- Next-Hop Resolution Protocol (NHRP)
- Dynamic IPsec encryption
- Routing protocols
- Cisco Express Forwarding (CEF)
In DMVPN Phase 1, as I said earlier, the spokes learn every route with the hub as next hop and all traffic passes through the hub; in Phase 2 every spoke learns every route and the spokes talk to each other directly. The advantage of Phase 2 is obvious: spoke-to-spoke traffic does not consume the hub's bandwidth and latency stays lower. Phase 1 has its own advantage: because the hub usually summarizes, the spokes' routing tables stay small. Phase 3 tries to combine the two: all routes are still known only at the center (the spokes can carry just a summary or default route), yet traffic flows directly between spokes.
Split horizon: a router does not re-advertise a route out of the interface on which it learned it. On the hub all spokes sit behind the one mGRE tunnel interface, so split horizon must be disabled there (no ip split-horizon for RIP, no ip split-horizon eigrp <as> for EIGRP) or the hub never relays one spoke's routes to the other spokes.
GRE MULTIPOINT (mGRE tunnel; the hub R17 and spokes R19-R21 below already carry the Phase 3 NHRP redirect/shortcut commands)
R17 (hub);
interface Tunnel0
ip vrf forwarding CORP
ip address 10.100.0.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp network-id 12345
ip nhrp redirect
tunnel source e0/0
tunnel mode gre multipoint
R19 (spoke);
interface Tunnel0
ip vrf forwarding CORP
ip address 10.100.0.19 255.255.255.0
ip nhrp map multicast 192.0.2.2
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp network-id 12345
ip nhrp shortcut
ip nhrp nhs 10.100.0.1
tunnel source Dialer1
tunnel mode gre multipoint
R20 (spoke);
interface Tunnel0
ip vrf forwarding CORP
ip address 10.100.0.20 255.255.255.0
ip nhrp map multicast 192.0.2.2
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp network-id 12345
ip nhrp nhs 10.100.0.1
ip nhrp shortcut
tunnel source Dialer1
tunnel mode gre multipoint
R21 (spoke);
interface Tunnel0
ip vrf forwarding CORP
ip address 10.100.0.21 255.255.255.0
ip nhrp map multicast 192.0.2.2
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp network-id 12345
ip nhrp nhs 10.100.0.1
ip nhrp shortcut
tunnel source Dialer1
tunnel mode gre multipoint
PHASE 1:
In Phase 1 all spoke-to-spoke traffic has to pass through the hub: the spokes use point-to-point GRE tunnels to the hub, only the hub runs mGRE.
HUB;
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
no ip split-horizon
! NHRP authentication string: must match on every router in the cloud; it travels in cleartext
! and only guards against mixing up clouds, it is not an access control
ip nhrp authentication 123
ip nhrp map multicast dynamic
! cache entries for registered spokes expire after 600 s (default 7200 s = 2 hours)
ip nhrp holdtime 600
ip nhrp network-id 1
tunnel source 1.1.1.1
tunnel mode gre multipoint
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
SPOKE_1;
interface Loopback0
ip address 10.0.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
! static NHRP map: hub tunnel address -> hub public (NBMA) address
ip nhrp map 192.168.1.1 1.1.1.1
! send all multicast (routing protocol hellos and updates) to the hub
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
! next-hop server: the hub's tunnel address
ip nhrp nhs 192.168.1.1
ip nhrp holdtime 600
! re-register the tunnel/NBMA mapping with the NHS every 100 seconds
ip nhrp registration timeout 100
tunnel source 1.1.1.2
! point-to-point GRE: the spoke can only reach the hub (Phase 1)
tunnel destination 1.1.1.1
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
router rip
version 2
network 10.0.1.0
network 192.168.1.0
no auto-summary
SPOKE_2;
interface Loopback0
ip address 10.0.2.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
ip nhrp map 192.168.1.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp holdtime 600
ip nhrp registration timeout 100
tunnel source 1.1.1.3
! point-to-point GRE: the spoke can only reach the hub (Phase 1)
tunnel destination 1.1.1.1
!
interface FastEthernet0/0
ip address 1.1.1.3 255.255.255.0
router rip
version 2
network 10.0.2.0
network 192.168.1.0
no auto-summary
That is it :) For EIGRP we first delete the RIP configuration (no router rip) and add the following.
EIGRP.
HUB;
interface Tunnel0
bandwidth 10000
no ip split-horizon eigrp 10
router eigrp 10
network 10.0.0.0
network 192.168.1.0
no auto-summary
SPOKE_1
interface Tunnel0
bandwidth 10000
router eigrp 10
network 10.0.1.0
network 192.168.1.0
no auto-summary
OSPF
HUB;
interface Tunnel0
ip ospf network point-to-multipoint
router ospf 10
network 10.0.0.1 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
SPOKE_1
interface Tunnel0
ip ospf network point-to-multipoint
router ospf 10
network 10.0.1.1 0.0.0.0 area 0
network 192.168.1.2 0.0.0.0 area 0
SPOKE_2
interface Tunnel0
ip ospf network point-to-multipoint
router ospf 10
network 10.0.2.1 0.0.0.0 area 0
network 192.168.1.3 0.0.0.0 area 0
PHASE 2:
Traffic between spokes no longer has to be forwarded by the hub.
So what is the difference between Phase 1 and Phase 2? The difference comes not from the DMVPN structure itself but from how the dynamic routing protocols running on top of it behave: in Phase 1 the routing design had to send all traffic through the hub, in Phase 2 it has to let every spoke reach the others directly. The spokes now also use mGRE (tunnel mode gre multipoint) instead of a fixed tunnel destination, so they can build tunnels to each other.
HUB;
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
! NHRP authentication string (cleartext), must match on all routers
ip nhrp authentication 123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon
tunnel source 1.1.1.1
tunnel mode gre multipoint
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
SPOKE_1;
interface Loopback0
ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
tunnel source 1.1.1.2
tunnel mode gre multipoint
! static NHRP map: hub tunnel address -> hub public (NBMA) address
ip nhrp map 192.168.1.1 1.1.1.1
! send multicast (routing protocol traffic) to the hub only
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
! next-hop server: the hub's tunnel address
ip nhrp nhs 192.168.1.1
! re-register with the NHS every 100 seconds
ip nhrp registration timeout 100
router rip
version 2
network 10.0.1.0
network 192.168.1.0
no auto-summary
SPOKE_2;
interface Loopback0
ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.3 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
tunnel mode gre multipoint
ip nhrp map 192.168.1.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp registration timeout 100
tunnel source 1.1.1.3
router rip
version 2
network 10.0.2.0
network 192.168.1.0
no auto-summary
EIGRP;
So it is worth looking at DMVPN Phase 2 per routing protocol. Let's start with EIGRP:
Recall that with ip nhrp map multicast 1.1.1.1 we made the spokes send all their multicast traffic to the hub. Since no multicast travels between spokes, they cannot become neighbors with each other. So how do we let two routers that have no EIGRP adjacency talk to each other directly?
The answer is to change EIGRP's behaviour a little. With no ip next-hop-self eigrp 10 under the hub's tunnel interface, the hub keeps the original next hop when it relays a routing update received from one spoke to another spoke. So when the update for 10.0.2.0/24 sent by 192.168.1.3 is forwarded by the hub (192.168.1.1) to 192.168.1.2, router 192.168.1.2 sees 10.0.2.0/24 behind 192.168.1.3, not behind the hub. Because 192.168.1.3 is not yet in its NHRP cache, the spoke sends an NHRP resolution request through the hub, learns that 192.168.1.3 maps to 1.1.1.3, and forwards the traffic over a direct spoke-to-spoke tunnel.
HUB;
interface Tunnel0
no ip split-horizon eigrp 10
no ip next-hop-self eigrp 10
bandwidth 1000
router eigrp 10
network 10.0.0.0
network 192.168.1.0
no auto-summary
SPOKE_1;
interface Tunnel0
bandwidth 1000
router eigrp 10
network 10.0.1.0
network 192.168.1.0
no auto-summary
OSPF
Now OSPF. As a link-state protocol, OSPF assumes every router knows the whole topology. In Phase 1 we ran OSPF with the point-to-multipoint network type so that it behaved like a real hub-and-spoke topology, and the spokes learned all routes as if they were behind the hub. In Phase 2 we return OSPF to its true nature, so to speak: with ip ospf network broadcast under the tunnel interface of every router, all routers learn all routes with the real next-hop addresses, as if they were on one broadcast segment.
There are some points to watch when running OSPF in Phase 2. First, a broadcast network elects a DR and a BDR, and because every adjacency is formed with the hub, the hub must be the DR. We ensure this with ip ospf priority 255 under the hub's tunnel interface, the highest priority value. On the spokes, ip ospf priority 0 guarantees that a spoke never becomes DR or BDR. If we have a backup hub we want it to be the BDR, which ip ospf priority 254 achieves. This also exposes a limitation of OSPF in DMVPN Phase 2 topologies: in very large deployments where three or more hubs are wanted for redundancy, OSPF cannot deliver a scalable design, because the third hub can be neither DR nor BDR. EIGRP is usually preferred instead.
HUB;
interface Tunnel0
ip ospf priority 255
ip ospf network broadcast
router ospf 10
router-id 0.0.0.11
network 10.0.0.1 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
SPOKE_1
interface Tunnel0
ip ospf priority 0
ip ospf network broadcast
router ospf 10
router-id 0.0.0.9
network 10.0.1.1 0.0.0.0 area 0
network 192.168.1.2 0.0.0.0 area 0
SPOKE_2
interface Tunnel0
ip ospf priority 0
ip ospf network broadcast
router ospf 10
router-id 0.0.0.10
network 10.0.2.1 0.0.0.0 area 0
network 192.168.1.3 0.0.0.0 area 0
PHASE 3:
ip nhrp redirect is configured only on the Phase 3 hub; the spokes get ip nhrp shortcut.
For EIGRP, Phase 2 needed both of these on the hub's tunnel interface:
no ip split-horizon eigrp 10
no ip next-hop-self eigrp 10
In Phase 3 only
no ip split-horizon eigrp 10
is written. The hub may keep itself as next hop, and may even advertise only a summary or default route to the spokes (as the prefix-list and distribute-list below do): when a spoke sends traffic destined for another spoke's network to the hub, the hub forwards it back out the same mGRE interface and sends an NHRP redirect to the source spoke; the spoke, with ip nhrp shortcut, resolves the real next hop and installs a shortcut route, so the following packets go spoke-to-spoke.
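As an added example (not part of the original post), the following Python script reads IOS tunnel-interface snippets in the form used on this page, decides from the NHRP and GRE commands which DMVPN phase each one belongs to, and checks a hub/spoke pair for the mismatches that most often stop a spoke from registering or forwarding. The sample configs are constructed from this page's hub and spoke tunnels; the function names and the assumption that tunnel source is given as an IP address (as on this page, not an interface name) are mine.

```python
"""Classify DMVPN tunnel configs by phase and check a hub/spoke pair for NHRP mismatches."""
import re

# Constructed samples, trimmed from the hub and spoke tunnels shown on this page.
HUB_P3 = """\
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication 123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
"""

SPOKE_P1 = """\
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication 123
 ip nhrp map 192.168.1.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel source 1.1.1.2
 tunnel destination 1.1.1.1
"""

# Phase 2: the spoke also runs mGRE; Phase 3: it additionally accepts NHRP redirects.
SPOKE_P2 = SPOKE_P1.replace(" tunnel destination 1.1.1.1\n", " tunnel mode gre multipoint\n")
SPOKE_P3 = SPOKE_P2 + " ip nhrp shortcut\n"

# Single-value settings we extract, and the presence-only commands we record as flags.
SCALARS = {"tunnel_ip": r"ip address (\S+)", "network_id": r"ip nhrp network-id (\S+)",
           "auth": r"ip nhrp authentication (\S+)", "nhs": r"ip nhrp nhs (\S+)",
           "source": r"tunnel source (\S+)", "destination": r"tunnel destination (\S+)"}
FLAG_LINES = ("ip nhrp redirect", "ip nhrp shortcut", "tunnel mode gre multipoint",
              "no ip next-hop-self eigrp", "ip ospf network broadcast")


def parse_tunnel(config):
    """Collect the NHRP/GRE settings under the first 'interface Tunnel' block."""
    t = {"maps": {}, "multicast": [], "flags": set()}
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if in_block:
                break                                   # next interface block: done
            in_block = line.startswith("interface Tunnel")
            continue
        if not in_block or not line or line.startswith("!"):
            continue
        if m := re.match(r"ip nhrp map multicast (\S+)", line):
            t["multicast"].append(m.group(1))           # 'dynamic' on the hub, hub NBMA on spokes
        elif m := re.match(r"ip nhrp map (\S+) (\S+)", line):
            t["maps"][m.group(1)] = m.group(2)          # tunnel address -> NBMA (public) address
        else:
            for key, pat in SCALARS.items():
                if m := re.match(pat, line):
                    t[key] = m.group(1)                 # tunnel source assumed to be an IP address
            for flag in FLAG_LINES:
                if line.startswith(flag):
                    t["flags"].add(flag)
    return t


def classify(t):
    """Return (role, phase). Spoke: fixed destination -> 1, mGRE -> 2, mGRE + shortcut -> 3.
    Hub: redirect -> 3; next hop preserved towards spokes -> 2; otherwise 1 (a Phase 1 and
    a Phase 2 hub have the same NHRP config, only the routing design differs)."""
    role = "spoke" if "nhs" in t else "hub"
    flags = t["flags"]
    if role == "spoke":
        if "tunnel mode gre multipoint" not in flags:
            return role, 1
        return role, 3 if "ip nhrp shortcut" in flags else 2
    if "ip nhrp redirect" in flags:
        return role, 3
    if flags & {"no ip next-hop-self eigrp", "ip ospf network broadcast"}:
        return role, 2
    return role, 1


def check_pair(hub, spoke):
    """Return the mismatches that would stop the spoke from registering or forwarding."""
    hub_nbma = hub.get("source")
    nhs = spoke.get("nhs")
    checks = [
        (hub.get("network_id") == spoke.get("network_id"), "network-id differs"),
        (hub.get("auth") == spoke.get("auth"), "nhrp authentication string differs"),
        (nhs == hub.get("tunnel_ip"), "spoke nhs is not the hub tunnel address"),
        (spoke["maps"].get(nhs) == hub_nbma, "spoke lacks a static map of the NHS to the hub NBMA address"),
        (hub_nbma in spoke["multicast"], "spoke does not map multicast to the hub: routing hellos never reach it"),
        ("dynamic" in hub["multicast"], "hub lacks 'ip nhrp map multicast dynamic'"),
        (spoke.get("destination", hub_nbma) == hub_nbma, "Phase 1 tunnel destination is not the hub NBMA address"),
        (("ip nhrp redirect" in hub["flags"]) == ("ip nhrp shortcut" in spoke["flags"]),
         "Phase 3 needs 'ip nhrp redirect' on the hub and 'ip nhrp shortcut' on the spoke"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Calling classify(parse_tunnel(SPOKE_P1)) gives ("spoke", 1), SPOKE_P2 gives ("spoke", 2), SPOKE_P3 gives ("spoke", 3) and HUB_P3 gives ("hub", 3); check_pair(parse_tunnel(HUB_P3), parse_tunnel(SPOKE_P3)) returns an empty list, while pairing the Phase 3 hub with SPOKE_P1 reports the missing ip nhrp shortcut.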
HUB;
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip split-horizon eigrp 10
ip mtu 1400
ip nhrp authentication 123 (Password)
ip nhrp map multicast dynamic
ip nhrp holdtime 600
ip nhrp network-id 1
tunnel source 1.1.1.1
tunnel mode gre multipoint
! when the hub forwards a packet back out the mGRE interface it arrived on, it sends an NHRP redirect to the source spoke
ip nhrp redirect
!
ip prefix-list ali permit 0.0.0.0/0
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
default-information originate
distribute-list prefix ali out tunnel 0
SPOKE_1;
interface Loopback0
ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
tunnel source 1.1.1.2
tunnel mode gre multipoint
! static NHRP map: hub tunnel address -> hub public (NBMA) address
ip nhrp map 192.168.1.1 1.1.1.1
! send multicast (routing protocol traffic) to the hub only
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
! next-hop server: the hub's tunnel address
ip nhrp nhs 192.168.1.1
ip nhrp holdtime 600
! re-register with the NHS every 100 seconds
ip nhrp registration timeout 100
! on receiving an NHRP redirect, resolve the real next hop and install a shortcut route
ip nhrp shortcut
router rip
version 2
network 10.0.1.0
network 192.168.1.0
no auto-summary
SPOKE_2;
interface Loopback0
ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.3 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
tunnel mode gre multipoint
ip nhrp map 192.168.1.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp holdtime 600
ip nhrp registration timeout 100
tunnel source 1.1.1.3
! on receiving an NHRP redirect, resolve the real next hop and install a shortcut route
ip nhrp shortcut
router rip
version 2
network 10.0.2.0
network 192.168.1.0
no auto-summary
EIGRP
HUB;
interface Tunnel0
no ip split-horizon eigrp 10
router eigrp 10
network 10.0.0.0
network 192.168.1.0
no auto-summary
SPOKE_1
router eigrp 10
network 10.0.1.0
network 192.168.1.0
no auto-summary
OSPF
HUB;
interface Tunnel0
ip ospf network point-to-multipoint
router ospf 10
router-id 0.0.0.11
network 10.0.0.1 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
interface Loopback0
! advertise the loopback's /24 rather than an OSPF /32 host route
ip ospf network point-to-point
SPOKE_1
interface Tunnel0
ip ospf network point-to-multipoint
router ospf 10
router-id 0.0.0.10
network 10.0.1.1 0.0.0.0 area 0
network 192.168.1.2 0.0.0.0 area 0
interface Loopback0
! advertise the loopback's /24 rather than an OSPF /32 host route
ip ospf network point-to-point
IPSEC DMVPN;
HUB;
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
! with the IPsec overhead, ip tcp adjust-mss 1360 is the usual companion of ip mtu 1400
no ip split-horizon eigrp 1
tunnel source 1.1.1.1
tunnel mode gre multipoint
ip nhrp network-id 1
! NHRP authentication string (cleartext), must match on all routers
ip nhrp authentication 123
ip nhrp map multicast dynamic
ip nhrp holdtime 600
ip nhrp redirect
!
router eigrp 1
network 10.0.0.0
network 192.168.1.0
no auto-summary
! 3DES, SHA-1 (hash sha) and DH group 2 are legacy settings; prefer aes 256, sha256 and group 14 or higher
crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
exit
! wildcard key: every peer that knows SIFRE can authenticate to every other peer;
! use per-peer keys or certificates (authentication rsa-sig) where the spoke addresses allow it
crypto isakmp key 0 SIFRE address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile ALIprofile
set transform-set ALI
interface Tunnel0
tunnel protection ipsec profile ALIprofile
! Phase 3: advertise only a default route to the spokes, NHRP redirects handle the shortcuts
ip summary-address eigrp 1 0.0.0.0 0.0.0.0
SPOKE_1;
interface Loopback0
ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
tunnel source 1.1.1.2
tunnel mode gre multipoint
! static NHRP map: hub tunnel address -> hub public (NBMA) address
ip nhrp map 192.168.1.1 1.1.1.1
! send multicast (routing protocol traffic) to the hub only
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
! next-hop server: the hub's tunnel address
ip nhrp nhs 192.168.1.1
ip nhrp holdtime 600
! re-register with the NHS every 100 seconds
ip nhrp registration timeout 100
! on receiving an NHRP redirect, resolve the real next hop and install a shortcut route
ip nhrp shortcut
router eigrp 1
network 10.0.1.0
network 192.168.1.0
no auto-summary
crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key 0 SIFRE address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile ALIprofile
set transform-set ALI
interface Tunnel0
tunnel protection ipsec profile ALIprofile
SPOKE_2;
interface Loopback0
ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.3 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
tunnel mode gre multipoint
ip nhrp map 192.168.1.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp holdtime 600
ip nhrp registration timeout 100
tunnel source 1.1.1.3
! on receiving an NHRP redirect, resolve the real next hop and install a shortcut route
ip nhrp shortcut
router eigrp 1
network 10.0.2.0
network 192.168.1.0
no auto-summary
crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key 0 SIFRE address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile ALIprofile
set transform-set ALI
interface Tunnel0
tunnel protection ipsec profile ALIprofile
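As an added example (not part of the original post), this Python script audits the IKEv1/IPsec settings used above the way a reviewer would: it flags 3DES, SHA-1/MD5, DH groups 1/2/5, a wildcard pre-shared key and a tunnel without tunnel protection. Both sample configurations are constructed: the first mirrors this page's settings, the second is a hardened variant (AES-256, SHA-256, group 14, per-peer key) that passes every check. Where spokes have dynamic addresses, as with the Dialer1 tunnel sources at the top of the page, a per-peer key is not possible and certificates (authentication rsa-sig) are the alternative to a wildcard key; the function name and finding texts are mine.

```python
"""Audit the IKEv1/IPsec settings of a DMVPN tunnel for legacy algorithms and wildcard keys."""
import re

# Constructed sample: the settings this page applies to the DMVPN tunnel.
PAGE_CRYPTO = """\
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0 SIFRE address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile ALIprofile
 set transform-set ALI
interface Tunnel0
 tunnel protection ipsec profile ALIprofile
"""

# Constructed sample: the same structure with settings that pass every check below.
HARDENED_CRYPTO = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 PerSpokeKey address 1.1.1.2 255.255.255.255
!
crypto ipsec transform-set ALI esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile ALIprofile
 set transform-set ALI
interface Tunnel0
 tunnel protection ipsec profile ALIprofile
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}          # 'hash sha' is SHA-1 in IOS
WEAK_DH_GROUPS = {"1", "2", "5"}    # 768/1024/1536-bit MODP
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def audit(config):
    """Return a list of findings; an empty list means no legacy setting was seen."""
    findings = []
    policy = None          # number of the 'crypto isakmp policy' block we are inside, if any
    protected = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            policy = m.group(1)
            continue
        if line.startswith(("crypto ", "interface ")):
            policy = None  # any other top-level command ends the policy block
        if policy is not None:
            if m := re.match(r"encryption (\S+)", line):
                if m.group(1) in WEAK_ENCRYPTION:
                    findings.append(f"isakmp policy {policy}: encryption {m.group(1)} is legacy, use aes 256")
            elif m := re.match(r"hash (\S+)", line):
                if m.group(1) in WEAK_HASH:
                    findings.append(f"isakmp policy {policy}: hash {m.group(1)} is SHA-1/MD5, use sha256 or better")
            elif m := re.match(r"group (\d+)", line):
                if m.group(1) in WEAK_DH_GROUPS:
                    findings.append(f"isakmp policy {policy}: DH group {m.group(1)} is too small, use group 14 or higher")
            continue
        if m := re.match(r"crypto isakmp key \S+ \S+ address (\S+) (\S+)", line):
            if m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
                findings.append("wildcard pre-shared key: any peer that knows the key can authenticate as any spoke")
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            weak = sorted(set(m.group(2).split()) & WEAK_TRANSFORMS)
            if weak:
                findings.append(f"transform-set {m.group(1)} uses legacy algorithms: {', '.join(weak)}")
        elif line.startswith("tunnel protection ipsec profile"):
            protected = True
    if not protected:
        findings.append("no 'tunnel protection ipsec profile' on the tunnel: GRE and NHRP travel in cleartext")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CRYPTO), ("hardened config", HARDENED_CRYPTO)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

audit(PAGE_CRYPTO) returns five findings (3DES, SHA-1, group 2, the wildcard key and the 3DES/SHA-1 transform set); audit(HARDENED_CRYPTO) returns an empty list. Removing the tunnel protection line from either sample adds the cleartext-GRE finding.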