Lab verification:
Check NHRP on the hub:
r1#sh ip nhrp
123.123.123.2/32 via 123.123.123.2, Tunnel0 created 00:35:47, expire 01:24:12
Type: dynamic, Flags: unique registered // R1's entry for R2 is dynamic (learned from R2's NHRP registration)
NBMA address: 26.26.26.2
123.123.123.3/32 via 123.123.123.3, Tunnel0 created 00:35:27, expire 01:24:32
Type: dynamic, Flags: unique nat registered // R1's entry for R3 is dynamic; the nat flag shows that R3 registered through a NAT device, so the NBMA address below is the post-NAT address the hub sees
NBMA address: 36.36.36.11
Check the mapping from tunnel addresses to real (NBMA) IP addresses; the dynamic keyword restricts the output to entries learned through NHRP registration or resolution:
r1#sh ip nhrp dynamic
123.123.123.2/32 via 123.123.123.2, Tunnel1 created 00:07:34, expire 01:52:25
Type: dynamic, Flags: unique registered
NBMA address: 26.26.26.10
123.123.123.3/32 via 123.123.123.3, Tunnel1 created 00:02:53, expire 01:57:06
Type: dynamic, Flags: unique nat registered
NBMA address: 36.36.36.10
r2#sh ip nhrp
123.123.123.1/32 via 123.123.123.1, Tunnel0 created 00:39:53, never expire
Type: static, Flags: used // R2's entry for R1 is static: the spoke is configured with a static NHRP mapping to the hub, which is why the hub's WAN (NBMA) address must be fixed
NBMA address: 16.16.16.1
123.123.123.3/32 via 123.123.123.3, Tunnel0 created 00:32:54, expire 01:27:07
Type: dynamic, Flags: router // R2's entry for R3 is dynamic; R3's WAN address is obtained via DHCP, so it can only be learned through NHRP
NBMA address: 36.36.36.11
r2#sh ip nhrp nhs // check the NHRP server (NHS) state from the spoke
Legend:
E=Expecting replies
R=Responding
Tunnel0:
123.123.123.1 RE
Note: NHS state RE means the hub is Responding to this spoke's registrations and the two sides can communicate; E alone means the spoke has sent registration requests and is still Expecting replies, so the tunnel is not usable yet.
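As an added example (not part of the original lab notes), the following Python parses the two outputs above into records and applies the checks a hub operator cares about: which spokes registered from behind NAT, which mappings are static, and whether every NHS has actually responded (R present) rather than merely being polled (E only). The sample text is copied from the outputs above; the record and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the hub's "show ip nhrp", spoke R2's "show ip nhrp" entry for
# the hub, and spoke R2's "show ip nhrp nhs", all as shown above (IOS indentation kept).
HUB_NHRP = """\
123.123.123.2/32 via 123.123.123.2, Tunnel0 created 00:35:47, expire 01:24:12
  Type: dynamic, Flags: unique registered
  NBMA address: 26.26.26.2
123.123.123.3/32 via 123.123.123.3, Tunnel0 created 00:35:27, expire 01:24:32
  Type: dynamic, Flags: unique nat registered
  NBMA address: 36.36.36.11
"""
SPOKE_NHRP = """\
123.123.123.1/32 via 123.123.123.1, Tunnel0 created 00:39:53, never expire
  Type: static, Flags: used
  NBMA address: 16.16.16.1
"""
SPOKE_NHS = """\
Legend:
  E=Expecting replies
  R=Responding
Tunnel0:
  123.123.123.1  RE
"""

@dataclass
class NhrpEntry:
    prefix: str
    next_hop: str           # tunnel (overlay) address of the peer
    tunnel: str
    expire: str             # "never" for static mappings
    type: str = ""
    flags: list = field(default_factory=list)
    nbma: str = ""          # real (underlay) address the packets are sent to

ENTRY_RE = re.compile(
    r"^(\S+/\d+) via (\S+), (Tunnel\d+) created \S+, (?:expire (\S+)|(never) expire)$")

def parse_nhrp(text):
    """Turn 'show ip nhrp' output into NhrpEntry records (one per mapping)."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := ENTRY_RE.match(line):
            entries.append(NhrpEntry(m[1], m[2], m[3], m[4] or m[5]))
        elif entries and (m := re.match(r"Type: (\w+), Flags: (.*)$", line)):
            entries[-1].type, entries[-1].flags = m[1], m[2].split()
        elif entries and (m := re.match(r"NBMA address: (\S+)", line)):
            entries[-1].nbma = m[1]
    return entries

def spokes_behind_nat(entries):
    """Tunnel addresses whose registration carried the NHRP NAT extension."""
    return [e.next_hop for e in entries if "nat" in e.flags]

def static_mappings(entries):
    """NBMA addresses reached through configured (static) mappings, i.e. the hubs."""
    return [e.nbma for e in entries if e.type == "static"]

def parse_nhs(text):
    """'show ip nhrp nhs' -> {NHS tunnel address: state letters}."""
    states = {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"^(\d+\.\d+\.\d+\.\d+)\s+([A-Z]+)$", line):
            states[m[1]] = m[2]
    return states

def unresponsive_nhs(states):
    """NHS entries that never answered a registration (no R in the state)."""
    return [nhs for nhs, st in states.items() if "R" not in st]

if __name__ == "__main__":
    hub = parse_nhrp(HUB_NHRP)
    for e in hub:
        print(f"{e.next_hop:16} -> {e.nbma:14} {e.type:8} flags={' '.join(e.flags)} expire={e.expire}")
    print("spokes behind NAT:", spokes_behind_nat(hub))
    print("static NHS mappings on spoke:", static_mappings(parse_nhrp(SPOKE_NHRP)))
    print("NHS not responding:", unresponsive_nhs(parse_nhs(SPOKE_NHS)) or "none")
```

Run it against real output by pasting `show ip nhrp` and `show ip nhrp nhs` into the two strings; a spoke whose NHS shows only E for more than one registration interval is the first thing to look at when the tunnel "is up" but nothing flows.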
r1#sh crypto isakmp sa // check the IKE phase 1 SA state
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
16.16.16.1 26.26.26.2 QM_IDLE 1004 0 ACTIVE
16.16.16.1 36.36.36.11 QM_IDLE 1005 0 ACTIVE
IPv6 Crypto ISAKMP SA
r1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 16.16.16.1
// IPsec SA between R1 (headquarters) and branch R3
protected vrf: (none)
local ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (36.36.36.11/255.255.255.255/47/0)
current_peer 36.36.36.11 port 500
PERMIT, flags={origin_is_acl,}
// If EIGRP or OSPF advertises the WAN routes, the packet counts here become enormous; this is exactly where I was stuck for a long time in this lab, with packets being sent by the thousands per second!!
#pkts encaps: 655, #pkts encrypt: 655, #pkts digest: 655 // outbound: packets encapsulated, encrypted and authenticated
#pkts decaps: 637, #pkts decrypt: 637, #pkts verify: 637 // inbound: packets decapsulated, decrypted and verified
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 36.36.36.11
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x22777EBC(578256572)
inbound esp sas:
spi: 0xFD9D2BBA(4254935994)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 11, flow_id: 11, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4482964/800)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x22777EBC(578256572)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 12, flow_id: 12, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4482961/799)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
// IPsec SA between headquarters (R1) and branch R2
protected vrf: (none)
local ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 660, #pkts encrypt: 660, #pkts digest: 660
#pkts decaps: 646, #pkts decrypt: 646, #pkts verify: 646
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x6534D52F(1697961263)
inbound esp sas:
spi: 0xAF5F100C(2942242828)
transform: esp-3des esp-sha-hmac , // transform set: 3DES with HMAC-SHA-1. Acceptable in a lab, but 3DES is a deprecated 64-bit block cipher; production deployments should use AES-GCM
in use settings ={Transport, } // transport mode: the GRE packet is the payload, and only protocol 47 between the two NBMA addresses is protected (see the idents above)
conn id: 7, flow_id: 7, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4418390/788)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6534D52F(1697961263)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 8, flow_id: 8, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4418386/788)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE // the SA is ACTIVE
outbound ah sas:
outbound pcp sas:
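The `show crypto ipsec sa` output above is long and repeats itself per peer, so checking it by eye is error-prone. As an added example (my own code, not part of the original lab), the following Python splits the output into one record per peer and audits each: the transform set (flagging DES, 3DES, MD5 and null ESP; 3DES is a 64-bit block cipher and is subject to the Sweet32 birthday attack), the SA status, anti-replay, error counters, one-way traffic (encaps or decaps stuck at zero), and whether the proxy identities are GRE-only host-to-host as DMVPN expects. The sample is an excerpt of R1's output above, trimmed to the lines the parser reads; the record and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: R1's "show crypto ipsec sa" from above, cut down to the lines this
# parser reads (peers, counters, SPIs and transforms are the page's own values).
SHOW_CRYPTO_IPSEC_SA = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (36.36.36.11/255.255.255.255/47/0)
   current_peer 36.36.36.11 port 500
    #pkts encaps: 655, #pkts encrypt: 655, #pkts digest: 655
    #pkts decaps: 637, #pkts decrypt: 637, #pkts verify: 637
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xFD9D2BBA(4254935994)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0x22777EBC(578256572)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
   current_peer 26.26.26.2 port 500
    #pkts encaps: 660, #pkts encrypt: 660, #pkts digest: 660
    #pkts decaps: 646, #pkts decrypt: 646, #pkts verify: 646
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xAF5F100C(2942242828)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE
"""

@dataclass
class PeerSa:
    peer: str = ""
    local_ident: str = ""
    remote_ident: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    spis: dict = field(default_factory=dict)      # "inbound"/"outbound" -> SPI
    transforms: set = field(default_factory=set)
    modes: set = field(default_factory=set)       # Transport or Tunnel
    replay: set = field(default_factory=set)
    statuses: set = field(default_factory=set)

def parse_ipsec_sa(text):
    """One PeerSa per 'protected vrf' block of 'show crypto ipsec sa'."""
    peers, direction = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("protected vrf:"):
            peers.append(PeerSa()); direction = None
            continue
        if not peers:
            continue                       # header lines before the first SA
        sa = peers[-1]
        if m := re.match(r"current_peer (\S+)", line): sa.peer = m[1]
        elif m := re.match(r"local\s+ident .*\((.*)\)", line): sa.local_ident = m[1]
        elif m := re.match(r"remote ident .*\((.*)\)", line): sa.remote_ident = m[1]
        elif m := re.match(r"#pkts encaps: (\d+)", line): sa.encaps = int(m[1])
        elif m := re.match(r"#pkts decaps: (\d+)", line): sa.decaps = int(m[1])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa.send_errors, sa.recv_errors = int(m[1]), int(m[2])
        elif line.startswith(("inbound esp sas", "outbound esp sas")): direction = line.split()[0]
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line): sa.spis[direction] = m[1]
        elif m := re.match(r"transform: (.*?)\s*,?$", line): sa.transforms.add(m[1])
        elif m := re.match(r"in use settings =\{(\w+)", line): sa.modes.add(m[1])
        elif m := re.match(r"replay detection support: (\w)", line): sa.replay.add(m[1])
        elif m := re.match(r"Status: (\w+)", line): sa.statuses.add(m[1])
    return peers

WEAK = {"esp-des": "56-bit DES", "esp-3des": "3DES, 64-bit block (Sweet32)",
        "esp-md5-hmac": "HMAC-MD5", "esp-null": "no confidentiality"}

def gre_only(sa):
    """True when both identities are host-to-host, protocol 47 only, as DMVPN expects."""
    return all(i.endswith("/255.255.255.255/47/0") for i in (sa.local_ident, sa.remote_ident))

def audit(sa):
    """Findings for one peer SA; an empty list means nothing to flag."""
    f = [f"{sa.peer}: weak transform {alg} ({WEAK[alg]}); prefer esp-gcm 256"
         for t in sa.transforms for alg in t.split() if alg in WEAK]
    if sa.statuses != {"ACTIVE"}:
        f.append(f"{sa.peer}: SA status {sorted(sa.statuses)}")
    if "N" in sa.replay:
        f.append(f"{sa.peer}: anti-replay disabled")
    if sa.send_errors or sa.recv_errors:
        f.append(f"{sa.peer}: send/recv errors {sa.send_errors}/{sa.recv_errors}")
    if sa.encaps == 0 or sa.decaps == 0:
        f.append(f"{sa.peer}: one-way traffic (encaps={sa.encaps}, decaps={sa.decaps})")
    if not gre_only(sa):
        f.append(f"{sa.peer}: identities not GRE-only: {sa.local_ident} <-> {sa.remote_ident}")
    return f

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SHOW_CRYPTO_IPSEC_SA):
        print(sa.peer, sorted(sa.modes), sa.spis, audit(sa))
```

On the output above both peers are healthy apart from the transform set: traffic flows in both directions, no errors, anti-replay on, identities are GRE host-to-host. The only finding is the 3DES transform, which is exactly the thing a lab configuration tends to carry into production unnoticed.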
Lab notes and summary:
If the EIGRP neighbour state is still unstable during the lab, try shutting down all tunnel interfaces, then no shut the hub first and the spokes afterwards.
The routing tables also show that everyone has learned everyone else's LAN routes. If the hub has not disabled split horizon (no ip split-horizon eigrp 1 on the tunnel interface), R2 and R3 never learn each other's routes and therefore cannot communicate.
If the hub lacks no ip next-hop-self eigrp 1, EIGRP keeps its default behaviour of rewriting the next hop of the routes it readvertises: R2 learns R3's routes with next hop 123.123.123.1 (headquarters R1's tunnel interface), spoke-to-spoke communication is impossible, and R2 and R3 can only talk through R1.
OSPF has no equivalent of these two knobs. With the point-to-multipoint network type used below, routes to another spoke's networks always point at the hub, so spoke-to-spoke communication cannot be achieved this way. (The usual alternative, not tested in this lab, is ip ospf network broadcast on the tunnels with ip ospf priority 0 on the spokes, so the hub is always the DR and the originating spoke remains the next hop.)
Remove the EIGRP configuration, configure OSPF, and advertise the tunnel and LAN addresses. When OSPF is used to exchange the LAN routes over the tunnel, ip ospf network point-to-multipoint on the tunnel interface is mandatory; without it the neighbour relationship is very unstable.
Check a branch routing table, R2 for example:
r2#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/11112] via 123.123.123.1, 00:00:24, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/22223] via 123.123.123.1, 00:00:24, Tunnel0
123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O 123.123.123.3/32 [110/22222] via 123.123.123.1, 00:00:24, Tunnel0
O 123.123.123.1/32 [110/11111] via 123.123.123.1, 00:00:24, Tunnel0
The next hop to branch R3 points to R1, so R2 can reach R3 only through R1, which adds load on the hub!
r2#traceroute 3.3.3.3 source 2.2.2.2
Type escape sequence to abort.
Tracing the route to 3.3.3.3
1 123.123.123.1 12 msec 24 msec 12 msec
2 123.123.123.3 20 msec * 36 msec
// the traffic is forwarded by R1 before it reaches R3
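Whether spoke-to-spoke traffic hairpins through the hub can be read off the spoke's routing table: every prefix learned over the tunnel whose next hop is the hub, and which is not one of the hub's own networks, will transit the hub. As an added example (my own code, not from the lab), the following Python parses `show ip route` output, lists those prefixes, and confirms the traceroute. The OSPF sample and traceroute are the outputs above; the EIGRP sample is constructed (metrics invented) to show what the same spoke reports once the hub runs `no ip next-hop-self eigrp 1` and R3's tunnel address is preserved as next hop. The hub tunnel address and the hub's LAN prefix are passed in, since the table alone does not say which router owns a prefix.

```python
import re
from dataclasses import dataclass

# Constructed samples: spoke R2's "show ip route ospf" and traceroute from above.
R2_ROUTES_OSPF = """\
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11112] via 123.123.123.1, 00:00:24, Tunnel0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/22223] via 123.123.123.1, 00:00:24, Tunnel0
     123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       123.123.123.3/32 [110/22222] via 123.123.123.1, 00:00:24, Tunnel0
O       123.123.123.1/32 [110/11111] via 123.123.123.1, 00:00:24, Tunnel0
"""
R2_TRACE = """\
Type escape sequence to abort.
Tracing the route to 3.3.3.3
  1 123.123.123.1 12 msec 24 msec 12 msec
  2 123.123.123.3 20 msec *  36 msec
"""
# Constructed (not from the page): the same spoke after the hub is configured with
# "no ip next-hop-self eigrp 1". EIGRP now keeps R3's tunnel address as next hop.
R2_ROUTES_EIGRP_FIXED = """\
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/27008000] via 123.123.123.1, 00:01:10, Tunnel0
     3.0.0.0/32 is subnetted, 1 subnets
D       3.3.3.3 [90/28288000] via 123.123.123.3, 00:01:10, Tunnel0
"""

@dataclass
class Route:
    code: str          # O, D, O IA, D EX, ...
    prefix: str        # always with a mask, e.g. 3.3.3.3/32
    next_hop: str
    interface: str

# Route code may be one or two tokens ("O", "O IA", "D EX"); the subnet header supplies
# the mask when the child line omits it.
ROUTE_RE = re.compile(r"^([A-Z]\S*(?: [A-Z]\S*)?)\s+(\d[\d./]+) \[\d+/\d+\] via (\S+), \S+, (\S+)$")
HDR_RE = re.compile(r"^\S+/(\d+) is (variably )?subnetted")

def parse_routes(text):
    """Parse IOS 'show ip route' lines, inheriting the mask from 'is subnetted' headers."""
    routes, inherited_mask = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := HDR_RE.match(line):
            inherited_mask = None if m[2] else m[1]   # "variably subnetted": children carry their own mask
        elif m := ROUTE_RE.match(line):
            prefix = m[2] if "/" in m[2] else f"{m[2]}/{inherited_mask}"
            routes.append(Route(m[1], prefix, m[3], m[4]))
    return routes

def hub_transit_prefixes(routes, hub_tunnel_ip, hub_prefixes=()):
    """Prefixes reached via the hub that are not the hub's own networks.
    Each one is spoke-to-spoke traffic that will hairpin through the hub."""
    own = set(hub_prefixes) | {f"{hub_tunnel_ip}/32"}
    return [r.prefix for r in routes if r.next_hop == hub_tunnel_ip and r.prefix not in own]

def traceroute_hops(text):
    """Hop addresses from IOS traceroute output, in order."""
    return [m[1] for line in text.splitlines()
            if (m := re.match(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)", line))]

if __name__ == "__main__":
    HUB, HUB_LAN = "123.123.123.1", {"1.1.1.1/32"}
    print("OSPF p2mp, hairpinning via hub:",
          hub_transit_prefixes(parse_routes(R2_ROUTES_OSPF), HUB, HUB_LAN))
    print("EIGRP without next-hop-self, hairpinning via hub:",
          hub_transit_prefixes(parse_routes(R2_ROUTES_EIGRP_FIXED), HUB, HUB_LAN))
    hops = traceroute_hops(R2_TRACE)
    print("traceroute first hop is the hub:", hops[0] == HUB, hops)
```

With the OSPF table from the page the check returns 3.3.3.3/32 and 123.123.123.3/32, i.e. both of R3's prefixes transit R1, which the traceroute confirms; with the corrected EIGRP table the list is empty.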