思科GRE multi-point（ NHRP ）模拟器实验

小乔

实验环境：
操作系统：Mac OS X 10.11.5 Beta 1（当时最新测试版），模拟器：GNS3 IOU for Mac 1.4.5（当时最新版本）
注：当然，只要有思科模拟器都可以做这个实验

实验需求：
IOU2 是互联网，在 IOU1 / 3 / 4 之间实现内网互访。

实验步骤：
以下表格中是基础配置：

IOU1 :
conf t

int l 0
ip add 1.1.1.1 255.255.255.255

int e 0/0
ip add 12.1.1.1 255.255.255.0
no sh

ip route 0.0.0.0 0.0.0.0 12.1.1.2

IOU2 :
conf t

int e 0/0
ip add 12.1.1.2 255.255.255.0
no sh

int e 0/1
ip add 23.1.1.2 255.255.255.0
no sh

int e 0/2
ip add 24.1.1.2 255.255.255.0
no sh

IOU3 :
conf t

int l 0
ip add 3.3.3.3 255.255.255.255

int e 0/1
ip add 23.1.1.3 255.255.255.0
no sh

ip route 0.0.0.0 0.0.0.0 23.1.1.2

IOU4 :
conf t

int l 0
ip add 4.4.4.4 255.255.255.255

int e 0/2
ip add 24.1.1.4 255.255.255.0
no sh

ip route 0.0.0.0 0.0.0.0 24.1.1.2

使用 NHRP 配置多点接入的 GRE ：

IOU1 ：
int tun 123
ip add 123.1.1.1 255.255.255.0
tun so e 0/0
tun mode gre mu
ip nhrp network-id 123

IOU3 ：
int tun 123
ip add 123.1.1.3 255.255.255.0
tun so e 0/1
tun mode gre mu
ip nhrp network-id 123
ip nhrp nhs 123.1.1.1
ip nhrp map 123.1.1.1 12.1.1.1

IOU4 ：
int tun 123
ip add 123.1.1.4 255.255.255.0
tun so e 0/2
tun mode gre mu
ip nhrp network-id 123
ip nhrp nhs 123.1.1.1
ip nhrp map 123.1.1.1 12.1.1.1

现在可以 ping 通 Tunnel 口了：

IOU1#p 123.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/6 ms

IOU1#p 123.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms

IOU3#p 123.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/6 ms

IOU3#p 123.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
要想实现 IOU1 / 3 / 4 之间的内网互访，就需要在 IOU1 / 3 / 4 之间开启 IGP ，以 OSPF 和 EIGRP 为例：

1、在 IOU1 / 3 / 4 上通过 Tunnel 口开启 OSPF ：
如果运行的是 OSPF ，有三个点需要注意：

Tunnel 之间要配置成 OSPF broadcast 或 OSPF point-to-multipoint 链路；
IOU1 的 Tunnel 口要是 DR ；
如果出现 OSPF 抖动（邻居不断 up 和 down ），请 shutdown 掉全部的 Tunnel 口，然后按照 IOU1 → IOU3 → IOU4 的次序依次开启。
IOU1 ：
int tun 123
sh
ip nhrp map multicast dynamic
ip ospf network broadcast

router os 123
router-id 123.1.1.1

int r l 0 , tun 123
ip os 123 a 0

int tun 123
no sh

IOU3 ：
int tun 123
sh
ip nhrp map multicast 12.1.1.1
! 配置成 OSPF broadcast 链路
ip ospf network broadcast
! 优先级设置为零，不参与 OSPF DR 的选举
ip ospf priority 0

router os 123
router-id 123.3.3.3

int r l 0 , tun 123
ip os 123 a 0

int tun 123
no sh

IOU4 ：
int tun 123
sh
ip nhrp map multicast 12.1.1.1
! 配置成 OSPF broadcast 链路
ip ospf network broadcast
! 优先级设置为零，不参与 OSPF DR 的选举
ip ospf priority 0

router os 123
router-id 123.4.4.4

int r l 0 , tun 123
ip os 123 a 0

int tun 123
no sh

OSPF 测试：
IOU3#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2
        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
        ia - IS-IS inter area, * - candidate default, U - per-user static route
        o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
        a - application route
        + - replicated route, % - next hop override

Gateway of last resort is 23.1.1.2 to network 0.0.0.0

       1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/1001] via 123.1.1.1, 00:03:06, Tunnel123
       4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/1001] via 123.1.1.4, 00:01:22, Tunnel123

IOU3#p 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

IOU3#p 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/6 ms
OSPF 小细节：
如果您在 Tunnel 上配置的是 OSPF point-to-multipoint 链路，那么路由表会产生 32 位的主机路由。（感谢微博网友 “ 不爽来咬我咯 ” 的分享）

如果在 IOU1 / 3 / 4 上的 Tunnel 口配置成 OSPF broadcast 链路：

IOU1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2
        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
        ia - IS-IS inter area, * - candidate default, U - per-user static route
        o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
        a - application route
        + - replicated route, % - next hop override

Gateway of last resort is 12.1.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 12.1.1.2
       1.0.0.0/32 is subnetted, 1 subnets
C         1.1.1.1 is directly connected, Loopback0
       3.0.0.0/32 is subnetted, 1 subnets
O         3.3.3.3 [110/1001] via 123.1.1.3, 00:06:31, Tunnel123
       4.0.0.0/32 is subnetted, 1 subnets
O         4.4.4.4 [110/1001] via 123.1.1.4, 00:05:09, Tunnel123
       12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C         12.1.1.0/24 is directly connected, Ethernet0/0
L         12.1.1.1/32 is directly connected, Ethernet0/0
       123.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C         123.1.1.0/24 is directly connected, Tunnel123
L         123.1.1.1/32 is directly connected, Tunnel123
如果在 IOU1 / 3 / 4 上的 Tunnel 口配置成 OSPF point-to-multipoint 链路：

IOU1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2
        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
        ia - IS-IS inter area, * - candidate default, U - per-user static route
        o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
        a - application route
        + - replicated route, % - next hop override

Gateway of last resort is 12.1.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 12.1.1.2
       1.0.0.0/32 is subnetted, 1 subnets
C         1.1.1.1 is directly connected, Loopback0
       3.0.0.0/32 is subnetted, 1 subnets
O         3.3.3.3 [110/1001] via 123.1.1.3, 00:27:04, Tunnel123
       4.0.0.0/32 is subnetted, 1 subnets
O         4.4.4.4 [110/1001] via 123.1.1.4, 00:26:54, Tunnel123
       12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C         12.1.1.0/24 is directly connected, Ethernet0/0
L         12.1.1.1/32 is directly connected, Ethernet0/0
       123.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C         123.1.1.0/24 is directly connected, Tunnel123
L         123.1.1.1/32 is directly connected, Tunnel123
O         123.1.1.3/32 [110/1000] via 123.1.1.3, 00:27:04, Tunnel123
O         123.1.1.4/32 [110/1000] via 123.1.1.4, 00:26:54, Tunnel123
2、在 IOU1 / 3 / 4 上通过 Tunnel 口开启 EIGRP ：
如果运行的是 EIGRP ，有三个点需要注意：

需要在 IOU1 的 Tunnel 接口下关闭 EIGRP 的水平分割，否则 IOU3 接收不到 IOU4 的路由，IOU4 也接收不到 IOU3 的路由；
需要在 IOU1 的 Tunnel 接口下关闭 EIGRP 的 next-hop-self ，否则 IOU3 去往 IOU4 的流量都要经过 IOU1 ，IOU4 去往 IOU3 的流量也要经过 IOU1 ；
如果出现 EIGRP 抖动（邻居不断 up 和 down ），请 shutdown 掉全部的 Tunnel 口，然后按照 IOU1 → IOU3 → IOU4 的次序依次开启。
IOU1 ：
int tun 123
sh
ip nhrp map multicast dynamic

router eigrp 123
no au
net 1.1.1.1 0.0.0.0
net 123.1.1.1 0.0.0.0

int tun 123
no ip split-horizon eigrp 123
no ip next-hop-self eigrp 123
no sh

IOU3 ：
int tun 123
sh
ip nhrp map multicast 12.1.1.1

router eigrp 123
no au
net 3.3.3.3 0.0.0.0
net 123.1.1.3 0.0.0.0

int tun 123
no sh

IOU4 ：
int tun 123
sh
ip nhrp map multicast 12.1.1.1

router eigrp 123
no au
net 4.4.4.4 0.0.0.0
net 123.1.1.4 0.0.0.0

int tun 123
no sh

EIGRP 测试：
IOU3#sh ip ro ei
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 23.1.1.2 to network 0.0.0.0

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/27008000] via 123.1.1.1, 00:00:56, Tunnel123
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/28288000] via 123.1.1.4, 00:00:54, Tunnel123

IOU3#p 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/6 ms

IOU3#p 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/10 ms



【实验】IPSec Tunnel SVTI（ IPSec over GRE ）
来源: 思科GRE模拟器实验
来源: 思科GRE over IPSec模拟器实验

welinker448