Lab verification:
Check NHRP on the hub:
r1#sh ip nhrp
123.123.123.2/32 via 123.123.123.2, Tunnel0 created 00:35:47, expire 01:24:12
Type: dynamic, Flags: unique registered // R1's entry for R2 is dynamic (learned from R2's NHRP registration)
NBMA address: 26.26.26.2
123.123.123.3/32 via 123.123.123.3, Tunnel0 created 00:35:27, expire 01:24:32
Type: dynamic, Flags: unique nat registered // R1's entry for R3 is dynamic; the nat flag means R3's registration carried the NHRP NAT extension, as a spoke behind NAT sends
NBMA address: 36.36.36.11
Check the mapping between tunnel (overlay) addresses and the real WAN (NBMA) addresses. This output was captured on a different run of the lab (it shows Tunnel1 and other NBMA addresses and timers), so its values do not line up with the output above:
r1#sh ip nhrp dynamic
123.123.123.2/32 via 123.123.123.2, Tunnel1 created 00:07:34, expire 01:52:25
Type: dynamic, Flags: unique registered
NBMA address: 26.26.26.10
123.123.123.3/32 via 123.123.123.3, Tunnel1 created 00:02:53, expire 01:57:06
Type: dynamic, Flags: unique nat registered
NBMA address: 36.36.36.10
r2#sh ip nhrp
123.123.123.1/32 via 123.123.123.1, Tunnel0 created 00:39:53, never expire
Type: static, Flags: used // R2's entry for R1 is static: the spoke maps the hub's tunnel address to the hub's fixed WAN address in its configuration, which is why it never expires
NBMA address: 16.16.16.1
123.123.123.3/32 via 123.123.123.3, Tunnel0 created 00:32:54, expire 01:27:07
Type: dynamic, Flags: router // R2's entry for R3 is dynamic (learned through NHRP resolution); R3's WAN interface address is obtained via DHCP, so it could not be mapped statically anyway
NBMA address: 36.36.36.11
r2#sh ip nhrp nhs // check the NHRP server (NHS) the spoke registers with
Legend:
E=Expecting replies
R=Responding
Tunnel0:
123.123.123.1 RE
Note: NHS state RE means the hub is responding to the spoke's registration requests and the two can communicate; a state of E alone means the spoke is sending registrations but has received no reply, so the tunnel is not usable yet.
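To repeat the NHRP checks above across many spokes, a script can parse the two outputs directly. The following Python is an added example written for this article, not code from the lab or from Cisco; the sample outputs are constructed from the hub and spoke displays above, and the NHS sample deliberately shows the E-only state so that the check fires.

```python
"""Parse `show ip nhrp` / `show ip nhrp nhs` from a DMVPN router.

Added example for this lab write-up; not Cisco code and not the lab's own
scripts.  The sample outputs below are constructed from the page.
"""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(
    r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) via (?P<nexthop>\d+\.\d+\.\d+\.\d+), "
    r"(?P<tunnel>Tunnel\d+) created \S+, (?P<expire>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<kind>\w+), Flags: (?P<flags>.*)$")
NBMA_RE = re.compile(r"^NBMA address: (?P<nbma>\d+\.\d+\.\d+\.\d+)$")
NHS_RE = re.compile(r"^(?P<nhs>\d+\.\d+\.\d+\.\d+)\s+(?P<state>[ER]+)$")


@dataclass
class NhrpEntry:
    prefix: str            # tunnel (overlay) address, e.g. 123.123.123.2/32
    tunnel: str            # interface the mapping lives on
    expire: str            # "expire hh:mm:ss", or "never expire" for a static map
    kind: str = ""         # "static" (configured) or "dynamic" (registration/resolution)
    nbma: str = ""         # real WAN address of that peer
    flags: set = field(default_factory=set)


def parse_show_ip_nhrp(text):
    """Return one NhrpEntry per mapping; trailing `// comment` text is ignored."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if m := ENTRY_RE.match(line):
            cur = NhrpEntry(m["prefix"], m["tunnel"], m["expire"])
            entries.append(cur)
        elif cur and (m := TYPE_RE.match(line)):
            cur.kind, cur.flags = m["kind"], set(m["flags"].split())
        elif cur and (m := NBMA_RE.match(line)):
            cur.nbma = m["nbma"]
    return entries


def nbma_map(entries):
    """Overlay tunnel address -> NBMA address, the mapping `sh ip nhrp dynamic` is read for."""
    return {e.prefix.split("/")[0]: e.nbma for e in entries}


def parse_show_ip_nhrp_nhs(text):
    """{nhs address: state letters}; 'RE' = hub responding, 'E' alone = no reply yet."""
    return {m["nhs"]: m["state"] for raw in text.splitlines()
            if (m := NHS_RE.match(raw.strip()))}


def nhrp_findings(entries, nhs_states):
    """Things worth a second look during DMVPN verification."""
    out = []
    for e in entries:
        if e.kind == "dynamic" and "nat" in e.flags:
            out.append(f"{e.prefix}: registered with the NHRP NAT extension (NBMA {e.nbma})")
        if e.kind == "dynamic" and not e.nbma:
            out.append(f"{e.prefix}: dynamic entry without NBMA address")
    for nhs, state in nhs_states.items():
        if "R" not in state:
            out.append(f"NHS {nhs}: state {state}, registrations sent but hub not responding")
    return out


# Constructed from the hub (R1) and spoke (R2) outputs on the page.
HUB_NHRP = """\
123.123.123.2/32 via 123.123.123.2, Tunnel0 created 00:35:47, expire 01:24:12
  Type: dynamic, Flags: unique registered
  NBMA address: 26.26.26.2
123.123.123.3/32 via 123.123.123.3, Tunnel0 created 00:35:27, expire 01:24:32
  Type: dynamic, Flags: unique nat registered
  NBMA address: 36.36.36.11
"""
SPOKE_NHRP = """\
123.123.123.1/32 via 123.123.123.1, Tunnel0 created 00:39:53, never expire
  Type: static, Flags: used
  NBMA address: 16.16.16.1
"""
# Constructed: the failure state (E without R) rather than the page's healthy RE.
SPOKE_NHS_BROKEN = """\
Legend:
  E=Expecting replies
  R=Responding
Tunnel0:
123.123.123.1  E
"""

if __name__ == "__main__":
    hub = parse_show_ip_nhrp(HUB_NHRP)
    print(nbma_map(hub))
    for finding in nhrp_findings(hub, parse_show_ip_nhrp_nhs(SPOKE_NHS_BROKEN)):
        print("finding:", finding)
```

The NHS check is the one to automate first: a spoke whose NHS stays at E is exactly the "tunnel up, nothing works" case, and it is visible before any routing-protocol symptom.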
r1#sh crypto isakmp sa // check the IKE phase 1 SA state; QM_IDLE with status ACTIVE means phase 1 has completed with that peer
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
16.16.16.1 26.26.26.2 QM_IDLE 1004 0 ACTIVE
16.16.16.1 36.36.36.11 QM_IDLE 1005 0 ACTIVE
IPv6 Crypto ISAKMP SA
r1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 16.16.16.1
// Below is the IPsec SA between R1 and branch router R3
protected vrf: (none)
local ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (36.36.36.11/255.255.255.255/47/0)
current_peer 36.36.36.11 port 500
PERMIT, flags={origin_is_acl,}
// If EIGRP or OSPF advertises the WAN (underlay) routes, the packet counts here become absurdly large. I was stuck on exactly this point in this lab; packets were being sent by the thousands per second!!
// (Advertising the tunnel endpoints' WAN prefixes into the IGP that runs over the tunnel makes the tunnel destination reachable through the tunnel itself, i.e. recursive routing; the counters below are where it shows up.)
#pkts encaps: 655, #pkts encrypt: 655, #pkts digest: 655 // outbound: packets encapsulated, encrypted and authenticated
#pkts decaps: 637, #pkts decrypt: 637, #pkts verify: 637 // inbound: packets decapsulated, decrypted and integrity-verified
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 36.36.36.11
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x22777EBC(578256572)
inbound esp sas:
spi: 0xFD9D2BBA(4254935994)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 11, flow_id: 11, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4482964/800)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x22777EBC(578256572)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 12, flow_id: 12, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4482961/799)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
// Below is the IPsec SA between headquarters (R1) and branch router R2
protected vrf: (none)
local ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (26.26.26.2/255.255.255.255/47/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 660, #pkts encrypt: 660, #pkts digest: 660
#pkts decaps: 646, #pkts decrypt: 646, #pkts verify: 646
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x6534D52F(1697961263)
inbound esp sas:
spi: 0xAF5F100C(2942242828)
transform: esp-3des esp-sha-hmac , // transform set: 3DES encryption with SHA-1 HMAC integrity. 3DES is a legacy 64-bit-block cipher; in production use AES (esp-aes or, better, esp-gcm) and a SHA-2 HMAC
in use settings ={Transport, } // transport mode: ESP follows the outer IP header of the GRE packet; the identities above (protocol 47) show that GRE is what is being protected
conn id: 7, flow_id: 7, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4418390/788)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6534D52F(1697961263)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 8, flow_id: 8, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4418386/788)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE // SA status is active
outbound ah sas:
outbound pcp sas:
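The two IPsec blocks above can also be checked mechanically. The Python below is an added example, not the lab's own material and not Cisco code: it parses `show crypto ipsec sa` into per-peer records, flags the legacy 3DES transform seen here and a disabled replay window, and, given two samples taken a known interval apart, computes the per-peer encapsulation rate that exposes the runaway packet counts described above. The first sample is constructed from the R1/R3 block; the "10 seconds later" sample inflates the outbound counters by assumption.

```python
"""Parse `show crypto ipsec sa` from a DMVPN router and run two checks.

Added example for this write-up; not Cisco code and not the lab's own scripts.
SAMPLE_T0 is constructed from the R1<->R3 block on the page; SAMPLE_T10 is the
same block "10 seconds later" with the outbound counters inflated by assumption
to mimic the recursive-routing symptom the page describes.
"""
import re

PEER_RE = re.compile(r"^current_peer (?P<peer>\d+\.\d+\.\d+\.\d+) port \d+$")
CNT_RE = re.compile(r"#pkts (?P<name>encaps|decaps|encrypt|decrypt|digest|verify): (?P<n>\d+)")
XFORM_RE = re.compile(r"^transform: (?P<xf>.+?)\s*,?$")
MODE_RE = re.compile(r"in use settings =\{(?P<mode>\w+),")
SPI_RE = re.compile(r"^spi: 0x(?P<spi>[0-9A-Fa-f]+)\(\d+\)$")
REPLAY_RE = re.compile(r"^replay detection support: (?P<yn>[YN])$")
STATUS_RE = re.compile(r"^Status: (?P<st>\w+)$")

# DES/3DES (64-bit block) and MD5 have no place in a new transform set.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}


def parse_ipsec_sa(text):
    """{peer: {"counters", "spi", "transform", "mode", "replay", "status"}}."""
    peers, cur, direction = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PEER_RE.match(line):
            cur = peers.setdefault(m["peer"], {"counters": {}, "spi": {}, "transform": [],
                                               "mode": None, "replay": None, "status": None})
            direction = None
            continue
        if cur is None:
            continue
        for m in CNT_RE.finditer(line):          # several counters share one line
            cur["counters"][m["name"]] = int(m["n"])
        if line.startswith("inbound esp sas"):
            direction = "inbound"
        elif line.startswith("outbound esp sas"):
            direction = "outbound"
        elif direction and (m := SPI_RE.match(line)):
            cur["spi"][direction] = int(m["spi"], 16)
        elif m := XFORM_RE.match(line):
            cur["transform"] = m["xf"].split()
        elif m := MODE_RE.search(line):
            cur["mode"] = m["mode"]
        elif m := REPLAY_RE.match(line):
            cur["replay"] = m["yn"] == "Y"
        elif m := STATUS_RE.match(line):
            cur["status"] = m["st"]
    return peers


def ipsec_findings(peers):
    """Hygiene checks on parsed SAs: legacy transforms, replay window off, SA not ACTIVE."""
    out = []
    for peer, sa in sorted(peers.items()):
        legacy = [t for t in sa["transform"] if t in LEGACY_TRANSFORMS]
        if legacy:
            out.append(f"{peer}: legacy transform {' '.join(legacy)}; prefer esp-gcm or esp-aes with esp-sha256-hmac")
        if sa["replay"] is False:
            out.append(f"{peer}: replay detection disabled")
        if sa["status"] != "ACTIVE":
            out.append(f"{peer}: SA status {sa['status']}")
    return out


def encap_rate(before, after, interval_s):
    """Outbound packets per second per peer between two samples taken interval_s apart."""
    rates = {}
    for peer, sa in after.items():
        prev = before.get(peer, {}).get("counters", {}).get("encaps", 0)
        rates[peer] = (sa["counters"].get("encaps", 0) - prev) / interval_s
    return rates


# Constructed from the R1<->R3 block on the page (compression lines omitted).
SAMPLE_T0 = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 16.16.16.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (16.16.16.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (36.36.36.11/255.255.255.255/47/0)
   current_peer 36.36.36.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 655, #pkts encrypt: 655, #pkts digest: 655
    #pkts decaps: 637, #pkts decrypt: 637, #pkts verify: 637
    #send errors 0, #recv errors 0
     current outbound spi: 0x22777EBC(578256572)
     inbound esp sas:
      spi: 0xFD9D2BBA(4254935994)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0x22777EBC(578256572)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE
"""
# Constructed: 15,000 more outbound packets in 10 s, the runaway counter case.
SAMPLE_T10 = SAMPLE_T0.replace(
    "#pkts encaps: 655, #pkts encrypt: 655, #pkts digest: 655",
    "#pkts encaps: 15655, #pkts encrypt: 15655, #pkts digest: 15655")

if __name__ == "__main__":
    t0, t10 = parse_ipsec_sa(SAMPLE_T0), parse_ipsec_sa(SAMPLE_T10)
    print(ipsec_findings(t0))
    print(encap_rate(t0, t10, 10))   # packets/second per peer
```

A healthy idle DMVPN tunnel carries only routing-protocol hellos and NHRP registrations, so an encapsulation rate in the hundreds or thousands of packets per second with no user traffic is the signal to look for an underlay prefix leaking into the overlay IGP.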
Lab notes and summary:
If the EIGRP neighbor state is still unstable during the lab, try shutting down all the tunnel interfaces, then bring the hub's tunnel back up (no shutdown) first and the spokes' tunnels afterwards.
Checking the routing tables also shows that every router learned the others' internal (LAN) routes. If split horizon is not disabled on the hub's tunnel interface (no ip split-horizon eigrp 1), R2 and R3 never learn each other's routes and naturally cannot communicate.
If the hub is not also configured with no ip next-hop-self eigrp 1, EIGRP's default of rewriting the next hop to itself stays in effect: R2 learns R3's routes with the next hop 123.123.123.1 (the tunnel address of headquarters router R1), so spoke-to-spoke communication is impossible and R2 and R3 can only reach each other through R1.
If OSPF is run instead, there is no equivalent of these knobs: with the point-to-multipoint network type the tunnel needs here (see below), every route is installed with the hub as next hop, so spoke-to-spoke traffic keeps transiting the hub.
Remove the EIGRP configuration, configure OSPF and advertise the tunnel and LAN addresses. When OSPF is used to exchange the internal routes, ip ospf network point-to-multipoint on the tunnel interfaces is mandatory; otherwise the neighbor relationships are very unstable.
Check a branch routing table, using R2 as an example:
r2#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/11112] via 123.123.123.1, 00:00:24, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/22223] via 123.123.123.1, 00:00:24, Tunnel0
123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O 123.123.123.3/32 [110/22222] via 123.123.123.1, 00:00:24, Tunnel0
O 123.123.123.1/32 [110/11111] via 123.123.123.1, 00:00:24, Tunnel0
The next hop to branch R3 points to R1, so R2 can reach R3 only through R1, which adds load on the hub!
r2#traceroute 3.3.3.3 source 2.2.2.2
Type escape sequence to abort.
Tracing the route to 3.3.3.3
1 123.123.123.1 12 msec 24 msec 12 msec
2 123.123.123.3 20 msec * 36 msec
The traffic is forwarded by R1 first and only then reaches R3.
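The routing table and the traceroute show the same thing from two angles: R2's path to anything at R3 goes through R1. The Python below is an added example, not from the lab and not Cisco code, that parses a spoke's `show ip route` output and classifies each tunnel-learned route as hub-transit or direct. The OSPF sample is R2's table from above; the EIGRP sample is a constructed table for a hub running `no ip split-horizon eigrp 1` and `no ip next-hop-self eigrp 1`, where the next hop of R3's LAN route is R3's own tunnel address.

```python
"""Classify a spoke's tunnel routes as direct spoke-to-spoke or hub-transit.

Added example (not the lab's own material).  OSPF_R2 is constructed from R2's
table on the page; EIGRP_R2 is a constructed table for a hub with split horizon
and next-hop-self both disabled, so the metrics and timers are assumptions.
"""
import re

SUBNETTED_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/(?P<mask>\d+) is subnetted")
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z]{1,2}(?: [A-Z]{1,2})?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nexthop>\d+\.\d+\.\d+\.\d+), \S+, (?P<iface>\S+)$")


def parse_routes(text):
    """Routes from `show ip route [ospf|eigrp]`, re-attaching the mask of 'is subnetted' blocks."""
    routes, block_mask = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUBNETTED_RE.match(line):
            block_mask = m["mask"]
            continue
        if m := ROUTE_RE.match(line):
            prefix = m["prefix"]
            if "/" not in prefix:              # classful line inside an 'is subnetted' block
                prefix = f"{prefix}/{block_mask or '32'}"
            routes.append({"proto": m["proto"], "prefix": prefix, "nexthop": m["nexthop"],
                           "metric": int(m["metric"]), "iface": m["iface"]})
    return routes


def classify_paths(routes, hub_tunnel_ip, hub_prefixes=()):
    """{prefix: 'hub' | 'hub-transit' | 'direct'} for every route learned over a Tunnel interface.

    'hub'         the hub's tunnel address or a prefix behind the hub: the hub is rightly the next hop
    'hub-transit' another site's prefix whose next hop is the hub: spoke-to-spoke traffic transits R1
    'direct'      next hop is the remote spoke's tunnel address: direct spoke-to-spoke path
    """
    result = {}
    for r in routes:
        if not r["iface"].startswith("Tunnel"):
            continue
        if r["prefix"] == f"{hub_tunnel_ip}/32" or r["prefix"] in set(hub_prefixes):
            result[r["prefix"]] = "hub"
        elif r["nexthop"] == hub_tunnel_ip:
            result[r["prefix"]] = "hub-transit"
        else:
            result[r["prefix"]] = "direct"
    return result


def hub_transit_prefixes(classified):
    """Prefixes for which this spoke still sends traffic through the hub."""
    return sorted(p for p, kind in classified.items() if kind == "hub-transit")


# Constructed from R2's `sh ip route ospf` on the page.
OSPF_R2 = """\
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11112] via 123.123.123.1, 00:00:24, Tunnel0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/22223] via 123.123.123.1, 00:00:24, Tunnel0
     123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       123.123.123.3/32 [110/22222] via 123.123.123.1, 00:00:24, Tunnel0
O       123.123.123.1/32 [110/11111] via 123.123.123.1, 00:00:24, Tunnel0
"""
# Constructed: EIGRP hub with `no ip split-horizon eigrp 1` and `no ip next-hop-self eigrp 1`.
EIGRP_R2 = """\
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/27008000] via 123.123.123.1, 00:05:12, Tunnel0
     3.0.0.0/32 is subnetted, 1 subnets
D       3.3.3.3 [90/28288000] via 123.123.123.3, 00:05:10, Tunnel0
"""

if __name__ == "__main__":
    for name, table in (("OSPF p2mp", OSPF_R2), ("EIGRP no next-hop-self", EIGRP_R2)):
        paths = classify_paths(parse_routes(table), "123.123.123.1", {"1.1.1.1/32"})
        print(name, paths, "hub-transit:", hub_transit_prefixes(paths))
```

The hub's own prefixes have to be passed in (here 1.1.1.1/32) because a route to the hub's LAN legitimately has the hub as next hop; only routes to other spokes' prefixes with the hub as next hop are the hub-transit paths that the traceroute above confirmed.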