Dynamic Multipoint VPN (DMVPN)
1. Configure hub-to-spoke tunnel communication mode (all spoke traffic goes through the hub)
First configure the IP addresses, default routes and DHCP according to the topology diagram (not reproduced here). The addressing, as it can be read from the outputs below: hub r1 uses f0/1 16.16.16.1 as the tunnel source (its NBMA address) and f0/0 15.15.15.1 towards r5 (15.15.15.5, loopback 5.5.5.5); spoke r3 uses f0/1 36.36.36.1 with default gateway 36.36.36.6 and loopback 3.3.3.3; spoke r2 uses 26.26.26.1 with default gateway 26.26.26.6 and loopback 2.2.2.2; the mGRE tunnel subnet is 123.123.123.0/24 (.1 hub, .2 r2, .3 r3).
hub:
r1(config)#crypto isakmp policy 1
r1(config-isakmp)#encryption 3des
r1(config-isakmp)#authentication pre-share
r1(config-isakmp)#hash sha
r1(config-isakmp)#group 2
r1(config-isakmp)#exit
r1(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
r1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
r1(cfg-crypto-trans)#exit
r1(config)#crypto ipsec profile cisco
r1(ipsec-profile)#set transform-set myset
r1(ipsec-profile)#exit
r1(config)#interface tunnel 1
r1(config-if)#bandwidth 1000
r1(config-if)#ip address 123.123.123.1 255.255.255.0
r1(config-if)#ip mtu 1400
r1(config-if)#no ip redirects
r1(config-if)#ip nhrp authentication ccie
r1(config-if)#ip nhrp map multicast dynamic
r1(config-if)#ip nhrp network-id 10
r1(config-if)#no ip split-horizon eigrp 1
r1(config-if)#tunnel source f0/1
r1(config-if)#tunnel mode gre multipoint
*nov 1 20:22:59.571: %lineproto-5-updown: line protocol on interface tunnel1, changed state to up
r1(config-if)#tunnel key 10000
r1(config-if)#tunnel protection ipsec profile cisco
r1(config-if)#
*nov 1 20:23:40.239: %crypto-6-isakmp_on_off: isakmp is on
A note on the crypto choices before moving on: 3DES, SHA-1 (`hash sha`) and DH group 2 are what this lab uses; on current IOS use AES (or AES-GCM), `hash sha256` and `group 14` or higher. The wildcard key (`address 0.0.0.0 0.0.0.0`) is what lets spokes with unknown or dynamic addresses register with the hub, but it also means any host that learns `cisco123` can negotiate IKE with the hub. `ip nhrp authentication` is a cleartext string carried in NHRP packets and is not a security control; the protection comes from `tunnel protection ipsec profile`.
spoke:
r3(config)#crypto isakmp policy 1
r3(config-isakmp)#encryption 3des
r3(config-isakmp)#authentication pre-share
r3(config-isakmp)#group 2
r3(config-isakmp)#hash sha
r3(config-isakmp)#exit
r3(config)#crypto isakmp key 0 cisco123 address 16.16.16.1
r3(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
r3(cfg-crypto-trans)#exit
r3(config)#crypto ipsec profile cisco
r3(ipsec-profile)#set transform-set myset
r3(ipsec-profile)#exit
r3(config)#interface tunnel 3
r3(config-if)#bandwidth 1000
r3(config-if)#ip address 123.123.123.3 255.255.255.0
r3(config-if)#no ip redirects
r3(config-if)#ip mtu 1400
r3(config-if)#ip nhrp authentication ccie
r3(config-if)#ip nhrp map multicast dynamic
r3(config-if)#ip nhrp map 123.123.123.1 16.16.16.1
r3(config-if)#ip nhrp map multicast 16.16.16.1
r3(config-if)#ip nhrp network-id 10
r3(config-if)#ip nhrp nhs 123.123.123.1
r3(config-if)#tunnel source f0/1
r3(config-if)#tunnel mode gre multipoint
r3(config-if)#tunnel key 10000
r3(config-if)#tunnel protection ipsec profile cisco
r3(config-if)#
r2 is configured the same way as r3, with interface tunnel 2, tunnel address 123.123.123.2 and NBMA address 26.26.26.1.
Verification:
r1#ping 123.123.123.3
type escape sequence to abort.
sending 5, 100-byte icmp echos to 123.123.123.3, timeout is 2 seconds:
!!!!!
success rate is 100 percent (5/5), round-trip min/avg/max = 440/531/588 ms
r1#show ip nhrp brief
target via nbma mode intfc claimed
123.123.123.3/32 123.123.123.3 36.36.36.1 dynamic tu1 < >
r1#
r1#show cry isakmp peers
peer: 36.36.36.1 port: 500 local: 16.16.16.1
phase1 id: 36.36.36.1
r3#show ip nhrp bri
123.123.123.1/32 123.123.123.1 16.16.16.1 static tu3 < >
r3#
r3#show cry isakmp peers
peer: 16.16.16.1 port: 500 local: 36.36.36.1
phase1 id: 16.16.16.1
Configure EIGRP on r1, r3 and r5 (auto-summary is disabled so that the loopback /24s are not summarised to classful networks):
r1(config)#router eigrp 1
r1(config-router)#network 15.0.0.0
r1(config-router)#network 123.0.0.0
r1(config-router)#no auto-summary
r1(config-router)#
*nov 1 20:55:39.539: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 123.123.123.3 (tunnel1) is up: new adjacency
*nov 1 20:55:46.283: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 123.123.123.3 (tunnel1) is resync: peer graceful-restart
r3(config)#router eigrp 1
r3(config-router)#network 3.0.0.0
r3(config-router)#network 123.0.0.0
r3(config-router)#
*nov 1 20:55:38.411: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 123.123.123.1 (tunnel3) is up: new adjacency
r3(config-router)#no auto-summary
*nov 1 20:55:45.103: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 123.123.123.1 (tunnel3) is resync: summary configured
r5(config)#router eigrp 1
r5(config-router)#network 15.0.0.0
*nov 1 20:59:04.787: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 15.15.15.1 (fastethernet0/0) is up: new adjacency
r5(config-router)#network 5.0.0.0
r5(config-router)#no auto-summary
r5(config-router)#
*nov 1 20:59:15.039: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 15.15.15.1 (fastethernet0/0) is resync: summary configured
Check the EIGRP neighbors and the routing tables:
r1#show ip eigrp nei
ip-eigrp neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   15.15.15.5              fa0/0             12 00:00:40  300  1800  0  8
0   123.123.123.3           tu1               12 00:04:06  834  5000  0  10
r1#show ip route
gateway of last resort is 0.0.0.0 to network 0.0.0.0
16.0.0.0/24 is subnetted, 1 subnets
c 16.16.16.0 is directly connected, fastethernet0/1
3.0.0.0/24 is subnetted, 1 subnets
d 3.3.3.0 [90/15488000] via 123.123.123.3, 00:04:20, tunnel1
5.0.0.0/24 is subnetted, 1 subnets
d 5.5.5.0 [90/156160] via 15.15.15.5, 00:00:51, fastethernet0/0
123.0.0.0/24 is subnetted, 1 subnets
c 123.123.123.0 is directly connected, tunnel1
15.0.0.0/24 is subnetted, 1 subnets
c 15.15.15.0 is directly connected, fastethernet0/0
s* 0.0.0.0/0 is directly connected, fastethernet0/1
r3#show ip route
gateway of last resort is 36.36.36.6 to network 0.0.0.0
c 3.3.3.0 is directly connected, loopback0
d 5.5.5.0 [90/15490560] via 123.123.123.1, 00:01:39, tunnel3
36.0.0.0/24 is subnetted, 1 subnets
c 36.36.36.0 is directly connected, fastethernet0/1
c 123.123.123.0 is directly connected, tunnel3
d 15.15.15.0 [90/15362560] via 123.123.123.1, 00:05:13, tunnel3
s* 0.0.0.0/0 [254/0] via 36.36.36.6
r3#show ip eigrp nei
ip-eigrp neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   123.123.123.1           tu3               13 00:06:22  960  5000  0  20
Test:
r5#ping 3.3.3.3
sending 5, 100-byte icmp echos to 3.3.3.3, timeout is 2 seconds:
success rate is 100 percent (5/5), round-trip min/avg/max = 752/792/844 ms
r5#traceroute 3.3.3.3
tracing the route to 3.3.3.3
1 15.15.15.1 132 msec 212 msec 236 msec
2 123.123.123.3 748 msec 768 msec 760 msec
r5#
2. Configure spoke-to-spoke communication mode
Split horizon was already disabled on the hub's tunnel interface in part 1, so the hub re-advertises one spoke's routes to the other. What remains is to stop the hub from rewriting the EIGRP next hop to itself: with `no ip next-hop-self`, a spoke sees the other spoke's tunnel address as the next hop, resolves that address through NHRP (via the hub) to the peer's NBMA address, and can build a direct spoke-to-spoke tunnel (DMVPN phase 2):
r1(config)#int tunnel 1
r1(config-if)#no ip next-hop-self ?
  eigrp  enhanced interior gateway routing protocol (eigrp)
r1(config-if)#no ip next-hop-self eigrp 1
Test from r2:
r2#traceroute 5.5.5.5
tracing the route to 5.5.5.5
1 123.123.123.1 512 msec * 500 msec
2 15.15.15.5 788 msec 900 msec 652 msec
r2#show ip route eigrp
d 3.3.3.0 [90/28288000] via 123.123.123.3, 00:17:19, tunnel2
d 5.5.5.0 [90/15490560] via 123.123.123.1, 00:17:09, tunnel2
d 15.15.15.0 [90/15362560] via 123.123.123.1, 00:17:09, tunnel2
r2#
r2#show ip nhrp
123.123.123.1/32 via 123.123.123.1, tunnel2 created 00:43:25, never expire
type: static, flags: nat used
nbma address: 16.16.16.1
On r2, no NHRP entry for r3 shows up (only the static mapping for the hub), even though the route to 3.3.3.0 now carries 123.123.123.3 as next hop.
Test from r3:
r3#traceroute 5.5.5.5
1 123.123.123.1 580 msec 616 msec 532 msec
2 15.15.15.5 888 msec 732 msec 824 msec
r3#show ip rout eigrp
2.0.0.0/24 is subnetted, 1 subnets
d 2.2.2.0 [90/28288000] via 123.123.123.2, 00:18:56, tunnel3
d 5.5.5.0 [90/15490560] via 123.123.123.1, 00:19:07, tunnel3
d 15.15.15.0 [90/15362560] via 123.123.123.1, 00:19:07, tunnel3
r3#show ip nhrp
123.123.123.1/32 via 123.123.123.1, tunnel3 created 01:36:10, never expire
123.123.123.2/32 via 123.123.123.2, tunnel3 created 00:17:06, expire 01:55:10
type: dynamic, flags: router nat implicit
nbma address: 26.26.26.1
r3#show ip nhrp brief
123.123.123.2/32 123.123.123.2 26.26.26.1 dynamic tu3 < >
Yet on r3 the dynamic entry for r2 (NBMA 26.26.26.1) is visible. An NHRP mapping is not the same thing as a working tunnel, though: the spoke-to-spoke path also needs an IKE/IPsec SA directly between r2 (26.26.26.1) and r3 (36.36.36.1), and the spoke configuration above binds its pre-shared key to the hub address 16.16.16.1 only, so neither spoke has a key for the other's NBMA address. `show crypto isakmp sa` on r2 and r3 shows whether a spoke-to-spoke IKE SA was ever established; a wildcard key, or one key per spoke NBMA address, on the spokes is the usual fix.
This result is frustrating... I hope an expert can point out what is wrong.
r2#ping 3.3.3.3
.....
success rate is 0 percent (0/5)
r3#ping 2.2.2.2
sending 5, 100-byte icmp echos to 2.2.2.2, timeout is 2 seconds:
r3#traceroute 2.2.2.2
tracing the route to 2.2.2.2
  1 * * *
  2 * * *
  ... (every hop up to 30 times out the same way)
 30 * * *
3. Testing OSPF in DMVPN
Replace EIGRP with OSPF on all routers:
r5(config)#no router eigrp 1
*nov 1 22:14:04.519: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 15.15.15.1 (fastethernet0/0) is down: interface down
r5(config)#router ospf 1
r5(config-router)#net 5.5.5.5 0.0.0.0 area 0
r5(config-router)#net 15.15.15.0 0.0.0.255 area 0
r5(config-router)#ex
r1(config)#no router eigrp 1
*nov 1 22:16:04.383: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 123.123.123.2 (tunnel1) is down: interface down
*nov 1 22:16:04.399: %dual-5-nbrchange: ip-eigrp(0) 1: neighbor 123.123.123.3 (tunnel1) is down: interface down
r1(config)#router ospf 1
r1(config-router)#net 16.16.16.0 0.0.0.255 area 0
r1(config-router)#net 15.15.15.0 0.0.0.255 area 0
r1(config-router)#net 123.123.123.0 0.0.0.255 area 0
r2(config)#no router eigrp 1
r2(config)#router ospf 1
r2(config-router)#net 2.2.2.2 0.0.0.0 area 0
r2(config-router)#net 123.123.123.0 0.0.0.255 area 0
r2(config-router)#ex
r3(config)#no router eigrp 1
r3(config)#router ospf 1
r3(config-router)#net 3.3.3.3 0.0.0.0 area 0
r3(config-router)#net 123.123.123.0 0.0.0.255 area 0
Result: the OSPF neighbors on the hub keep going up and down:
*nov 1 22:18:51.923: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from loading to full, loading done
*nov 1 22:19:35.071: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from full to down, neighbor down: dead timer expired
*nov 1 22:19:48.391: %crypto-4-pkt_replay_err: decrypt: replay check failed
connection id=3, sequence number=8504
*nov 1 22:19:48.587: %crypto-4-recvd_pkt_mac_err: decrypt: mac verify failed for connection id=3
*nov 1 22:19:55.363: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from loading to full, loading done
*nov 1 22:20:01.783: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from full to down, neighbor down: adjacency forced to reset
*nov 1 22:20:05.415: %ospf-5-adjchg: process 1, nbr 3.3.3.3 on tunnel1 from loading to full, loading done
*nov 1 22:20:23.315: %ospf-5-adjchg: process 1, nbr 3.3.3.3 on tunnel1 from full to down, neighbor down: adjacency forced to reset
*nov 1 22:20:26.119: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from loading to full, loading done
*nov 1 22:20:31.655: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from full to down, neighbor down: adjacency forced to reset
*nov 1 22:20:34.219: %ospf-5-adjchg: process 1, nbr 3.3.3.3 on tunnel1 from loading to full, loading done
*nov 1 22:20:48.407: %crypto-4-pkt_replay_err: decrypt: replay check failed
connection id=3, sequence number=13476
*nov 1 22:20:49.107: %crypto-4-recvd_pkt_mac_err: decrypt: mac verify failed for connection id=3
*nov 1 22:21:07.419: %ospf-5-adjchg: process 1, nbr 3.3.3.3 on tunnel1 from full to down, neighbor down: adjacency forced to reset
*nov 1 22:21:10.543: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from loading to full, loading done
This is because OSPF treats a tunnel interface, an mGRE one included, as network type point-to-point by default. A point-to-point interface holds a single adjacency, so on the hub's one tunnel1 the two spokes keep pre-empting each other, which is what the "adjacency forced to reset" messages show. The `%crypto-4-pkt_replay_err` and `%crypto-4-recvd_pkt_mac_err` messages for connection id=3 are a separate symptom: packets on that IPsec SA are failing the anti-replay window or the integrity check and are dropped; `show crypto ipsec sa detail` (its replay-failed and verify-failed counters) is the place to check that independently of OSPF.
The network type needs to be changed to point-to-multipoint on the mGRE interface of every router:
r1(config-if)#ip ospf network point-to-multipoint
r2(config)#int tunnel 2
r2(config-if)#ip ospf net point-to-multipoint
r3(config-if)#ip ospf network point-to-multipoint
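Added here as a worked example (not code from the original post): a small Python correlation over the hub's syslog that pairs each FULL with the next DOWN per neighbor, detects the "one adjacency at a time" pre-emption pattern between two spokes on the same interface, and counts the IPsec replay/MAC failures per connection id separately, since those belong to the SA and not to OSPF. The sample lines are constructed from the log above; the timestamp layout and the wrapped crypto message are IOS `service timestamps log datetime msec` behaviour, and the 10-second pre-emption window is this example's own assumption.

```python
"""Correlate Cisco IOS syslog: OSPF adjacency flaps and IPsec decrypt errors.
Added example for this page, not the original post's code. The sample below is
constructed from the hub's log above (IOS 'service timestamps log datetime
msec' format; the leading '*' means the clock is not authoritative)."""
import re
from datetime import datetime

LINE_RE = re.compile(r"^\*?(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
                     r"%([a-z0-9_]+)-(\d)-([a-z0-9_]+): (.*)$", re.I)
ADJ_RE = re.compile(r"nbr (\S+) on (\S+) from (\w+) to (\w+)", re.I)
CONN_RE = re.compile(r"connection id=(\d+)", re.I)

def parse_log(text):
    """One dict per syslog event; a line without a timestamp continues the
    previous event (IOS wraps long crypto messages that way)."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"),
                           "facility": m.group(2).lower(), "severity": int(m.group(3)),
                           "mnemonic": m.group(4).lower(), "msg": m.group(5)})
        elif line and events:
            events[-1]["msg"] += " " + line
    return events

def _adjacency(ev):
    """(neighbor, interface, new_state) for an OSPF-5-ADJCHG event, else None."""
    if ev["mnemonic"] != "adjchg":
        return None
    m = ADJ_RE.search(ev["msg"])
    return (m.group(1), m.group(2).lower(), m.group(4).lower()) if m else None

def adjacency_episodes(events):
    """Pair each FULL with the following DOWN for the same (neighbor, interface):
    [(neighbor, interface, seconds_in_full, down_reason)]."""
    up, episodes = {}, []
    for ev in events:
        adj = _adjacency(ev)
        if not adj:
            continue
        nbr, iface, state = adj
        if state == "full":
            up[(nbr, iface)] = ev["ts"]
        elif state == "down" and (nbr, iface) in up:
            reason = ev["msg"].split("neighbor down:")[-1].strip()
            episodes.append((nbr, iface, (ev["ts"] - up.pop((nbr, iface))).total_seconds(), reason))
    return episodes

def preemptions(events, window=10.0):
    """Neighbor B reaching FULL within `window` seconds of neighbor A going DOWN
    on the same interface: the one-adjacency-at-a-time signature of OSPF
    point-to-point on an mGRE hub. Returns [(old_nbr, new_nbr, gap_seconds)]."""
    last_down, hits = {}, []
    for ev in events:
        adj = _adjacency(ev)
        if not adj:
            continue
        nbr, iface, state = adj
        if state == "down":
            last_down[iface] = (ev["ts"], nbr)
        elif state == "full" and iface in last_down:
            ts0, prev = last_down[iface]
            gap = (ev["ts"] - ts0).total_seconds()
            if prev != nbr and gap <= window:
                hits.append((prev, nbr, gap))
    return hits

def crypto_errors(events):
    """Count IPsec decrypt failures (replay window or integrity check) per
    connection id; a rising count points at a damaged SA, not at OSPF."""
    counts = {}
    for ev in events:
        if ev["facility"] == "crypto" and ev["mnemonic"] in ("pkt_replay_err", "recvd_pkt_mac_err"):
            m = CONN_RE.search(ev["msg"])
            if m:
                counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

SAMPLE_LOG = """\
*nov 1 22:18:51.923: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from loading to full, loading done
*nov 1 22:19:35.071: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from full to down, neighbor down: dead timer expired
*nov 1 22:19:48.391: %crypto-4-pkt_replay_err: decrypt: replay check failed
connection id=3, sequence number=8504
*nov 1 22:19:48.587: %crypto-4-recvd_pkt_mac_err: decrypt: mac verify failed for connection id=3
*nov 1 22:19:55.363: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from loading to full, loading done
*nov 1 22:20:01.783: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from full to down, neighbor down: adjacency forced to reset
*nov 1 22:20:05.415: %ospf-5-adjchg: process 1, nbr 3.3.3.3 on tunnel1 from loading to full, loading done
*nov 1 22:20:23.315: %ospf-5-adjchg: process 1, nbr 3.3.3.3 on tunnel1 from full to down, neighbor down: adjacency forced to reset
*nov 1 22:20:26.119: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from loading to full, loading done
*nov 1 22:20:31.655: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from full to down, neighbor down: adjacency forced to reset
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for nbr, iface, secs, why in adjacency_episodes(evs):
        print(f"{nbr} on {iface}: FULL for {secs:6.1f}s, then {why}")
    for old, new, gap in preemptions(evs):
        print(f"{new} replaced {old} on the same interface after {gap:.1f}s")
    print("decrypt errors per SA:", crypto_errors(evs))
```

On the sample, the first loss of 2.2.2.2 is a dead-timer expiry after 43 s, but every later episode lasts only a few seconds and ends with "adjacency forced to reset", and each time one spoke goes down the other reaches FULL within about 3 s on tunnel1: that alternation is what a point-to-point OSPF network type on an mGRE hub produces. The two decrypt failures both land on connection id 3 and are reported on their own.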
The result is still not ideal: the adjacencies keep re-forming (the repeated "loading to full" messages below), and traffic from the spokes towards 5.5.5.5 and 3.3.3.3 follows the spoke's default route to its ISP gateway (36.36.36.6 on r3, 26.26.26.6 on r2), which answers with !H (host unreachable); in other words, at the moment of the test the spoke has no OSPF route for those destinations:
*nov 1 22:33:27.695: %ospf-5-adjchg: process 1, nbr 123.123.123.1 on tunnel3 from loading to full, loading done
*nov 1 22:35:59.115: %ospf-5-adjchg: process 1, nbr 123.123.123.1 on tunnel3 from loading to full, loading done
*nov 1 22:38:46.499: %ospf-5-adjchg: process 1, nbr 123.123.123.1 on tunnel3 from loading to full, loading done
r3#ping 5.5.5.5
sending 5, 100-byte icmp echos to 5.5.5.5, timeout is 2 seconds:
1 36.36.36.6 288 msec 300 msec 196 msec
2 36.36.36.6 !h * !h
*nov 1 22:41:44.091: %ospf-5-adjchg: process 1, nbr 123.123.123.1 on tunnel3 from loading to full, loading done
r2#traceroute 3.3.3.3
1 26.26.26.6 252 msec 192 msec 328 msec
2 26.26.26.6 !h * !h
1 26.26.26.6 188 msec 192 msec 192 msec
2 26.26.26.6 !h * *
r2#ping 5.5.5.5
*nov 1 22:47:53.507: %ospf-5-adjchg: process 1, nbr 2.2.2.2 on tunnel1 from loading to full, loading done
*nov 1 22:49:26.363: %ospf-5-adjchg: process 1, nbr 3.3.3.3 on tunnel1 from full to down, neighbor down: dead timer expired
r1#ping 3.3.3.3
Conclusion drawn from this lab: with OSPF, the spoke-to-spoke tunnel communication mode could not be made to work here. Two caveats belong next to that conclusion. First, with network type point-to-multipoint the hub advertises the spoke prefixes with itself as the next hop, so even a stable adjacency would give hub-routed spoke-to-spoke traffic; direct spoke-to-spoke tunnels over OSPF need network type broadcast on every mGRE interface, the hub as DR and `ip ospf priority 0` on the spokes. Second, the spoke pre-shared key is bound to the hub address only (see the spoke configuration in part 1), so a spoke-to-spoke IKE negotiation would fail whichever routing protocol is used, exactly as in the EIGRP test.
As for the OSPF communication problem between r1 and r2/r3, it needs further investigation; could it be a badly configured OSPF password???