一、实验目的
在多点GRE over IPsecVPN模式下对nhrp进行调优,在总部开启重定向、在分支开启shortcut
网络拓扑:
二、基础设置
(一)如图所示配置接口地址和区域,连接PC的接口位于trust区域、连接路由器的接口位于untrue区域、虚拟接口位于DMZ区域(此处省略......)
(二)安全策略配置
security-policy
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 500
action permit
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name IN_TO_DMZ
source-zone trust
destination-zone dmz
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
(三)将tunnel接口设置为gre p2mp模式(此处省略......)
(四)在tunnel接口下将ospf网络类型设置为broadcast模式,并设置FW1为根节点(此处省略......)
(五)配置IPsecVPN,其中Ike peer的对端为ALL模式,IPsec的策略使用profile方式设置(此处省略......)
(六)nhrp设置为多点自动解析和注册模式
总部: nhrp entry multicast dynamic
分支:nhrp entry 10.1.0.12 155.1.121.12 register
三、详细设置
在总部和分支分别修改nhrp的模式为shortcut方式
总部:
[FW1-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type broadcast
service-manage ping permit
nhrp redirect
nhrp entry multicast dynamic
ipsec profile DM_PRO
#
分支:
2024-07-09 03:17:18.580
#
interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type broadcast
ospf dr-priority 0
service-manage ping permit
nhrp shortcut
nhrp entry 10.1.0.12 155.1.121.12 register
ipsec profile DM_PRO
四、结果验证
(一)HNRP非shortcut模式下的情况:
1、初始状态
<FW2>dis ike sa
--------------------------------------------------------------------------------
----------------------------------------------------
5 155.1.121.12:500 RD|ST
|A v2:2 IP 155.1.121.12
4 155.1.121.12:500 RD|ST
|A v2:1 IP 155.1.121.12
Number of IKE SA : 2
--------------------------------------------------------------------------------
----------------------------------------------------
<FW2>dis nhrp peer all
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.0.12 32 155.1.121.12 10.1.0.12 hub up
--------------------------------------------------------------------------------
2、通过pc2 ping通 pc4后,增加了目标的虚拟口地址和公网地址的映射
<FW2>dis ike sa
--------------------------------------------------------------------------------
----------------------------------------------------
7 155.1.141.254:500 RD|A
v2:2 IP 155.1.141.254
6 155.1.141.254:500 RD|A
v2:1 IP 155.1.141.254
5 155.1.121.12:500 RD|ST
|A v2:2 IP 155.1.121.12
4 155.1.121.12:500 RD|ST
|A v2:1 IP 155.1.121.12
Number of IKE SA : 4
--------------------------------------------------------------------------------
----------------------------------------------------
<FW2>dis nhrp peer all
--------------------------------------------------------------------------------
--
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.0.12 32 155.1.121.12 10.1.0.12 hub up
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--
10.1.0.14 32 155.1.141.254 10.1.0.14 remote up
--------------------------------------------------------------------------------
(二)在配置nhrp shortcut后,多了目标的内网地址和公网地址的映射
[FW2-Tunnel0]dis nhrp peer all
--
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.0.12 32 155.1.121.12 10.1.0.12 hub up
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.14.10 32 155.1.141.254 10.1.0.14 remote-network up
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.0.14 32 155.1.141.254 10.1.0.14 remote up
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.13.10 32 155.1.131.254 10.1.0.13 local up
--------------------------------------------------------------------------------
路由表也进行了调整
[FW2]dis ip routing-table protocol ospf
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.12.0/24 OSPF 10 1563 D 10.1.0.12 Tunnel0
10.1.14.0/24 OSPF 10 1563 D 10.1.0.14 Tunnel0
