HCIEv3.0
1.基础概念
即动态智能×××,是指在Hub-Spoke网络模型中,分支与总部、分支与分支间动态建立×××的一种技术。
为了充分利用公共网络资源,降低网络构建成本,越来越多的企业希望通过公共网络将总部机构(Hub)与地理位置不同的多个分支机构(Spoke)相连,并在分支机构与总部机构间、分支机构与分支机构间建立×××。
在Hub-Spoke网络中,总部与分支间建立Hub-Spoke隧道,分支到分支的数据流经由总部传输。按图1进行网络规划和部署后,会带来如下问题:
当新接入一个分支之后,总部Hub需要针对其进行×××配置和维护。在大量分支接入时,总部Hub的配置会变得非常复杂,而且每次网络调整时,都需要调整总部的配置。
如果分支间通信经过总部中转,这些数据流会使用总部资源且导致额外延迟(特别是采用IPSec加密时),因为总部需要对来自源分支的数据包进行解密再加密,以将其发送到目的分支。
如果分支之间不通过总部中转而直接进行通信,此时如果分支出口采用的是动态地址,则分支之间无法事先获知对端的地址,因此无法在分支之间直接建立隧道。
DS×××通过NHRP(Next Hop Resolution Protocol)收集、维护各站点动态变化的公网地址等信息,解决了无法事先获得通信对端公网地址的问题
DS×××节点
DS×××节点为部署DS×××的设备,包括Spoke和Hub两种形态。
Spoke
Spoke通常是企业分支机构的网关设备。一般情况下,Spoke使用动态的公网地址。
Hub
Hub通常是企业总部,是DS×××网络的中心设备,接收Spoke向其注册的信息。DS×××网络中,Hub既可使用固定的公网地址,也可使用域名。
2.实施组件
1.MGRE(Multipoint GRE),多点GRE。
2.NHRP协议(Next Hop Resolution Protocol ),下一跳地址解析协议。
3.路由协议
4.可选的IPSec封装,实现数据的安全传输。
注意DS×××使用限制
DS×××网络中只支持两种路由协议:静态路由和OSPF路由协议。(已经支持BGP和RIP协议)
DS×××特性不支持虚拟系统
mGRE和mGRE隧道接口
mGRE是在GRE基础上发展而来的一种点到多点GRE技术。mGRE隧道接口是为实现DS×××而提供的一种点到多点类型的逻辑接口。
mGRE隧道接口包含以下元素:
隧道源地址:报文传输协议中的源地址。隧道源地址就是GRE封装后的报文源地址,即图1中的公网地址(NBMA地址)。
隧道目的地址:报文传输协议中的目的地址。隧道目的地址就是GRE封装后的报文目的地址。
隧道接口IP地址:隧道接口地址和其他物理接口上的IP地址一样,用于设备之间的通信(例如获取路由信息等),即图中的Tunnel地址(Protocol地址)
3.实施拓扑
4.实施步骤
4.1 前提:解决公网地址(NBMA地址)的路由问题,现网中,NBMA地址的可达性大部分时候由运营商来负责
<R1-HUB>dis ip rou pro static
Route Flags: R - relay, D - download to fib
Public routing table : Static
Destinations : 1 Routes : 1 Configured Routes : 1
Static routing table status : <Active>
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.10.1.2 GigabitEthernet0/0/0Static routing table status : <Inactive>
Destinations : 0 Routes : 0
<R1-HUB>
<R1-HUB>
<R1-HUB>ping 202.100.1.1
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.1: bytes=56 Sequence=1 ttl=254 time=590 ms
Reply from 202.100.1.1: bytes=56 Sequence=2 ttl=254 time=240 ms
Reply from 202.100.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 202.100.1.1: bytes=56 Sequence=4 ttl=254 time=70 ms
Reply from 202.100.1.1: bytes=56 Sequence=5 ttl=254 time=40 ms
--- 202.100.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/208/590 ms
<R1-HUB>ping 202.100.1.2
PING 202.100.1.2: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.2: bytes=56 Sequence=1 ttl=254 time=230 ms
Reply from 202.100.1.2: bytes=56 Sequence=2 ttl=254 time=100 ms
Reply from 202.100.1.2: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 202.100.1.2: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 202.100.1.2: bytes=56 Sequence=5 ttl=254 time=40 ms
<R2-Spoke1>dis cu | i ip route-s
ip route-static 0.0.0.0 0.0.0.0 202.100.1.254
<R3-Spoke2>dis cu | i ip route
ip route-static 0.0.0.0 0.0.0.0 202.100.1.254
<R1-HUB>dis cu | i ip route-s
ip route-static 0.0.0.0 0.0.0.0 202.10.1.24.2 组件1.多点GRE隧道
仅仅有源地址,没有目标地址
两种隧道:静态隧道和动态隧道
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
[R2-Spoke1-Tunnel0/0/0]dis th
[V200R003C00]
#
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
[R3-Spoke2-Tunnel0/0/0]dis th
[V200R003C00]
#
interface Tunnel0/0/0
ip address 172.16.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0隧道是一个逻辑接口,没有MAC地址,意味着没有arp解析,同时又不是点到点的网络,那数据怎么完成封装呢?
4.3 组件2 NHRP(下一跳解析协议)
可以借助前边的公网地址使得死亡完成通信
把私网地址(172.16.1.2)解析成公网可达地址(202.100.1.2)
NHRP的动态(分支到分支间的临时映射)和静态(总部到分支的固定映射)对等体
[R1-HUB-Tunnel0/0/0]nhrp entry multicast dynamic
[R2-Spoke1-Tunnel0/0/0]nhrp entry 172.16.1.1 202.10.1.1 register
[R3-Spoke2-Tunnel0/0/0]nhrp entry 172.16.1.1 202.10.1.1 register //把私网地址手工映射为公网地址,即NBMA地址
[R1-HUB-Tunnel0/0/0]display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.2 32 202.100.1.1 172.16.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:02:33
Expire time : 01:57:27
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 202.100.1.2 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
[R2-Spoke1-Tunnel0/0/0]disp nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 202.10.1.1 172.16.1.1 static hub
-------------------------------------------------------------------------------
[R3-Spoke2-Tunnel0/0/0]disp nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 202.10.1.1 172.16.1.1 static hub
------------------------------------------------------------------------------- 直连通信:
[R1-HUB-Tunnel0/0/0]ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=140 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=90 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=100 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=80 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/94/140 ms
[R1-HUB-Tunnel0/0/0]ping 172.16.1.3
PING 172.16.1.3: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.3: bytes=56 Sequence=1 ttl=255 time=140 ms
Reply from 172.16.1.3: bytes=56 Sequence=2 ttl=255 time=60 ms
Reply from 172.16.1.3: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 172.16.1.3: bytes=56 Sequence=4 ttl=255 time=70 ms
Reply from 172.16.1.3: bytes=56 Sequence=5 ttl=255 time=130 ms
4.4 组件3.动态路由协议需要调整
OSPF案例
[R1-HUB-Tunnel0/0/0]dis cu conf ospf
[V200R003C00]
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
[R1-HUB-ospf-1-area-0.0.0.0]int lo0
[R1-HUB-LoopBack0]description YEWU
[R1-HUB-LoopBack0]ip address 10.1.1.1 32
[R1-HUB-LoopBack0]ospf en a 0
[R1-HUB-LoopBack0]int tun 0/0/0
[R1-HUB-Tunnel0/0/0]ospf en a 0
0 不能
1 能
此时网络中有3台设备,必须是一个多点接入网络,可是OSPF网络类型是点到点(p2p不适合这个多点接入网络)
广播方式:
[R1-HUB-Tunnel0/0/0]ospf network-type broadcast
[R2-Spoke1-Tunnel0/0/0]ospf dr-priority 0
[R2-Spoke1-Tunnel0/0/0]ospf network-type broadcast
[R3-Spoke2-Tunnel0/0/0]ospf dr-priority 0
[R3-Spoke2-Tunnel0/0/0]ospf network-type broadcast[R1-HUB]dis ospf peer brief //分支仅仅和总部有邻居关系,分支间是不存在路由协议的邻居关系
OSPF Process 1 with Router ID 1.1.1.1
Peer Statistic InformationArea Id Interface Neighbor id State
0.0.0.0 Tunnel0/0/0 2.2.2.2 Full
0.0.0.0 Tunnel0/0/0 3.3.3.3 Full
[R1-HUB]dis ospf int tun 0/0/0
OSPF Process 1 with Router ID 1.1.1.1
Interfaces Interface: 172.16.1.1 (Tunnel0/0/0)
Cost: 1562 State: DR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 172.16.1.1
Backup Designated Router: 0.0.0.0
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
[R2-Spoke1]dis ip rou pro ospf
Route Flags: R - relay, D - download to fib
Public routing table : OSPF
Destinations : 2 Routes : 2
OSPF routing table status : <Active>
Destinations : 2 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.1/32 OSPF 10 1562 D 172.16.1.1 Tunnel0/0/0
10.1.1.3/32 OSPF 10 1562 D 172.16.1.3 Tunnel0/0/0 //这是OSPF广播类型的特点,问题在于必须存在到172.16.1.3的NHRP映射,NHRP可以完成动态映射的,参考下面表象[R2-Spoke1]dis nhrp peer all
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
16.1.1 32 202.10.1.1 172.16.1.1 static hub
Tunnel interface: Tunnel0/0/0
Created time : 00:21:37
Expire time : --
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
172.16.1.3 32 202.100.1.2 172.16.1.3 dynamic route tunnel
DS×××环境下实施RIP
rip 1
version 2
network 172.16.0.0
network 10.0.0.0
[R1-HUB-rip-1]dis rip 1 neighbor
---------------------------------------------------------------------
IP Address Interface Type Last-Heard-Time
---------------------------------------------------------------------
172.16.1.2 Tunnel0/0/0 RIP 0:0:17
Number of RIP routes : 1
172.16.1.3 Tunnel0/0/0 RIP 0:0:15
Number of RIP routes : 1
[R1-HUB-rip-1]dis ip rou protocol rip //总部完整无缺
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : RIP
Destinations : 2 Routes : 2
RIP routing table status : <Active>
Destinations : 2 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.2/32 RIP 100 1 D 172.16.1.2 Tunnel0/0/0
10.1.1.3/32 RIP 100 1 D 172.16.1.3 Tunnel0/0/0
[R3-Spoke2-rip-1]dis ip rou pro rip
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : RIP
Destinations : 1 Routes : 1
RIP routing table status : <Active>
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.1/32 RIP 100 1 D 172.16.1.1 Tunnel0/0/0
RIP routing table status : <Inactive>
Destinations : 0 Routes : 0
[R2-Spoke1-rip-1]dis ip rou pro rip
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : RIP
Destinations : 1 Routes : 1
RIP routing table status : <Active>
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.1/32 RIP 100 1 D 172.16.1.1 Tunnel0/0/0
解决方案:
关闭HUB的隧道的RIP的水平分割
**[R1-HUB-Tunnel0/0/0]undo rip split-horizon** [R2-Spoke1]dis ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
Public routing table : RIP
Destinations : 2 Routes : 2
RIP routing table status : <Active>
Destinations : 2 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.0.0/8 RIP 100 1 D 172.16.1.1 Tunnel0/0/0
172.16.0.0/16 RIP 100 1 D 172.16.1.1 Tunnel0/0/04.1 采用SHORTCUT方式实施大型的DS×××
改进主要有2点:1 NHRP解析 2 路由可以实施汇总
最适合NBMA的OSPF网络类型是P2MP
ospf network-type p2mp
[R2-Spoke1]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
Public routing table : OSPF
Destinations : 4 Routes : 4
OSPF routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.1/32 OSPF 10 1562 D 172.16.1.1 Tunnel0/0/0
10.1.1.3/32 OSPF 10 3124 D 172.16.1.1 Tunnel0/0/0 //分支到其他分支路由的下一跳是总部
172.16.1.1/32 OSPF 10 1562 D 172.16.1.1 Tunnel0/0/0
172.16.1.3/32 OSPF 10 3124 D 172.16.1.1 Tunnel0/0/0 [R1-HUB-Tunnel0/0/0]nhrp redirect
[R2-Spoke1-Tunnel0/0/0]nhrp shortcut
[R3-Spoke2-Tunnel0/0/0]nhrp shortcut
[R3-Spoke2]dis nhrp peer all
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
1.2 32 202.100.1.1 172.16.1.2 dynamic route network //去往目标地址直接映射到NBMA地址
4.5 组件4.IPSEC保护隧道
不需要指定remote peer,另外一点策略汇总会采用IPSEC profile(模版)
三台设备配置相同
ipsec proposal QYT
#
ike proposal 1
#
ike peer DS××× v1
pre-shared-key simple qytang
ike-proposal 1
#
ipsec profile DS×××
ike-peer DS×××
proposal QYT
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
ipsec profile DS××× //接口调用策略<R2-Spoke1>ping 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time=60 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time=40 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 3.3.3.3: bytes=56 Sequence=5 ttl=255 time=70 ms
--- 3.3.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/56/70 ms
<R2-Spoke1>ping 10.1.1.1 //数据可以正常通过加密处理
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=140 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=300 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=50 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/122/300 ms
HCNP
<R1-HUB>dis ipsec sa brief
Number of SAs:4
Src address Dst address SPI ××× Protocol Algorithm
202.100.1.1 202.10.1.1 3838815387 0 ESP E:DES A:MD5-96
202.100.1.2 202.10.1.1 2091020973 0 ESP E:DES A:MD5-96
202.10.1.1 202.100.1.1 2870251216 0 ESP E:DES A:MD5-96
202.10.1.1 202.100.1.2 1159615265 0 ESP E:DES A:MD5-96<R1-HUB>dis ike sa
Conn-ID Peer ××× Flag(s) Phase
4 202.100.1.2 0 RD 2
3 202.100.1.2 0 RD 1
2 202.100.1.1 0 RD 2
1 202.100.1.1 0 RD 1 乾颐堂安德HCIEv3.0 作业:完成shortcut方式的DS×××
原文地址:http://blog.51cto.com/enderjoe/2164106