading Done

R3#

*Nov 1 22:38:46.499: %OSPF-5-ADJCHG: Process 1, Nbr 123.123.123.1 on Tunnel3 from LOADING to FULL, Loading Done

R3#ping 5.5.5.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R3#

R3#traceroute 2.2.2.2

Type escape sequence to abort.

Tracing the route to 2.2.2.2

1 36.36.36.6 288 msec 300 msec 196 msec

2 36.36.36.6 !H * !H

R3#

*Nov 1 22:41:44.091: %OSPF-5-ADJCHG: Process 1, Nbr 123.123.123.1 on Tunnel3 from LOADING to FULL, Loading Done

R3#

R2#traceroute 3.3.3.3

Type escape sequence to abort.

Tracing the route to 3.3.3.3

1 26.26.26.6 252 msec 192 msec 328 msec

2 26.26.26.6 !H * !H

R2#

R2#traceroute 5.5.5.5

Type escape sequence to abort.

Tracing the route to 5.5.5.5

1 26.26.26.6 188 msec 192 msec 192 msec

2 26.26.26.6 !H * *

R2#

R2#ping 5.5.5.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R2#

R1#

*Nov 1 22:47:53.507: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done

*Nov 1 22:49:26.363: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired

R1#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R1#

可知：OSPF下無法實現spoke to spoke tunnel的通信方式。

至於R1和R2、R3之間的OSPF通信問題。有待深究，難道是OSPF口令配置不當？？？

Dynamic multipoint ***

Dynamic LAN-to-LAN ××× 之 Router-to-Router

Router-to-ASA Dynamic LAN-to-LAN ×××

一個很好的cisco IOS 下載站點

Cisco IOS 下一跳解析協議(NHRP)漏洞

我的友情鏈接

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結