Security CCIE results report:
In the last month and a half eight candidates passed in a row, with no surprises (everyone who sat the exam passed). This shows that the exam version and the interview have become quite stable at Yeslab. Friends following Yeslab's security CCIE track are welcome to join us through Yeslab's New Year promotion after the holiday.
The Master's latest TCP2011 sales link:
Lab 1: Classic DMVPN lab
Part 1: Lab objective
Configure classic DMVPN
Part 2: Physical cabling
Figure 7-5: physical cabling of the classic DMVPN lab
Part 3: Lab topology
Figure 7-6: classic DMVPN lab topology (physical)
Figure 7-7: classic DMVPN lab topology (logical)
Topology overview: the goal of this lab is to build site-to-site IPsec VPNs between three sites using DMVPN. 202.100.1.0/24 simulates the Internet; the hub site's IP address is 202.100.1.100, spoke site 1's is 202.100.1.1 and spoke site 2's is 202.100.1.2. The 192.168.X.0/24 networks simulate each site's internal network, and 172.16.1.0/24 is the mGRE tunnel network. The dynamic routing protocol run over the mGRE network in this lab is EIGRP.
Part 4: Basic network configuration
Hub basic network configuration
enable
configure terminal
!
hostname Hub
!
interface Loopback0
ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet0/0
ip address 202.100.1.100 255.255.255.0
no shutdown
end
Spoke1 basic network configuration
enable
configure terminal
!
hostname Spoke1
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
end
Spoke2 basic network configuration
enable
configure terminal
!
hostname Spoke2
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
no shutdown
!
end
Part 5: mGRE and NHRP configuration
Hub mGRE and NHRP configuration
-----------------------------mGRE configuration-----------------------------------
Hub(config)#interface tunnel 0
Hub(config-if)#ip address 172.16.1.100 255.255.255.0
Hub(config-if)#tunnel mode gre multipoint
<Set the tunnel mode to multipoint GRE>
Hub(config-if)#tunnel source fastEthernet 0/0
Hub(config-if)#tunnel key 12345
<Set the tunnel key to 12345, used for simple key authentication>
-----------------------------NHRP configuration-----------------------------------
Hub(config-if)#ip nhrp network-id 10
<Enables NHRP; it is recommended that the network-id be the same on all sites.>
Hub(config-if)#ip nhrp authentication cisco
<Optional: enables NHRP authentication with the password cisco>
Hub(config-if)#ip nhrp map multicast dynamic
<Accept NHRP multicast mappings dynamically>
Spoke1 mGRE and NHRP configuration
-----------------------------mGRE configuration-----------------------------------
Spoke1(config)#interface tunnel 0
Spoke1(config-if)#ip address 172.16.1.1 255.255.255.0
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#tunnel source fastEthernet 0/0
Spoke1(config-if)#tunnel key 12345
-----------------------------NHRP configuration-----------------------------------
Spoke1(config-if)#ip nhrp network-id 10
Spoke1(config-if)#ip nhrp authentication cisco
Spoke1(config-if)#ip nhrp map 172.16.1.100 202.100.1.100
<Static NHRP mapping: maps the hub's tunnel (virtual) IP to the hub's public IP. Only with this mapping can a spoke reach the hub.>
Spoke1(config-if)#ip nhrp map multicast 202.100.1.100
<mGRE is an NBMA network. For a spoke to form a dynamic routing protocol adjacency with the hub, every spoke must map multicast to the hub's public IP; only then does the spoke's multicast reach the hub. Note also that there is no multicast mapping between spokes, so spokes form no routing protocol adjacency with each other.>
Spoke1(config-if)#ip nhrp nhs 172.16.1.100
<NHS is the NHRP server; this line sets the NHRP server address to the hub's tunnel interface virtual address 172.16.1.100.>
Spoke2 mGRE and NHRP configuration
-----------------------------mGRE configuration-----------------------------------
Spoke2(config)#interface tunnel 0
Spoke2(config-if)#ip address 172.16.1.2 255.255.255.0
Spoke2(config-if)#tunnel mode gre multipoint
Spoke2(config-if)#tunnel source fastEthernet 0/0
Spoke2(config-if)#tunnel key 12345
-----------------------------NHRP configuration-----------------------------------
Spoke2(config-if)#ip nhrp network-id 10
Spoke2(config-if)#ip nhrp authentication cisco
Spoke2(config-if)#ip nhrp map 172.16.1.100 202.100.1.100
Spoke2(config-if)#ip nhrp map multicast 202.100.1.100
Spoke2(config-if)#ip nhrp nhs 172.16.1.100
Part 6: Testing NHRP
NHRP registrations on the Hub
Hub#show ip nhrp
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:26:49, expire 01:33:10
Type: dynamic, Flags: unique registered
<Mapping learned dynamically through registration>
NBMA address: 202.100.1.1
<Maps Spoke1's virtual IP 172.16.1.1 to its public IP 202.100.1.1>
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:04:44, expire 01:55:15
Type: dynamic, Flags: unique registered
NBMA address: 202.100.1.2
<Maps Spoke2's virtual IP 172.16.1.2 to its public IP 202.100.1.2>
NHRP mappings on Spoke1
Spoke1#show ip nhrp
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:37:25, never expire
Type: static, Flags: used
<Static NHRP mapping>
NBMA address: 202.100.1.100
<Maps the Hub's virtual IP 172.16.1.100 to its public IP 202.100.1.100>
Spoke1 pings Spoke2
Spoke1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!.!!!
<Note: this pattern only appears with DMVPN. To deliver its zero-loss property, DMVPN has the hub forward the first few packets on the spoke's behalf before the NHRP resolution for the spoke has completed; in other words, the first packet reached the destination site via the hub. Once NHRP resolution completes, the spoke can build a tunnel directly to the destination site, but because site 1 does not yet have the ARP resolution for site 2, the second packet is lost; the remaining three packets are forwarded directly between the two spoke sites.>
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/68/136 ms
Spoke1#show ip nhrp
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:00:19, expire 01:59:42
Type: dynamic, Flags: router used
<The NHRP server has dynamically resolved Spoke2's virtual address to its public address>
NBMA address: 202.100.1.2
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:41:39, never expire
Type: static, Flags: used
NBMA address: 202.100.1.100
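The registration and resolution entries above can be checked mechanically rather than by eye. The following Python script is an added example and not part of the original lab: it parses `show ip nhrp` output (the lab's own Hub and Spoke1 listings are embedded as sample input, with the annotation lines removed) and applies two assumed health rules, that the hub holds a dynamic 'registered' entry for every spoke, and that a spoke holds a static entry for its NHS. The `resolved_peers` helper separates mappings learned through NHRP resolution (flag 'router', as on Spoke1 after the ping) from registrations.

```python
"""Parse `show ip nhrp` and check the state a DMVPN hub and spoke should show.

Added example, not part of the original lab. The sample outputs below are the
lab's own listings with annotation lines removed; the health rules (hub holds a
dynamic 'registered' entry per spoke, spoke holds a static entry for its NHS)
are this example's own assumptions about a healthy DMVPN cloud.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:26:49, expire 01:33:10"
ENTRY_RE = re.compile(
    r"^(?P<tunnel>\d+(?:\.\d+){3})/\d+ via \d+(?:\.\d+){3}, \S+ created \S+, "
    r"(?:never expire|expire \S+)$"
)
TYPE_RE = re.compile(r"^Type: (?P<kind>\w+), Flags: (?P<flags>.*)$")
NBMA_RE = re.compile(r"^NBMA address: (?P<nbma>\d+(?:\.\d+){3})$")


@dataclass
class NhrpEntry:
    tunnel_ip: str          # overlay (tunnel) address of the peer
    nbma: str | None        # underlay (public) address it maps to
    kind: str | None        # "static" or "dynamic"
    flags: frozenset[str]   # e.g. {"unique", "registered"} or {"router", "used"}


def parse_show_ip_nhrp(text: str) -> list[NhrpEntry]:
    """Group the per-entry lines of `show ip nhrp` into NhrpEntry records."""
    entries: list[NhrpEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            entries.append(NhrpEntry(m["tunnel"], None, None, frozenset()))
        elif entries and (m := TYPE_RE.match(line)):
            entries[-1].kind = m["kind"]
            entries[-1].flags = frozenset(m["flags"].split())
        elif entries and (m := NBMA_RE.match(line)):
            entries[-1].nbma = m["nbma"]
    return entries


def check_hub(entries: list[NhrpEntry], expected_spokes: dict[str, str]) -> list[str]:
    """expected_spokes maps each spoke's tunnel IP to its public (NBMA) IP.
    Returns a list of problems; empty means every spoke registered correctly."""
    by_tunnel = {e.tunnel_ip: e for e in entries}
    problems = []
    for tun, nbma in expected_spokes.items():
        e = by_tunnel.get(tun)
        if e is None:
            problems.append(f"{tun}: no entry, spoke has not registered with the NHS")
        elif e.kind != "dynamic" or "registered" not in e.flags:
            problems.append(f"{tun}: not a dynamic registration ({e.kind}, {sorted(e.flags)})")
        elif e.nbma != nbma:
            problems.append(f"{tun}: registered from NBMA {e.nbma}, expected {nbma}")
    return problems


def check_spoke(entries: list[NhrpEntry], nhs_tunnel_ip: str, nhs_nbma: str) -> list[str]:
    """A spoke must carry the static `ip nhrp map` for its NHS."""
    e = next((x for x in entries if x.tunnel_ip == nhs_tunnel_ip), None)
    if e is None:
        return [f"no mapping for NHS {nhs_tunnel_ip} (ip nhrp map missing?)"]
    problems = []
    if e.kind != "static":
        problems.append(f"NHS mapping is {e.kind}, expected static")
    if e.nbma != nhs_nbma:
        problems.append(f"NHS maps to {e.nbma}, expected {nhs_nbma}")
    return problems


def resolved_peers(entries: list[NhrpEntry]) -> list[str]:
    """Mappings learned by NHRP resolution (flag 'router'), i.e. the other
    spokes this router can now reach directly, as opposed to registrations."""
    return [e.tunnel_ip for e in entries if e.kind == "dynamic" and "router" in e.flags]


# Sample input copied from the lab's Hub and Spoke1 `show ip nhrp` output.
HUB_OUTPUT = """\
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:26:49, expire 01:33:10
   Type: dynamic, Flags: unique registered
   NBMA address: 202.100.1.1
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:04:44, expire 01:55:15
   Type: dynamic, Flags: unique registered
   NBMA address: 202.100.1.2
"""
SPOKE1_AFTER_PING = """\
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:00:19, expire 01:59:42
   Type: dynamic, Flags: router used
   NBMA address: 202.100.1.2
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:41:39, never expire
   Type: static, Flags: used
   NBMA address: 202.100.1.100
"""
SPOKES = {"172.16.1.1": "202.100.1.1", "172.16.1.2": "202.100.1.2"}

if __name__ == "__main__":
    hub = parse_show_ip_nhrp(HUB_OUTPUT)
    print("hub problems:", check_hub(hub, SPOKES) or "none")
    spoke = parse_show_ip_nhrp(SPOKE1_AFTER_PING)
    print("spoke1 problems:", check_spoke(spoke, "172.16.1.100", "202.100.1.100") or "none")
    print("spoke1 resolved peers:", resolved_peers(spoke))
```

Feeding it the hub's output before a spoke has registered returns one problem per missing spoke, which is the first thing to check when spoke traffic is not flowing; a spoke whose NHS entry is absent or not static has lost its `ip nhrp map` line.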
Part 7: Dynamic routing protocol (EIGRP) configuration
Hub EIGRP configuration
Hub(config)#router eigrp 100
Hub(config-router)#no auto-summary
Hub(config-router)#network 172.16.1.0 0.0.0.255
Hub(config-router)#network 192.168.100.0 0.0.0.255
Spoke1 EIGRP configuration
Spoke1(config)#router eigrp 100
Spoke1(config-router)#no auto-summary
Spoke1(config-router)#network 172.16.1.0 0.0.0.255
Spoke1(config-router)#network 192.168.1.0 0.0.0.255
Spoke2 EIGRP configuration
Spoke2(config)#router eigrp 100
Spoke2(config-router)#no auto-summary
Spoke2(config-router)#network 172.16.1.0 0.0.0.255
Spoke2(config-router)#network 192.168.2.0 0.0.0.255
Part 8: Testing and tuning EIGRP
Check the EIGRP neighbors on the Hub
Hub#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.1.2 Tu0 13 00:01:11 235 5000 0 8
0 172.16.1.1 Tu0 10 00:02:38 234 5000 0 3
<The hub has an adjacency with every spoke>
Check the routes the Hub learned through EIGRP
Hub#show ip route eigrp
D 192.168.1.0/24 [90/297372416] via 172.16.1.1, 00:03:20, Tunnel0
D 192.168.2.0/24 [90/297372416] via 172.16.1.2, 00:00:54, Tunnel0
<Through the dynamic routing protocol the hub learns the routes to every spoke's internal network>
Check the EIGRP neighbors on Spoke1
Spoke1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.1.100 Tu0 11 00:04:44 352 5000 0 16
<A spoke forms a routing protocol adjacency only with the hub; there is no adjacency between spokes>
Check the routes Spoke1 learned through EIGRP
Spoke1#show ip route eigrp
D 192.168.100.0/24 [90/297372416] via 172.16.1.100, 00:06:22, Tunnel0
<Because of the routing protocol's split-horizon rule, a spoke can only learn the route to the hub's internal network>
By default a spoke learns only the route to the hub's internal network through the dynamic routing protocol. To fix this, disable split horizon on the hub's tunnel interface.
Hub(config)#interface tunnel 0
Hub(config-if)#no ip split-horizon eigrp 100
After split horizon is disabled on the hub, check the routes Spoke1 learned through EIGRP
Spoke1#show ip route eigrp
D 192.168.2.0/24 [90/310172416] via 172.16.1.100, 00:02:51, Tunnel0
<Spoke1 now learns the route to Spoke2's internal network 192.168.2.0/24, but the next hop of that route is the hub. To get DMVPN's direct spoke-to-spoke tunnels we clearly want the next hop for 192.168.2.0/24 to be 172.16.1.2 (Spoke2's tunnel virtual IP address).>
D 192.168.100.0/24 [90/297372416] via 172.16.1.100, 00:02:51, Tunnel0
Optimize routing on the Hub
Hub(config)#interface tunnel 0
Hub(config-if)#no ip next-hop-self eigrp 100
After the routing optimization on the Hub, check the routes Spoke1 learned through EIGRP
Spoke1#show ip route eigrp
D 192.168.2.0/24 [90/310172416] via 172.16.1.2, 00:00:52, Tunnel0
D 192.168.100.0/24 [90/297372416] via 172.16.1.100, 00:00:58, Tunnel0
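The three Spoke1 routing tables above (default hub, split horizon off, next-hop-self off) differ only in which prefixes appear and what their next hop is, so the diagnosis can be automated. The following Python script is an added example and not the lab's own code: it parses `show ip route eigrp` and, for each remote prefix, compares the next hop against an assumed mapping from prefix to the tunnel address of the router that owns it, reporting whether the route is missing (split horizon still on at the hub) or points at the hub instead of the owning spoke (next-hop-self still on). The three sample outputs are copied from the lab.

```python
"""Diagnose a DMVPN spoke's EIGRP routes from `show ip route eigrp`.

Added example, not the lab's own code. The sample outputs are the lab's Spoke1
listings at its three stages. REMOTE_SITES (which tunnel address should be the
next hop for each remote prefix) is this example's assumption.
"""
from __future__ import annotations

import re

# "D    192.168.2.0/24 [90/310172416] via 172.16.1.100, 00:02:51, Tunnel0"
ROUTE_RE = re.compile(
    r"^D\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+\[\d+/\d+\]\s+via\s+"
    r"(?P<nh>\d+(?:\.\d+){3}),\s+\S+,\s+(?P<intf>\S+)$"
)

# Verdict -> hub tunnel-interface command that removes the defect (lab's AS 100).
HUB_FIX = {
    "missing": "no ip split-horizon eigrp 100",   # hub is not re-advertising
    "via-hub": "no ip next-hop-self eigrp 100",   # hub advertises itself as next hop
}


def parse_show_ip_route_eigrp(text: str) -> dict[str, str]:
    """Return prefix -> next hop for the internal EIGRP ('D') routes."""
    routes: dict[str, str] = {}
    for raw in text.splitlines():
        if m := ROUTE_RE.match(raw.strip()):
            routes[m["prefix"]] = m["nh"]
    return routes


def diagnose_spoke_routes(routes: dict[str, str], hub_tunnel_ip: str,
                          remote_sites: dict[str, str]) -> dict[str, str]:
    """remote_sites maps each remote prefix to the tunnel IP of its owner.
    Verdicts: 'ok', 'missing', 'via-hub' or 'unexpected:<next hop>'."""
    verdicts = {}
    for prefix, owner in remote_sites.items():
        nh = routes.get(prefix)
        if nh is None:
            verdicts[prefix] = "missing"          # split horizon still on at hub
        elif nh == owner:
            verdicts[prefix] = "ok"               # direct spoke-to-spoke next hop
        elif nh == hub_tunnel_ip:
            verdicts[prefix] = "via-hub"          # traffic would hairpin via hub
        else:
            verdicts[prefix] = f"unexpected:{nh}"
    return verdicts


def hub_fixes(verdicts: dict[str, str]) -> list[str]:
    """Hub commands still needed, in the order the lab applies them."""
    return [cmd for verdict, cmd in HUB_FIX.items() if verdict in verdicts.values()]


# Sample input copied from the lab's three Spoke1 `show ip route eigrp` listings.
STAGE_DEFAULT = """\
D    192.168.100.0/24 [90/297372416] via 172.16.1.100, 00:06:22, Tunnel0
"""
STAGE_NO_SPLIT_HORIZON = """\
D    192.168.2.0/24 [90/310172416] via 172.16.1.100, 00:02:51, Tunnel0
D    192.168.100.0/24 [90/297372416] via 172.16.1.100, 00:02:51, Tunnel0
"""
STAGE_NO_NEXT_HOP_SELF = """\
D    192.168.2.0/24 [90/310172416] via 172.16.1.2, 00:00:52, Tunnel0
D    192.168.100.0/24 [90/297372416] via 172.16.1.100, 00:00:58, Tunnel0
"""
HUB_TUNNEL_IP = "172.16.1.100"
# Assumed ownership: hub LAN behind the hub, Spoke2 LAN behind Spoke2.
REMOTE_SITES = {"192.168.100.0/24": "172.16.1.100", "192.168.2.0/24": "172.16.1.2"}

if __name__ == "__main__":
    for name, text in [("default", STAGE_DEFAULT),
                       ("no split-horizon", STAGE_NO_SPLIT_HORIZON),
                       ("no next-hop-self", STAGE_NO_NEXT_HOP_SELF)]:
        v = diagnose_spoke_routes(parse_show_ip_route_eigrp(text), HUB_TUNNEL_IP, REMOTE_SITES)
        print(name, v, "fixes:", hub_fixes(v) or "none")
```

The verdict for the second stage is the one worth watching in production: a `via-hub` route still works, so a plain ping test passes, but every spoke-to-spoke flow hairpins through the hub and the direct IPsec SAs of Part 10 are never built.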
Part 9: Configuring IPsec VPN
Hub IPsec VPN configuration
Hub(config)#crypto isakmp policy 10
Hub(config-isakmp)#authentication pre-share
Hub(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
Hub(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
Hub(cfg-crypto-trans)#mode transport
Hub(config)#crypto ipsec profile dmvpn-profile
Hub(ipsec-profile)#set transform-set cisco
Hub(config)#interface tunnel 0
Hub(config-if)#ip mtu 1400
<Lower the MTU to prevent IPsec fragmentation>
Hub(config-if)#tunnel protection ipsec profile dmvpn-profile
Spoke1 IPsec VPN configuration
Spoke1(config)#crypto isakmp policy 10
Spoke1(config-isakmp)#authentication pre-share
Spoke1(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
<Because spokes build tunnels directly with each other, the pre-shared key's peer address must be all zeros (0.0.0.0 0.0.0.0)>
Spoke1(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
Spoke1(cfg-crypto-trans)#mode transport
Spoke1(config)#cry ipsec profile dmvpn-profile
Spoke1(ipsec-profile)#set transform-set cisco
Spoke1(config)#interface tunnel 0
Spoke1(config-if)#ip mtu 1400
Spoke1(config-if)#tunnel protection ipsec profile dmvpn-profile
Spoke2 IPsec VPN configuration
Spoke2(config)#crypto isakmp policy 10
Spoke2(config-isakmp)#authentication pre-share
Spoke2(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
Spoke2(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
Spoke2(cfg-crypto-trans)#mode transport
Spoke2(config)#crypto ipsec profile dmvpn-profile
Spoke2(ipsec-profile)#set transform-set cisco
Spoke2(config)#interface tunnel 0
Spoke2(config-if)#ip mtu 1400
Spoke2(config-if)#tunnel protection ipsec profile dmvpn-profile
Part 10: Checking DMVPN state
Check the IPsec SA state on the Hub
Hub#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 202.100.1.100
protected vrf: (none)
local ident (addr/mask/prot/port): (202.100.1.100/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
<IPsec SA between the hub and spoke site 1>
current_peer 202.100.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 75, #pkts encrypt: 75, #pkts digest: 75
#pkts decaps: 73, #pkts decrypt: 73, #pkts verify: 73
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.100, remote crypto endpt.: 202.100.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x2F2FC538(791659832)
inbound esp sas:
spi: 0x1773EA57(393472599)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4487683/3302)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2F2FC538(791659832)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4487682/3302)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (202.100.1.100/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.100.1.2/255.255.255.255/47/0)
<IPsec SA between the hub and spoke site 2>
current_peer 202.100.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 45, #pkts encrypt: 45, #pkts digest: 45
#pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.100, remote crypto endpt.: 202.100.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x90A8655(151684693)
inbound esp sas:
spi: 0x3358DF64(861462372)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4394349/3416)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x90A8655(151684693)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4394349/3416)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Looking at the hub's IPsec SAs shows that the tunnels between the hub and the spokes are permanent: as long as a spoke is online, its tunnel to the hub exists.
Check the IPsec SA state on Spoke1
Spoke1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 202.100.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.100.1.100/255.255.255.255/47/0)
<Normally a spoke has only the permanent tunnel to the hub>
current_peer 202.100.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 130, #pkts encrypt: 130, #pkts digest: 130
#pkts decaps: 133, #pkts decrypt: 133, #pkts verify: 133
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.1.100
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x1773EA57(393472599)
inbound esp sas:
spi: 0x2F2FC538(791659832)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4457524/3036)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1773EA57(393472599)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4457524/3035)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Trigger spoke-to-spoke traffic
Spoke1#ping 192.168.2.1 so 192.168.1.1 re 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 60/277/728 ms
Check the IPsec SA state on Spoke1
Spoke1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 202.100.1.1
protected vrf: (none)
----------------------------IPsec SA between the spoke and the hub omitted--------------------
local ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.100.1.2/255.255.255.255/47/0)
<IPsec SA between the spokes, built on demand>
current_peer 202.100.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 94, #pkts encrypt: 94, #pkts digest: 94
#pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
<The encrypted and decrypted packet counts are not 100, which again shows DMVPN's zero-loss property: the first few packets were forwarded by the hub>
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 202.100.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xBA39297E(3124308350)
inbound esp sas:
spi: 0x89539D91(2303958417)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4377898/3538)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBA39297E(3124308350)
transform: esp-des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4377899/3538)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
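The SA listings in this part are long and repetitive, so the following Python script, an added example rather than the lab's own code, reduces `show crypto ipsec sa` to one record per peer: peer address, transform set, encap/decap counters and whether the SA is active. The sample input is the lab's own Spoke1 output after the spoke-to-spoke ping, trimmed to the lines the parser reads. Two checks are built on it: `spoke_to_spoke_peers` lists the on-demand SAs that are not towards the hub, and `weak_algorithms` flags transform-set members that current guidance no longer considers adequate (the lab's `esp-des esp-md5-hmac` trips both entries; `esp-aes` with `esp-sha-hmac` or stronger would not). The weak-algorithm table is this example's own policy, not a statement from the lab.

```python
"""Summarise `show crypto ipsec sa` on a DMVPN router and review its SAs.

Added example, not the lab's own code. SPOKE1_AFTER_PING is the lab's Spoke1
output after the spoke-to-spoke ping, trimmed to the lines this parser reads.
The weak-algorithm table is this example's own policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Transform-set members a reviewer should flag today (policy assumed here).
WEAK_ALGORITHMS = {
    "esp-des": "single DES, 56-bit key",
    "esp-3des": "3DES, 64-bit block size",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "esp-null": "no encryption",
}

REMOTE_RE = re.compile(r"^remote ident \(addr/mask/prot/port\): \((?P<addr>\d+(?:\.\d+){3})/")
ENCAPS_RE = re.compile(r"^#pkts encaps: (?P<n>\d+),")
DECAPS_RE = re.compile(r"^#pkts decaps: (?P<n>\d+),")
TRANSFORM_RE = re.compile(r"^transform: (?P<t>.+?)\s*,$")
STATUS_RE = re.compile(r"^Status: (?P<s>\w+)$")


@dataclass
class IpsecSa:
    peer: str                        # remote crypto endpoint (public IP)
    transform: tuple[str, ...] = ()  # e.g. ("esp-des", "esp-md5-hmac")
    encaps: int = 0                  # packets encrypted towards the peer
    decaps: int = 0                  # packets decrypted from the peer
    active: bool = False


def parse_show_crypto_ipsec_sa(text: str) -> list[IpsecSa]:
    """One record per 'remote ident' block (inbound and outbound SAs merged)."""
    sas: list[IpsecSa] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := REMOTE_RE.match(line):
            sas.append(IpsecSa(peer=m["addr"]))
        elif not sas:
            continue                 # header lines before the first SA
        elif m := ENCAPS_RE.match(line):
            sas[-1].encaps = int(m["n"])
        elif m := DECAPS_RE.match(line):
            sas[-1].decaps = int(m["n"])
        elif m := TRANSFORM_RE.match(line):
            sas[-1].transform = tuple(m["t"].split())
        elif m := STATUS_RE.match(line):
            sas[-1].active = sas[-1].active or m["s"] == "ACTIVE"
    return sas


def weak_algorithms(sa: IpsecSa) -> list[str]:
    """Members of this SA's transform set that appear in WEAK_ALGORITHMS."""
    return [t for t in sa.transform if t in WEAK_ALGORITHMS]


def spoke_to_spoke_peers(sas: list[IpsecSa], hub_nbma: str) -> list[str]:
    """Active SAs towards anyone but the hub: the on-demand spoke tunnels."""
    return [sa.peer for sa in sas if sa.active and sa.peer != hub_nbma]


def forwarded_via_hub(sa: IpsecSa, packets_sent: int) -> int:
    """Packets of a flow the direct SA never encrypted, i.e. the ones the hub
    relayed while the spoke-to-spoke tunnel was still coming up."""
    return packets_sent - sa.encaps


# Sample input: the lab's Spoke1 output after the ping, trimmed to parsed lines.
SPOKE1_AFTER_PING = """\
interface: Tunnel0
   protected vrf: (none)
   remote ident (addr/mask/prot/port): (202.100.1.100/255.255.255.255/47/0)
   current_peer 202.100.1.100 port 500
    #pkts encaps: 130, #pkts encrypt: 130, #pkts digest: 130
    #pkts decaps: 133, #pkts decrypt: 133, #pkts verify: 133
     inbound esp sas:
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE
     outbound esp sas:
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE
   protected vrf: (none)
   remote ident (addr/mask/prot/port): (202.100.1.2/255.255.255.255/47/0)
   current_peer 202.100.1.2 port 500
    #pkts encaps: 94, #pkts encrypt: 94, #pkts digest: 94
    #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
     inbound esp sas:
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE
     outbound esp sas:
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE
"""

if __name__ == "__main__":
    for sa in parse_show_crypto_ipsec_sa(SPOKE1_AFTER_PING):
        print(sa.peer, sa.transform, "active" if sa.active else "down",
              "weak:", weak_algorithms(sa) or "none")
```

On the lab output `forwarded_via_hub` gives 6 for the 100-packet ping, which is the hub-relayed prefix the note above describes. Running the same script against the hub's output returns no spoke-to-spoke peers, as expected, since the hub only ever holds the permanent hub-to-spoke SAs.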
Part 11: The cure-all for DMVPN
While configuring DMVPN it is quite common for the configuration to be entirely correct yet the test results to be wrong. In that case the following cure-all can be used. Note that unexpected problems are fairly common with DMVPN, but they can usually be fixed with the steps below, provided the configuration itself is correct.
Cure-all step 1: shut down the tunnel interface on every site
Hub(config)#interface tunnel 0
Hub(config-if)#shutdown
Spoke1(config)#interface tunnel 0
Spoke1(config-if)#shutdown
Spoke2(config)#interface tunnel 0
Spoke2(config-if)#shutdown
Cure-all step 2: bring the tunnel interfaces back up, starting with the hub
Hub(config)#interface tunnel 0
Hub(config-if)#no shutdown
Spoke1(config)#interface tunnel 0
Spoke1(config-if)#no shutdown
Spoke2(config)#interface tunnel 0
Spoke2(config-if)#no shutdown
If the configuration is confirmed correct, DMVPN should now be working.