Dynamic multipoint VPN

1. Configuring hub-to-spoke tunnel communication mode

First configure the IP addresses, default routes, and DHCP according to the topology diagram.

Hub:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#en 3
R1(config-isakmp)#au p
R1(config-isakmp)#ha s
R1(config-isakmp)#gr 2
R1(config-isakmp)#ex
R1(config)#cry isakmp key 0 cisco123 add 0.0.0.0 0.0.0.0
R1(config)#cry ipsec trans myset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#ex
R1(config)#cry ipsec profile cisco
R1(ipsec-profile)#set trans myset
R1(ipsec-profile)#ex
R1(config)#interface tunnel 1
R1(config-if)#bandwidth 1000
R1(config-if)#ip add 123.123.123.1 255.255.255.0
R1(config-if)#ip mtu 1400
R1(config-if)#no ip redirects
R1(config-if)#ip nhrp authentication ccie
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 10
R1(config-if)#no ip split-horizon eigrp 1
R1(config-if)#tunnel source f0/1
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key
*Nov 1 20:22:59.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config-if)#tunnel key 10000
R1(config-if)#tunnel protection ipsec profile cisco
R1(config-if)#
R1(config-if)#
*Nov 1 20:23:40.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#

Spoke:

R3(config)#cry isakmp policy 1
R3(config-isakmp)#en 3
R3(config-isakmp)#au p
R3(config-isakmp)#gr 2
R3(config-isakmp)#ha s
R3(config-isakmp)#ex
R3(config)#cry isakmp key 0 cisco123 add 16.16.16.1
R3(config)#cry ipsec trans myset esp-3 esp-sha-h
R3(cfg-crypto-trans)#ex
R3(config)#crypto ipsec profile cisco
R3(ipsec-profile)#set trans myset
R3(ipsec-profile)#ex
R3(config)#int tunnel 3
R3(config-if)#bandwidth 1000
R3(config-if)#ip add 123.123.123.3 255.255.255.0
R3(config-if)#no ip re
R3(config-if)#no ip redirects
R3(config-if)#ip mtu 1400
R3(config-if)#ip nhrp authentication ccie
R3(config-if)#ip nhrp map multicast dynamic
R3(config-if)#ip nhrp map 123.123.123.1 16.16.16.1
R3(config-if)#ip nhrp map multicast 16.16.16.1
R3(config-if)#ip nhrp net
R3(config-if)#ip nhrp network-id 10
R3(config-if)#ip nhrp nhs
R3(config-if)#ip nhrp nhs 123.123.123.1
R3(config-if)#tunnel source f0/1
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel key 10000
R3(config-if)#tunnel protection ipsec profile cisco
R3(config-if)#

R2 is configured the same way as R3.

Verification:

R1#ping 123.123.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 440/531/588 ms
R1#show ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
123.123.123.3/32     123.123.123.3   36.36.36.1     dynamic  Tu1     < >
R1#
R1#show cry isakmp peers
Peer: 36.36.36.1 Port: 500 Local: 16.16.16.1
 Phase1 id: 36.36.36.1
R3#show ip nhrp bri
   Target             Via            NBMA           Mode   Intfc   Claimed
123.123.123.1/32     123.123.123.1   16.16.16.1     static   Tu3     < >
R3#
R3#show cry isakmp peers
Peer: 16.16.16.1 Port: 500 Local: 36.36.36.1
 Phase1 id: 16.16.16.1
R3#

Configure EIGRP on R1 and R3:

R1(config)#router eigrp 1
R1(config-router)#net 15.0.0.0
R1(config-router)#net 123.0.0.0
R1(config-router)#no au
R1(config-router)#
*Nov 1 20:55:39.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.3 (Tunnel1) is up: new adjacency
R1(config-router)#
*Nov 1 20:55:46.283: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.3 (Tunnel1) is resync: peer graceful-restart
R1(config-router)#

R3(config)#router eigrp 1
R3(config-router)#net 3.0.0.0
R3(config-router)#net 123.0.0.0
R3(config-router)#
*Nov 1 20:55:38.411: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.1 (Tunnel3) is up: new adjacency
R3(config-router)#no au
R3(config-router)#
*Nov 1 20:55:45.103: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.1 (Tunnel3) is resync: summary configured
R3(config-router)#

R5(config)#router eigrp 1
R5(config-router)#net 15.0.0.0
R5(config-router)#ne
*Nov 1 20:59:04.787: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 15.15.15.1 (FastEthernet0/0) is up: new adjacency
R5(config-router)#net 5.0.0.0
R5(config-router)#no au
R5(config-router)#
*Nov 1 20:59:15.039: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 15.15.15.1 (FastEthernet0/0) is resync: summary configured
R5(config-router)#

Check the EIGRP neighbors and the routing tables:

R1#show ip eigrp nei
IP-EIGRP neighbors for process 1
H   Address           Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                  (sec)           (ms)         Cnt  Num
1   15.15.15.5        Fa0/0       12    00:00:40  300    1800  0    8
0   123.123.123.3     Tu1         12    00:04:06  834    5000  0    10
R1#
R1#show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
     16.0.0.0/24 is subnetted, 1 subnets
C       16.16.16.0 is directly connected, FastEthernet0/1
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/15488000] via 123.123.123.3, 00:04:20, Tunnel1
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/156160] via 15.15.15.5, 00:00:51, FastEthernet0/0
     123.0.0.0/24 is subnetted, 1 subnets
C       123.123.123.0 is directly connected, Tunnel1
     15.0.0.0/24 is subnetted, 1 subnets
C       15.15.15.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, FastEthernet0/1
R1#

R3#show ip route
Gateway of last resort is 36.36.36.6 to network 0.0.0.0
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/15490560] via 123.123.123.1, 00:01:39, Tunnel3
     36.0.0.0/24 is subnetted, 1 subnets
C       36.36.36.0 is directly connected, FastEthernet0/1
     123.0.0.0/24 is subnetted, 1 subnets
C       123.123.123.0 is directly connected, Tunnel3
     15.0.0.0/24 is subnetted, 1 subnets
D       15.15.15.0 [90/15362560] via 123.123.123.1, 00:05:13, Tunnel3
S*   0.0.0.0/0 [254/0] via 36.36.36.6
R3#
R3#show ip eigrp nei
IP-EIGRP neighbors for process 1
H   Address           Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                  (sec)           (ms)         Cnt  Num
0   123.123.123.1     Tu3         13    00:06:22  960    5000  0    20
R3#

Test:

R5#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 752/792/844 ms
R5#traceroute 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3
  1 15.15.15.1 132 msec 212 msec 236 msec
  2 123.123.123.3 748 msec 768 msec 760 msec
R5#

2. Configuring spoke-to-spoke communication mode

R1(config)#int tunnel 1
R1(config-if)#no ip ne
R1(config-if)#no ip next-hop-self ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)
R1(config-if)#no ip next-hop-self eigrp 1

Test from R2:

R2#traceroute 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5
  1 123.123.123.1 512 msec * 500 msec
  2 15.15.15.5 788 msec 900 msec 652 msec
R2#show ip route eigrp
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/28288000] via 123.123.123.3, 00:17:19, Tunnel2
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/15490560] via 123.123.123.1, 00:17:09, Tunnel2
     15.0.0.0/24 is subnetted, 1 subnets
D       15.15.15.0 [90/15362560] via 123.123.123.1, 00:17:09, Tunnel2
R2#
R2#show ip nhrp
123.123.123.1/32 via 123.123.123.1, Tunnel2 created 00:43:25, never expire
  Type: static, Flags: nat used
  NBMA address: 16.16.16.1
R2#

R2 shows no connection to R3.

Test from R3:

R3#traceroute 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5
  1 123.123.123.1 580 msec 616 msec 532 msec
  2 15.15.15.5 888 msec 732 msec 824 msec
R3#show ip rout eigrp
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/28288000] via 123.123.123.2, 00:18:56, Tunnel3
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/15490560] via 123.123.123.1, 00:19:07, Tunnel3
     15.0.0.0/24 is subnetted, 1 subnets
D       15.15.15.0 [90/15362560] via 123.123.123.1, 00:19:07, Tunnel3
R3#show ip nhrp
123.123.123.1/32 via 123.123.123.1, Tunnel3 created 01:36:10, never expire
  Type: static, Flags: nat used
  NBMA address: 16.16.16.1
123.123.123.2/32 via 123.123.123.2, Tunnel3 created 00:17:06, expire 01:55:10
  Type: dynamic, Flags: router nat implicit
  NBMA address: 26.26.26.1
R3#show ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
123.123.123.1/32     123.123.123.1   16.16.16.1     static   Tu3     < >
123.123.123.2/32     123.123.123.2   26.26.26.1     dynamic  Tu3     < >
R3#

Yet on R3 the connection to R2 is visible.

This result is frustrating... I hope an expert can point me in the right direction.

R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#traceroute 2.2.2.2
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 * * *
  2 * * *
  3 * * *
  4 * * *
  5 * * *
  6 * * *
  7 * * *
  8 * * *
  9 * * *
 10 * * *
 11 * * *
 12 * * *
 13 * * *
 14 * * *
 15 * * *
 16 * * *
 17 * * *
 18 * * *
 19 * * *
 20 * * *
 21 * * *
 22 * * *
 23 * * *
 24 * * *
 25 * * *
 26 * * *
 27 * * *
 28 * * *
 29 * * *
 30 * * *

3. Testing OSPF over DMVPN

Replace EIGRP with OSPF on all routers:

R5(config)#no router eigrp 1
*Nov 1 22:14:04.519: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 15.15.15.1 (FastEthernet0/0) is down: interface down
R5(config)#router ospf 1
R5(config-router)#net 5.5.5.5 0.0.0.0 area 0
R5(config-router)#net 15.15.15.0 0.0.0.255 area 0
R5(config-router)#ex

R1(config)#no router eigrp 1
*Nov 1 22:16:04.383: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.2 (Tunnel1) is down: interface down
*Nov 1 22:16:04.399: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 123.123.123.3 (Tunnel1) is down: interface down
R1(config)#router ospf 1
R1(config-router)#net 16.16.16.0 0.0.0.255 area 0
R1(config-router)#net 15.15.15.0 0.0.0.255 area 0
R1(config-router)#net 123.123.123.0 0.0.0.255 area 0

R2(config)#no router eigrp 1
R2(config)#router ospf 1
R2(config-router)#net 2.2.2.2 0.0.0.0 area 0
R2(config-router)#net 123.123.123.0 0.0.0.255 area 0
R2(config-router)#ex

R3(config)#no router eigrp 1
R3(config)#router ospf 1
R3(config-router)#net 3.3.3.3 0.0.0.0 area 0
R3(config-router)#net 123.123.123.0 0.0.0.255 area 0

As a result, the OSPF neighbors flap up and down:

R1(config-router)#
*Nov 1 22:18:51.923: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done
R1(config-router)#
*Nov 1 22:19:35.071: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-router)#
*Nov 1 22:19:48.391: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
 connection id=3, sequence number=8504
*Nov 1 22:19:48.587: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3
R1(config-router)#
*Nov 1 22:19:55.363: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done
R1(config-router)#
*Nov 1 22:20:01.783: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R1(config-router)#
*Nov 1 22:20:05.415: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from LOADING to FULL, Loading Done
R1(config-router)#
*Nov 1 22:20:23.315: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R1(config-router)#
*Nov 1 22:20:26.119: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done
R1(config-router)#
*Nov 1 22:20:31.655: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R1(config-router)#
*Nov 1 22:20:34.219: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from LOADING to FULL, Loading Done
R1(config-router)#
*Nov 1 22:20:48.407: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
 connection id=3, sequence number=13476
*Nov 1 22:20:49.107: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3
R1(config-router)#
*Nov 1 22:21:07.419: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R1(config-router)#
*Nov 1 22:21:10.543: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done

This is because OSPF by default treats the mGRE interface as network type point-to-point.

The network type has to be changed to point-to-multipoint on the mGRE interface of every router:

R1(config)#int tunnel 1
R1(config-if)#ip ospf network point-to-multipoint
R2(config)#int tunnel 2
R2(config-if)#ip ospf net point-to-multipoint
R3(config)#int tunnel 3
R3(config-if)#ip ospf network point-to-multipoint

The result is not ideal:

R3#
*Nov 1 22:33:27.695: %OSPF-5-ADJCHG: Process 1, Nbr 123.123.123.1 on Tunnel3 from LOADING to FULL, Loading Done
R3#
R3#
*Nov 1 22:35:59.115: %OSPF-5-ADJCHG: Process 1, Nbr 123.123.123.1 on Tunnel3 from LOADING to FULL, Loading Done
R3#
*Nov 1 22:38:46.499: %OSPF-5-ADJCHG: Process 1, Nbr 123.123.123.1 on Tunnel3 from LOADING to FULL, Loading Done
R3#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#
R3#traceroute 2.2.2.2
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 36.36.36.6 288 msec 300 msec 196 msec
  2 36.36.36.6 !H * !H
R3#
*Nov 1 22:41:44.091: %OSPF-5-ADJCHG: Process 1, Nbr 123.123.123.1 on Tunnel3 from LOADING to FULL, Loading Done
R3#

R2#traceroute 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3
  1 26.26.26.6 252 msec 192 msec 328 msec
  2 26.26.26.6 !H * !H
R2#
R2#traceroute 5.5.5.5
Type escape sequence to abort.
Tracing the route to 5.5.5.5
  1 26.26.26.6 188 msec 192 msec 192 msec
  2 26.26.26.6 !H * *
R2#
R2#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#

R1#
*Nov 1 22:47:53.507: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from LOADING to FULL, Loading Done
*Nov 1 22:49:26.363: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

Conclusion: spoke-to-spoke tunnel communication cannot be achieved under OSPF.

As for the OSPF communication problems between R1 and R2/R3, they need further investigation. Could it be that the OSPF password is misconfigured???
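Added example, not part of the original post: a small Python audit of the ISAKMP lines typed in the hub and spoke sessions above. It reports which NBMA peers from R3's NHRP table have no matching pre-shared key line, and flags the dated IKE settings and key handling; the sample strings are copied from the page's sessions, while the function names and finding labels are assumptions of this example.

```python
import ipaddress
import re

# Constructed from the page's R3 (spoke) session, abbreviations as typed there.
SPOKE_CONFIG = """\
cry isakmp policy 1
 en 3
 au p
 gr 2
 ha s
cry isakmp key 0 cisco123 add 16.16.16.1
"""
# Hub key line (R1 session) and the NBMA peers in R3's `show ip nhrp brief`.
HUB_KEY = "cry isakmp key 0 cisco123 add 0.0.0.0 0.0.0.0"
R3_NBMA_PEERS = ["16.16.16.1", "26.26.26.1"]
# Key lines as typed on the page: key <type> <secret> add[ress] <ip> [mask]
KEY_RE = re.compile(r"\s*cry\S*\s+isakmp\s+key\s+(\d)\s+\S+\s+add\S*\s+(\S+)(?:\s+(\S+))?\s*$")

def key_lines(config):
    """(key_type, covered network) for every ISAKMP pre-shared key line."""
    out = []
    for line in config.splitlines():
        if (m := KEY_RE.match(line)):
            key_type, addr, mask = m.groups()
            prefix = bin(int(ipaddress.IPv4Address(mask or "255.255.255.255"))).count("1")
            out.append((key_type, ipaddress.ip_network(f"{addr}/{prefix}", strict=False)))
    return out

def peers_without_key(config, peers):
    """NBMA peers for which no pre-shared key line matches."""
    nets = [net for _, net in key_lines(config)]
    return [p for p in peers if not any(ipaddress.ip_address(p) in n for n in nets)]

def weak_settings(config):
    """Flag dated IKE policy choices and risky key handling (abbreviation-aware)."""
    found = []
    for tok in (t for t in map(str.split, config.splitlines()) if len(t) == 2):
        if "encryption".startswith(tok[0]) and tok[1][0] in "3d":
            found.append("3DES/DES encryption")
        elif "group".startswith(tok[0]) and tok[1] in ("1", "2", "5"):
            found.append("DH group " + tok[1])
        elif "hash".startswith(tok[0]) and "sha".startswith(tok[1]):
            found.append("SHA-1 hash")
    for key_type, net in key_lines(config):
        if key_type == "0":
            found.append("type 0 (unencrypted) pre-shared key")
        if net.prefixlen == 0:
            found.append("wildcard pre-shared key (any peer)")
    return found
```

On the page's data, `peers_without_key(SPOKE_CONFIG, R3_NBMA_PEERS)` returns the other spoke's NBMA address, 26.26.26.1: the spoke key line covers only the hub, while the hub's wildcard line covers every peer.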