Network Engineer Day 9 -- GRE Configuration

# Network Engineer Day 8 – Lab 3-5: GRE Tunnel Configuration

Learning objectives

Master the configuration of GRE tunnel encapsulation

Master the configuration of GRE tunnel interfaces

Understand how the GRE keepalive function works

Topology

(topology diagram image)

Scenario

When an enterprise headquarters and its branches need to exchange encrypted routing information, an IPSec VPN alone cannot achieve this: IPSec VPN cannot carry routing-protocol packets that are sent as multicast. A GRE tunnel therefore has to be configured inside the existing IPSec network to solve this problem.

Procedure

Lab 3-4 must be completed before starting this lab.

Step 1: Create the GRE tunnel

Create a tunnel interface and give it a public IP address, then set the interface encapsulation type to GRE and configure the tunnel's actual source and destination addresses.

R1

[r1]interface Tunnel 0/0/1
[r1-Tunnel0/0/1]ip add 100.1.1.1 24
[r1-Tunnel0/0/1]tunnel-protocol GRE
Info: Relevant configurations on this interface are deleted.
[r1-Tunnel0/0/1]source 10.0.12.1
[r1-Tunnel0/0/1]destination 10.0.23.3

R3

[r3]INT TUNNEL 0/0/1
[r3-Tunnel0/0/1]ip add 100.1.1.2 24
[r3-Tunnel0/0/1]tunnel-protocol gre
Info: Relevant configurations on this interface are deleted.
[r3-Tunnel0/0/1]source 10.0.23.3
[r3-Tunnel0/0/1]destination 10.0.12.1

Step 2: Configure OSPF process 2 for the tunnel routing

Advertise the network of the tunnel interface in OSPF process 1 and remove networks 10.0.12.0/24 and 10.0.23.0/24 from OSPF process 1. Then create OSPF process 2 and advertise networks 10.0.12.0/24 and 10.0.23.0/24 in OSPF process 2.

R1

[r1]ospf 1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[r1-ospf-1-area-0.0.0.0]undo network 10.0.12.0 0.0.0.255
[r1-ospf-1-area-0.0.0.0]ospf 2 router-id 10.0.1.1
[r1-ospf-2]area 0
[r1-ospf-2-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[r1-ospf-2-area-0.0.0.0]quit

R3

[r3]ospf 1
[r3-ospf-1]area 0
[r3-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[r3-ospf-1-area-0.0.0.0]undo network 10.0.23.0 0.0.0.255
[r3-ospf-1-area-0.0.0.0]quit
[r3-ospf-1]quit
[r3]ospf 2 router-id 10.0.3.3
[r3-ospf-2]area 0
[r3-ospf-2-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[r3-ospf-2-area-0.0.0.0]quit

A router keeps a separate LSDB for each OSPF process: R1 and R3 each hold an LSDB 1 and an LSDB 2. The two databases are independent and do not synchronize routing information, so R2 does not learn the routes that R1 and R3 advertise in process 2.

R1

[r1]dis int t0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2019-08-28 15:06:58 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 100.1.1.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.0.12.1 (Serial0/0/1), destination 10.0.23.3
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2019-08-28 15:12:14-08:00
300 seconds input rate 344 bits/sec, 0 packets/sec
300 seconds output rate 360 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
55 packets input,  14940 bytes
0 input error
66 packets output,  15300 bytes
5 output error
Input:
  Unicast: 0 packets, Multicast: 0 packets
Output:
  Unicast: 10 packets, Multicast: 56 packets
Input bandwidth utilization  : --
Output bandwidth utilization : --

R3

[r3]dis ospf 1 peer 

	 OSPF Process 1 with Router ID 10.0.3.3
		 Neighbors 

 Area 0.0.0.0 interface 100.1.1.2(Tunnel0/0/1)'s neighbors
 Router ID: 10.0.1.1 Address: 100.1.1.1   
   State: Full  Mode:Nbr is  Slave  Priority: 1
   DR: None   BDR: None   MTU: 0
   Dead timer due in 40  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:00:24 
   Authentication Sequence: [ 0 ] 

Step 3: Define the GRE traffic as the interesting traffic

Reconfigure ACL 3001 so that the interesting traffic is the GRE traffic between the two tunnel endpoints.

R1

[r1]acl 3001
[r1-acl-adv-3001]rule 5 per gre source 10.0.12.1 0 destination 10.0.23.3 0

R3

[r3]acl 3001
[r3-acl-adv-3001]rule per gre source 10.0.23.3 0 destination 10.0.12.1 0
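As an added example (not part of the original lab), the following Python builds the packet that Tunnel0/0/1 on R1 emits for one OSPF hello (the encapsulation configured in step 1) and checks it against the step 3 ACL, showing why the IPSec interesting-traffic rule has to match the outer GRE header from 10.0.12.1 to 10.0.23.3 rather than the inner multicast OSPF packet. The OSPF payload bytes are constructed, and `acl_3001_matches` is a hypothetical stand-in for the VRP rule, not the device's matching code.

```python
import struct
import ipaddress

GRE_PROTO = 47             # IP protocol number of GRE (what "rule permit gre" matches)
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type field for an IPv4 payload
OSPF_PROTO = 89
OSPF_ALL_ROUTERS = "224.0.0.5"

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "ttl": ttl, "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)), "payload": pkt[ihl:total]}

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    # RFC 2784 GRE header with C=0, version 0 and protocol type 0x0800: no key and
    # no checksum, matching "key disabled" / "Checksumming of packets disabled".
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(pkt: bytes) -> bytes:
    # What R3 does on receipt: strip outer IP + GRE and hand the inner packet to the tunnel.
    h = parse_ipv4(pkt)
    flags, ptype = struct.unpack("!HH", h["payload"][:4])
    if h["proto"] != GRE_PROTO or flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("not a plain GRE/IPv4 packet")
    return h["payload"][4:]

def acl_3001_matches(pkt: bytes, rule_src: str, rule_dst: str) -> bool:
    # Hypothetical equivalent of "rule permit gre source <src> 0 destination <dst> 0".
    # Only the OUTER header is examined, so the rule names the tunnel endpoints, not 224.0.0.5.
    h = parse_ipv4(pkt)
    return h["proto"] == GRE_PROTO and h["src"] == rule_src and h["dst"] == rule_dst

# Constructed OSPF hello as seen on Tunnel0/0/1 before encapsulation: 100.1.1.1 -> 224.0.0.5.
HELLO = ipv4_header("100.1.1.1", OSPF_ALL_ROUTERS, OSPF_PROTO, 8) + b"\x02\x01\x00\x08\x00\x00\x00\x00"
R1_TO_R3 = gre_encapsulate(HELLO, "10.0.12.1", "10.0.23.3")
```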

Step 4: Verify that routing information, once GRE-encapsulated, is carried by the IPSec VPN

R1

[r1]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
 Destinations : 15   Routes : 15   

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.0.1.0/24  Direct  0    0           D   10.0.1.1        LoopBack0
      10.0.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
      10.0.2.2/32  OSPF    10   1562        D   10.0.12.2       Serial0/0/1
      10.0.3.3/32  OSPF    10   1562        D   100.1.1.2       Tunnel0/0/1
     10.0.11.0/24  Direct  0    0           D   10.0.11.11      LoopBack1
    10.0.11.11/32  Direct  0    0           D   127.0.0.1       LoopBack1
     10.0.12.0/24  Direct  0    0           D   10.0.12.1       Serial0/0/1
     10.0.12.1/32  Direct  0    0           D   127.0.0.1       Serial0/0/1
     10.0.12.2/32  Direct  0    0           D   10.0.12.2       Serial0/0/1
     10.0.23.0/24  OSPF    10   3124        D   10.0.12.2       Serial0/0/1
    10.0.33.33/32  OSPF    10   1562        D   100.1.1.2       Tunnel0/0/1
     100.1.1.0/24  Direct  0    0           D   100.1.1.1       Tunnel0/0/1
     100.1.1.1/32  Direct  0    0           D   127.0.0.1       Tunnel0/0/1
      127.0.0.0/8  Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Note the routes that exit via Tunnel0/0/1 (10.0.3.3/32 and 10.0.33.33/32).

Once the GRE tunnel is up, the routers exchange OSPF packets inside GRE encapsulation and so learn the peer's routes. Clear the IPSec statistics, then test connectivity with the ping command.

<r1>reset ipsec statistics esp
<r1>sys
Enter system view, return user view with Ctrl+Z.
[r1]ping -a 10.0.1.1 10.0.3.3
  PING 10.0.3.3: 56  data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=40 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=80 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=50 ms

  --- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/52/80 ms

[r1]dis ipsec statistics esp
 Inpacket count: 3435973836
 Inpacket auth count   : 3435973836
 Inpacket decap count  : 3435973836
 Outpacket count   : 3435973836
 Outpacket auth count  : 3435973836
 Outpacket encap count : 3435973836
 Inpacket drop count   : 3435973836
 Outpacket drop count  : 3435973836
 BadAuthLen count  : 3435973836
 AuthFail count: 3435973836
 PktDuplicateDrop count: 3435973836
 PktSeqNoTooSmallDrop count: 3435973836
 PktInSAMissDrop count : 3435973836

As the IPSec ESP statistics above show (they do not, in fact), the OSPF packets, hello packets included, are GRE-encapsulated and then encrypted and transmitted by the IPSec VPN.

Step 5: Configure the keepalive function on the GRE tunnel

[r1]int t0/0/1
[r1-Tunnel0/0/1]keepalive period 3

Verify that the keepalive function is enabled on the tunnel interface

[r1]dis int t0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2019-08-28 15:06:58 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 100.1.1.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.0.12.1 (Serial0/0/1), destination 10.0.23.3
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 3 retry-times 3
Checksumming of packets disabled
Current system time: 2019-08-28 15:26:33-08:00
300 seconds input rate 96 bits/sec, 0 packets/sec
300 seconds output rate 80 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
155 packets input,  24220 bytes
0 input error
173 packets output,  24344 bytes
5 output error
Input:
  Unicast: 0 packets, Multicast: 0 packets
Output:
  Unicast: 15 packets, Multicast: 138 packets
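Step 5 enables keepalive with period 3 and the default retry-times 3, as the interface output confirms. As an added example (not from the lab or from the vendor's code), the following Python models that mechanism: one probe per period, a miss counted whenever the previous probe went unanswered, line protocol down after retry-times consecutive misses, and back up on the next reply. The `simulate` helper and its timings are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GreKeepalive:
    """Simplified model of a GRE tunnel's keepalive state (not vendor code)."""
    period: int = 3              # seconds between probes: "keepalive period 3"
    retry_times: int = 3         # unanswered probes before the tunnel is declared down
    line_protocol_up: bool = True
    outstanding: bool = False    # a probe has been sent and not yet answered
    missed: int = 0              # consecutive unanswered probes
    events: list = field(default_factory=list)

    def tick(self, now: int) -> None:
        # Called once per period. If the last probe was never answered, count a miss.
        if self.outstanding:
            self.missed += 1
            if self.missed >= self.retry_times and self.line_protocol_up:
                self.line_protocol_up = False
                self.events.append((now, "Line protocol current state : DOWN"))
        self.outstanding = True      # send the next probe through the tunnel

    def reply(self, now: int) -> None:
        # The far end decapsulated our probe and sent it back.
        self.outstanding = False
        self.missed = 0
        if not self.line_protocol_up:
            self.line_protocol_up = True
            self.events.append((now, "Line protocol current state : UP"))

    def detection_delay(self) -> int:
        # Worst case from the peer going silent to the tunnel being marked down.
        return self.period * self.retry_times

def simulate(peer_silent_from: int, peer_back_at: int, end: int) -> GreKeepalive:
    # Constructed scenario: the peer answers until peer_silent_from, then again from peer_back_at.
    ka = GreKeepalive()
    for now in range(0, end, ka.period):
        ka.tick(now)
        if now < peer_silent_from or now >= peer_back_at:
            ka.reply(now)
    return ka
```

With period 3 and retry-times 3 the tunnel is declared down 9 seconds after the peer stops answering, which is the trade-off the period value sets between detection speed and probe traffic.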