DMVPN – Designs
BRKSE-4054 covers DMVPN design in detail. Here I only list the commonly used designs one by one as an index; as my understanding deepens I will add notes here. In practice every design needs detailed testing against the customer's traffic. This post also runs two simple tests: one single DMVPN cloud with dual hubs, and one hierarchical DMVPN.
Several common deployments
1. Dual DMVPN clouds, single hub, each spoke with two p-GRE tunnels, Phase 1
Comment: all traffic must pass through the hub and spokes cannot build tunnels to each other, so load sharing between the two DMVPN clouds is easier to deploy, especially when the two clouds sit on different ISPs.
2. Single DMVPN cloud, dual hubs, each spoke with one mGRE tunnel, Phase 2
Comment: suited to models where spokes need to exchange a lot of traffic with each other; it takes load off the hub.
Simple test: dual hubs, single DMVPN cloud
Topology
Basic configuration
Below is the hub configuration; the two hubs are configured identically, so only hub-1 is shown:
hub-1#sh run int tun0
Building configuration...

Current configuration : 361 bytes
!
interface Tunnel0
 ip address 172.16.1.100 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 100
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp redirect
 ip summary-address eigrp 100 192.168.0.0 255.255.0.0
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 12345
end
Below is the spoke configuration; as above, only spoke1 is shown:
spoke1#sh run int tun0
Building configuration...

Current configuration : 429 bytes
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 172.16.1.100 13.1.1.1
 ip nhrp map multicast 13.1.1.1
 ip nhrp map 172.16.1.200 23.1.1.2
 ip nhrp map multicast 23.1.1.2
 ip nhrp network-id 10
 ip nhrp nhs 172.16.1.100
 ip nhrp nhs 172.16.1.200
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 12345
Note: when configuring DMVPN, keep the basic prerequisite in mind: every spoke must know who the hub is. Only then can the tunnel come up, and only then can routing and IPsec work on top of it.
Routing and NHRP information
The output below shows two paths from the spoke to the hubs, via hub-1 and hub-2. Any traffic from the spoke toward the hubs is load-shared per destination, and if one hub goes down the other can still handle resolution.
spoke1#sh ip eigrp nei
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.1.200 Tu0 11 00:19:44 30 1362 0 47
0 172.16.1.100 Tu0 13 00:19:46 11 1398 0 103
spoke1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 192.168.0.0/16 [90/27008000] via 172.16.1.200, 00:19:46, Tunnel0
[90/27008000] via 172.16.1.100, 00:19:46, Tunnel0
spoke1#show ip route nhrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
H 172.16.1.2/32 is directly connected, 00:22:13, Tunnel0
H 192.168.2.0/24 [250/1] via 172.16.1.2, 00:22:13, Tunnel0
spoke1#sh ip nhrp
172.16.1.1/32 via 172.16.1.1
Tunnel0 created 00:17:07, expire 01:42:52
Type: dynamic, Flags: router unique local
NBMA address: 35.1.1.5
(no-socket)
172.16.1.2/32 via 172.16.1.2
Tunnel0 created 00:17:07, expire 01:42:52
Type: dynamic, Flags: router used nhop rib
NBMA address: 36.1.1.6
172.16.1.100/32 via 172.16.1.100
Tunnel0 created 00:19:46, never expire
Type: static, Flags: used
NBMA address: 13.1.1.1
172.16.1.200/32 via 172.16.1.200
Tunnel0 created 00:19:46, never expire
Type: static, Flags: used
NBMA address: 23.1.1.2
192.168.1.0/24 via 172.16.1.1
Tunnel0 created 00:17:04, expire 01:42:55
Type: dynamic, Flags: router unique local
NBMA address: 35.1.1.5
(no-socket)
192.168.2.0/24 via 172.16.1.2
Tunnel0 created 00:17:07, expire 01:42:52
Type: dynamic, Flags: router rib
NBMA address: 36.1.1.6
spoke1#sh ip cef 192.168.0.0/16 int
192.168.0.0/16, epoch 0, RIB[I], refcnt 5, per-destination sharing
sources: RIB
feature space:
IPRM: 0x00028000
ifnums:
Tunnel0(9): 172.16.1.100, 172.16.1.200
path list 0B5A9414, 3 locks, per-destination, flags 0x49 [shble, rif, hwcn]
path 0D5D00F8, share 1/1, type attached nexthop, for IPv4
nexthop 172.16.1.100 Tunnel0, IP midchain out of Tunnel0, addr 172.16.1.100 0D6856D0
path 0D5D0168, share 1/1, type attached nexthop, for IPv4
nexthop 172.16.1.200 Tunnel0, IP midchain out of Tunnel0, addr 172.16.1.200 0C262D48
output chain:
loadinfo 0BF9F6A4, per-session, 2 choices, flags 0083, 5 locks
flags [Per-session, for-rx-IPv4, 2buckets]
2 hash buckets
< 0 > IP midchain out of Tunnel0, addr 172.16.1.100 0D6856D0
IP adj out of GigabitEthernet0/1, addr 35.1.1.3 0C262E78
< 1 > IP midchain out of Tunnel0, addr 172.16.1.200 0C262D48
IP adj out of GigabitEthernet0/1, addr 35.1.1.3 0C262E78
Subblocks:
None
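As an added example (not part of the original post), the following Python parses a `sh ip nhrp` listing like the spoke1 output above into entries and summarises which entries are the configured NHSs and which are spoke-to-spoke shortcuts; the sample string is a trimmed, constructed copy of that output, and the function names are this example's own.

```python
import re

# Constructed sample: the spoke1 "sh ip nhrp" listing from the article, trimmed
# to the two static NHS entries and one learned spoke-to-spoke entry.
SHOW_IP_NHRP = """\
172.16.1.100/32 via 172.16.1.100
   Tunnel0 created 00:19:46, never expire
   Type: static, Flags: used
   NBMA address: 13.1.1.1
172.16.1.200/32 via 172.16.1.200
   Tunnel0 created 00:19:46, never expire
   Type: static, Flags: used
   NBMA address: 23.1.1.2
192.168.2.0/24 via 172.16.1.2
   Tunnel0 created 00:17:07, expire 01:42:52
   Type: dynamic, Flags: router rib
   NBMA address: 36.1.1.6
"""
ENTRY_RE = re.compile(r"^(\S+/\d+) via (\S+)$")

def parse_show_ip_nhrp(text):
    """Return one dict per NHRP cache entry: prefix, via, type, flags, nbma, expire."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = {"prefix": m.group(1), "via": m.group(2), "type": None,
                   "flags": set(), "nbma": None, "expire": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Tunnel"):
            cur["expire"] = line.split("expire")[-1].strip() if "expire " in line else None
        elif line.startswith("Type:"):
            typ, flags = line.split(", Flags:")
            cur["type"], cur["flags"] = typ.split()[1], set(flags.split())
        elif line.startswith("NBMA address:"):
            cur["nbma"] = line.split()[-1]
    return entries

def summarize(entries):
    """Static entries are the configured NHSs (two here, one per hub); dynamic
    entries flagged 'rib' are spoke-to-spoke shortcuts NHRP installed in the RIB."""
    nhs = sorted(e["via"] for e in entries if e["type"] == "static")
    shortcuts = {e["prefix"]: (e["via"], e["nbma"]) for e in entries
                 if e["type"] == "dynamic" and "rib" in e["flags"]}
    return {"nhs": nhs, "shortcuts": shortcuts}
```

Running `summarize(parse_show_ip_nhrp(SHOW_IP_NHRP))` reports both hubs as NHSs and the 192.168.2.0/24 shortcut to spoke2's NBMA address 36.1.1.6.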
Hierarchical DMVPN Test
Topology
This test extends the one above with two more regional spokes, R7 and R8, as shown in the figure above. Per the topology all routers are in the same DMVPN cloud, with two core hubs, r1-hub-1 and r2-hub-2. r5-spoke1 can be seen as a provincial core, i.e. a secondary core, below which the city-level branches hang, such as r7-sub-spoke. With this design all control traffic is relayed through the network-wide cores r1 and r2. r1 sends a summary route to its spokes, while the secondary cores send a default route to their spokes. The test points are 10.10.10.1/24 behind r7 and 20.20.20.1/24 behind r8.
1. Configuration of R5 and R7 (routing omitted)
r5-spoke1#sh run int tun2
Building configuration...

Current configuration : 350 bytes
!
interface Tunnel2
 ip address 172.16.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 100
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp redirect
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 6789
end

r7-sub-spoke1#sh run int tun0
Building configuration...

Current configuration : 331 bytes
!
interface Tunnel0
 ip address 172.16.2.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 172.16.2.1 57.1.1.5
 ip nhrp map multicast 57.1.1.5
 ip nhrp network-id 10
 ip nhrp nhs 172.16.2.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 6789
end
2. Configuration of r6 and r8 (routing omitted)
r6-spoke2#sh run int tun2
Building configuration...

Current configuration : 350 bytes
!
interface Tunnel2
 ip address 172.16.3.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 100
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp redirect
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 6789
end

r8-sub-spoke2#sh run int tun0
Building configuration...

Current configuration : 331 bytes
!
interface Tunnel0
 ip address 172.16.3.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 172.16.3.1 68.1.1.6
 ip nhrp map multicast 68.1.1.6
 ip nhrp network-id 10
 ip nhrp nhs 172.16.3.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 6789
end
3. With this configuration an interesting issue shows up: traffic gets through, because it travels via r1 and r2 and the cores hold specific routes for the whole network, but r7 and r8 cannot build a direct relationship. Why? Looking at the debug output, both r5 and r6 receive the redirect messages sent by r1, but apparently do not forward them on to r7 and r8. What is going on? The flow is shown in the figure:
r5: "debug nhrp pack" output
*Feb 23 10:07:38.344: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 97
*Feb 23 10:07:38.344: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Feb 23 10:07:38.344: shtl: 4(NSAP), sstl: 0(NSAP)
*Feb 23 10:07:38.344: pktsz: 97 extoff: 68
*Feb 23 10:07:38.344: (M) traffic code: redirect(0)
*Feb 23 10:07:38.344: src NBMA: 13.1.1.1
*Feb 23 10:07:38.344: src protocol: 172.16.1.100, dst protocol: 172.16.2.2
*Feb 23 10:07:38.344: Contents of nhrp traffic indication packet:
*Feb 23 10:07:38.344: 45 00 00 64 00 66 00 00 FD 01 E7 0B AC 10 02 02
*Feb 23 10:07:38.344: 14 14 14 01 08 00 FD 0B 00 2D 00 <<< 20.20.20.1
r6: "debug nhrp pack" output
*Feb 23 09:40:14.269: NHRP: Receive Traffic Indication via Tunnel0 vrf 0, packet size: 97
*Feb 23 09:40:14.269: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Feb 23 09:40:14.269: shtl: 4(NSAP), sstl: 0(NSAP)
*Feb 23 09:40:14.269: pktsz: 97 extoff: 68
*Feb 23 09:40:14.269: (M) traffic code: redirect(0)
*Feb 23 09:40:14.269: src NBMA: 13.1.1.1
*Feb 23 09:40:14.269: src protocol: 172.16.1.100, dst protocol: 20.20.20.1
*Feb 23 09:40:14.269: Contents of nhrp traffic indication packet:
*Feb 23 09:40:14.269: 45 00 00 64 00 66 00 00 FD 01 E7 0B 14 14 14 01
*Feb 23 09:40:14.269: AC 10 02 02 00 00 05 0C 00 2D 00 <<< 172.16.2.2
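As an added example (not part of the original post), this Python decodes the packet excerpt quoted in the two traffic indications above: it parses the IPv4 header, verifies its checksum and reads the ICMP type, which shows that r5 saw the echo request and r6 saw the echo reply. The hex strings are copied from the debug lines; the function names are this example's own.

```python
import struct
import ipaddress

# Constructed from the "Contents of nhrp traffic indication packet" lines on the
# page: r5's dump (r7's echo request toward 20.20.20.1) and r6's dump (the reply).
R5_DUMP = "45 00 00 64 00 66 00 00 FD 01 E7 0B AC 10 02 02 14 14 14 01 08 00 FD 0B 00 2D 00"
R6_DUMP = "45 00 00 64 00 66 00 00 FD 01 E7 0B 14 14 14 01 AC 10 02 02 00 00 05 0C 00 2D 00"
ICMP_NAMES = {0: "echo-reply", 8: "echo-request"}

def ipv4_checksum_ok(header):
    """One's-complement check: the header's 16-bit words must sum to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_triggering_packet(hexdump):
    """Parse the IPv4 header (and ICMP type, if present) quoted in the indication."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4 if raw else 0
    if not raw or raw[0] >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    src = str(ipaddress.IPv4Address(raw[12:16]))
    info = {
        "src": src,
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "ttl": raw[8],
        "proto": raw[9],
        "checksum_ok": ipv4_checksum_ok(raw[:ihl]),
        # In both dumps the debug's "dst protocol" equals the quoted packet's
        # source: the hub aims the redirect at whoever sent the packet
        # (172.16.2.2 on r5, 20.20.20.1 on r6), which here sits behind a sub-hub.
        "redirect_target": src,
    }
    if raw[9] == 1 and len(raw) >= ihl + 2:
        info["icmp"] = ICMP_NAMES.get(raw[ihl], "type-%d" % raw[ihl])
    return info

if __name__ == "__main__":
    for name, dump in (("r5", R5_DUMP), ("r6", R6_DUMP)):
        d = decode_triggering_packet(dump)
        print(name, d["src"], "->", d["dst"], d.get("icmp"), "redirect to", d["redirect_target"])
```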
4. Does the redirect message only take effect, and trigger an NHRP Request, when it reaches the original initiator? Can it not be forwarded by an intermediate spoke? If a spoke that receives a redirect is to forward it, must it support redirect itself? Fine: add the redirect command on r5, then ping from r7, and it works!
Below is the NHRP information on r7-sub-spoke:
sub-spoke1#sh ip nhrp
10.10.10.0/24 via 172.16.2.2
Tunnel0 created 00:04:01, expire 01:56:56
Type: dynamic, Flags: router unique local
NBMA address: 57.1.1.7
(no-socket)
20.20.20.0/24 via 172.16.3.2
Tunnel0 created 00:09:21, expire 01:50:38
Type: dynamic, Flags: router rib
NBMA address: 68.1.1.8
172.16.1.2/32 via 172.16.1.2
Tunnel0 created 00:04:55, expire 01:55:04
Type: dynamic, Flags: router used nhop rib
NBMA address: 36.1.1.6
172.16.2.1/32 via 172.16.2.1
Tunnel0 created 03:50:10, never expire
Type: static, Flags: used
NBMA address: 57.1.1.5
172.16.2.2/32 via 172.16.2.2
Tunnel0 created 00:09:21, expire 01:55:04
Type: dynamic, Flags: router unique local
NBMA address: 57.1.1.7
(no-socket)
172.16.3.2/32 via 172.16.3.2
Tunnel0 created 00:09:21, expire 01:50:38
Type: dynamic, Flags: router nhop rib
NBMA address: 68.1.1.8
sub-spoke1#sh ip route nhrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
20.0.0.0/24 is subnetted, 1 subnets
H 20.20.20.0 [250/1] via 172.16.3.2, 00:10:24
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
H 172.16.1.2/32 is directly connected, 00:05:58, Tunnel0
H 172.16.3.2/32 is directly connected, 00:10:24, Tunnel0
5. OK, so far r7 and r8 communicate directly. Can r7 talk to r6? As shown in the figure:
Testing shows that a ping from r7 to r6's 192.168.2.1 works at first and then stops. Why? It works at first because the traffic is relayed via the hub; it stops later presumably once NHRP has resolved the address...
192.168.2.0/24 via 172.16.1.2
Tunnel0 created 00:16:29, expire 01:43:30
Type: dynamic, Flags: router rib
NBMA address: 36.1.1.6
r7-sub-spoke1#sh ip cef 192.168.2.1 int
192.168.2.0/24, epoch 0, flags [rnolbl, rlbls], RIB[O], refcnt 5, per-destination sharing
sources: RIB
feature space:
IPRM: 0x00058000
ifnums:
Tunnel0(7): 172.16.1.2
path list 0D9BF3BC, 3 locks, per-destination, flags 0x69 [shble, rif, rcrsv, hwcn]
path 0D560278, share 1/1, type recursive, for IPv4
recursive via 172.16.1.2[IPv4:Default], fib 0CE1B5AC, 1 terminal fib, v4:Default:172.16.1.2/32
path list 0D9BF31C, 3 locks, per-destination, flags 0x49 [shble, rif, hwcn]
path 0D560198, share 1/1, type attached nexthop, for IPv4
nexthop 172.16.1.2 Tunnel0, IP midchain out of Tunnel0, addr 172.16.1.2 0C1F5600
output chain:
IP midchain out of Tunnel0, addr 172.16.1.2 0C1F5600
IP adj out of GigabitEthernet0/1, addr 57.1.1.5 0C626FF8
6. A packet capture shows the packets are being forwarded to r6 normally. So what happens on r6?
7. The only thing I can think of is that r6's GRE key differs from r7's. Changed it and tried again: it works. Nothing was changed on r7 or r5. End of test.