DMVPN的實驗模擬與分析

此篇博客正在介紹的是下圖中的DMVPN：

 

為什么會出現DMVPN這個技術呢？

在這篇博客中https://www.cnblogs.com/huwentao/p/9355240.html介紹過Dynamic P2P GRE OVER VPN的技術，DMVPN的出現就是為了解決Dynamic P2P GRE OVER VPN技術的缺陷的。對於一個公司而言，總部的VPN路由器是相當重要的，因此一旦總部的路由器配置完成之后，無論公司是如何發展的，我們都要盡量的避免總部路由器的變更，但是Dynamic P2P GRE OVER VPN技術卻有以下缺陷，如下圖中的配置，在我們設置隧道目的地址的時候，需要在分部路由器上面設置一個環回接口，這也就代表着當分部路由器增加一台，我們就要再設置一個GRE tunnel去匹配。因此DMVPN出現了。接下來看一下DMVPN是怎么配置的吧。

 

 

拓撲結構圖如下：

拓撲圖描述：用IOU3模擬公網INTERNET，並且作為一台DHCP服務器給IOU5和IOU4分配動態的地址，現在要實現的是通過DMVPN技術實現總部和分部的路由交換和互通。總部的路由器一般被成為hub端，分部的被稱為spoke端。

 

步驟一：基礎網絡配置：

IOU1的配置：

IOU1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
IOU1(config-if)#ip add 10.1.1.1 255.255.255.0  配置地址
IOU1(config-if)#no shutdown 
IOU1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2  設置默認路由指向10.1.1.2接口

IOU2的配置：

IOU2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
IOU2(config)#inter e0/0 
IOU2(config-if)#ip add 10.1.1.2 255.255.255.0 
IOU2(config-if)#no shutdown 
IOU2(config-if)#inter e0/1
IOU2(config-if)#ip add 23.1.1.1 255.255.255.0 
IOU2(config-if)#no shutdown 
IOU2(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2 

IOU3的配置：

IOU3#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
IOU3(config)#inter e0/1 
IOU3(config-if)#ip add 25.1.1.2 255.255.255.0 
IOU3(config-if)#no shutdown 
IOU3(config-if)#inter e0/2 
IOU3(config-if)#ip add 24.1.1.1 255.255.255.0 
IOU3(config-if)#no shutdown 
IOU3(config-if)#inter e0/0 
IOU3(config-if)#ip add 23.1.1.2 255.255.255.0 
IOU3(config-if)#no shutdown 
IOU3(config-if)#exit
IOU3(config)#ip dhcp pool 24DHCP    設置動態的地址池，名字為24DHCP
IOU3(dhcp-config)#network 24.1.1.0 255.255.255.0   地址池的地址范圍
IOU3(dhcp-config)#default-router 24.1.1.1      設置分發地址的默認網關地址
IOU3(dhcp-config)#exit
IOU3(config)#ip dhcp pool 25DHCP
IOU3(dhcp-config)#network 25.1.1.0 255.255.255.0
IOU3(dhcp-config)#default-router 25.1.1.2
IOU3(dhcp-config)#exit
IOU3(config)#ip dhcp excluded-address 24.1.1.1     　　除去默認網關的地址，其余地址可以分配
IOU3(config)#ip dhcp excluded-address 25.1.1.2

IOU4的配置：

IOU4#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
IOU4(config-if)#ip address dhcp    設置接口地址通過dhcp服務器獲取
IOU4(config-if)#no shutdown 
IOU4(config-if)#
*Jul 24 00:55:56.952: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 25.1.1.3, mask 255.255.255.0, hostname IOU4
IOU4(config-if)#inte lo0 
IOU4(config-if)#ip add 192.168.2.1 255.255.255.0 
IOU4(config-if)#no shutdown 

IOU5的配置：　　

IOU5#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
IOU5(config-if)#inter e0/0 
IOU5(config-if)#ip address dhcp 
IOU5(config-if)#no shutdown 
*Jul 24 00:58:56.869: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 24.1.1.3, mask 255.255.255.0, hostname IOU5
IOU5(config-if)#inter lo0 
IOU5(config-if)#ip add 192.168.1.1 255.255.255.0 
IOU5(config-if)#no shutdown 
IOU5(config-if)#exit

 

測試網絡：

IOU2 ping 24.1.1.3  和 ping  25.1.1.3 是可以ping通的，但是ping 192.168.1.1 和ping 192.168.2.1 是不通的

IOU2#ping 24.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
IOU2#ping 25.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
IOU2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
IOU2#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
IOU2#

 

 

步驟二：IPSEC配置

對於IOU2, IOU4, IOU5而言，它的IIPSEC的配置都是一樣的。

IOU2的配置：

IOU2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
IOU2(config)#crypto isakmp policy 10   配置ike策略
IOU2(config-isakmp)#encryption 3des   加密算法
IOU2(config-isakmp)#group 1   密鑰交換算法
IOU2(config-isakmp)#hAsh md5     hash算法
IOU2(config-isakmp)#authentication pre-share    設置認證方法為預共享密鑰 
IOU2(config-isakmp)#exit
IOU2(config)#crypto isakmp key 0 huwentao address 0.0.0.0    設置密鑰，因為是動態的，所以address地址為  0.0.0.0 
IOU2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac 
IOU2(cfg-crypto-trans)#exit
IOU2(config)#crypto ipsec profile IPSEC_PROFILE        設置ipsec profile對隧道進行加密
IOU2(ipsec-profile)#set transform-set IPSEC
IOU2(ipsec-profile)#EXIT

IOU4的配置（和IOU2配置是一樣的）：

IOU2(config)#crypto isakmp policy 10 
IOU2(config-isakmp)#encryption 3des 
IOU2(config-isakmp)#group 1
IOU2(config-isakmp)#hAsh md5 
IOU2(config-isakmp)#authentication pre-share 
IOU2(config-isakmp)#exit
IOU2(config)#crypto isakmp key 0 huwentao address 0.0.0.0
IOU2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac 
IOU2(cfg-crypto-trans)#exit
IOU2(config)#crypto ipsec profile IPSEC_PROFILE
IOU2(ipsec-profile)#set transform-set IPSEC
IOU2(ipsec-profile)#EXIT　　

IOU5的配置（和IOU2的配置是一樣的）：

IOU2(config)#crypto isakmp policy 10 
IOU2(config-isakmp)#encryption 3des 
IOU2(config-isakmp)#group 1
IOU2(config-isakmp)#hAsh md5 
IOU2(config-isakmp)#authentication pre-share 
IOU2(config-isakmp)#exit
IOU2(config)#crypto isakmp key 0 huwentao address 0.0.0.0 
IOU2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac 
IOU2(cfg-crypto-trans)#exit
IOU2(config)#crypto ipsec profile IPSEC_PROFILE
IOU2(ipsec-profile)#set transform-set IPSEC
IOU2(ipsec-profile)#EXIT

　　

 

步驟三：GRE隧道配置 

隧道的設置一定要注意的是幾個地址的配置

IOU2的配置(隧道地址為1.1.1.1)：

IOU2(config)#inter tunnel 1 
*Jul 24 02:08:30.478: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed 
IOU2(config-if)#ip address 1.1.1.1 255.255.255.0       設置隧道地址為1.1.1.1
IOU2(config-if)#tunnel source e0/1        　　  設置隧道源地址為它的出接口e0/1，因為是MGRE，所以是不用設置隧道的目的地址的
IOU2(config-if)#tunnel mode gre multipoint      設置隧道的模式為MGRE
IOU2(config-if)#tunnel protection ipsec profile IPSEC_PROFILE     在隧道上應用IPSEC profile對隧道進行加密
IOU2(config-if)#
*Jul 24 02:10:39.273: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
IOU2(config-if)#bandwidth 1000          設置接口的帶寬，從而影響路由協議的距離的計算（不更改其實也是可以的），所有節點都要一致
IOU2(config-if)#ip  mtu 1400          更改mtu的值為1400，如果不更改，下一跳路由器會對數據包進行分片和重新封裝，所有節點都要一致
IOU2(config-if)#ip nhrp authentication huwentao    設置nhrp的認證密碼，所有節點的密碼都要一致
IOU2(config-if)#ip nhrp network-id  1     設置nhrp的網絡id，相當於啟用了nhrp，所有節點要一致
IOU2(config-if)#ip nhrp map multicast dynamic 自動的將spoke的地址值加入到hub中   
IOU2(config-if)#no ip  split-horizon eigrp 1　關掉水平分割，使得兩個分部的路由可以交換

IOU4的配置：

IOU4(config)#inter tunnel 1 
IOU4(config-if)#ip ad
*Jul 24 02:28:25.190: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
IOU4(config-if)#ip add 1.1.1.4 255.255.255.0 
IOU4(config-if)#tunnel source e0/0 
IOU4(config-if)#tunnel mode gre multipoint 
IOU4(config-if)#tunnel protection ipsec profile IPSEC_PROFILE 
IOU4(config-if)#no ip split-horizon eigrp 1 
IOU4(config-if)#bandwidth 1000
IOU4(config-if)#ip mtu 1400
IOU4(config-if)#ip nhrp authentication huwentao
IOU4(config-if)#ip nhrp map 1.1.1.1 23.1.1.1     設置hub端的隧道地址和源地址的映射，1.1.1.1是IOU2的隧道地址，23.1.1.1為IOU2的出接口的地址
IOU4(config-if)#ip nhrp map multicast 23.1.1.1    開啟組播功能，以及動態路由協議的功能，hub端的地址為23.1.1.1
IOU4(config-if)#ip nhrp network-id 1
IOU4(config-if)#ip nhrp nhs 1.1.1.1    這個地址一定注意，是hub端的隧道地址，也就是IOU2的隧道地址（我在這個地方掉進過一次，排查了好長時間才發現原來是這個地方配置錯了）

IOU5的配置（和IOU4的配置是一樣的，只是隧道的地址改一下就可以了）：

IOU4(config)#inter tunnel 1 
IOU4(config-if)#ip ad
*Jul 24 02:28:25.190: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
IOU4(config-if)#ip add 1.1.1.5 255.255.255.0    配置隧道的地址
IOU4(config-if)#tunnel source e0/0 
IOU4(config-if)#tunnel mode gre multipoint 
IOU4(config-if)#tunnel protection ipsec profile IPSEC_PROFILE 
IOU4(config-if)#no ip split-horizon eigrp 1 
IOU4(config-if)#bandwidth 1000
IOU4(config-if)#ip mtu 1400
IOU4(config-if)#ip nhrp authentication huwentao
IOU4(config-if)#ip nhrp map 1.1.1.1 23.1.1.1
IOU4(config-if)#ip nhrp map multicast 23.1.1.1
IOU4(config-if)#ip nhrp network-id 1
IOU4(config-if)#ip nhrp nhs 1.1.1.1

　　

 查看IOU2 ping 1.1.1.4 和ping 1.1.1.5都是可以ping通的，說明MGRE隧道已經建立成功：

IOU2#ping 1.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
IOU2#ping 1.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/13/16 ms
IOU2#

查看IOU2 show  ip  nhrp發現有1.1.1.4和1.1.1.5對應的接口地址信息

IOU2#show ip nhrp 
1.1.1.4/32 via 1.1.1.4
   Tunnel1 created 00:06:01, expire 01:54:00
   Type: dynamic, Flags: unique registered 
   NBMA address: 25.1.1.4 
1.1.1.5/32 via 1.1.1.5
   Tunnel1 created 00:05:54, expire 01:54:06
   Type: dynamic, Flags: unique registered 
   NBMA address: 24.1.1.2 

查看IOU2 show crypto isakmp peers 發現有兩個對等體已經建立成功，已經sa也已經建立成功。

IOU2#show crypto isakmp peers 
Peer: 24.1.1.2 Port: 500 Local: 23.1.1.1
 Phase1 id: 24.1.1.2
Peer: 25.1.1.4 Port: 500 Local: 23.1.1.1
 Phase1 id: 25.1.1.4
IOU2#show crypto isakmp sa    
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.1.1.1        24.1.1.2        QM_IDLE           1006 ACTIVE
23.1.1.1        25.1.1.4        QM_IDLE           1005 ACTIVE

IPv6 Crypto ISAKMP SA

IOU2#

查看IOU2 show crypto ipsec sa 發現有兩個sa分別是和IOU4和IOU5建立的。

IOU2#SHOW crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 23.1.1.1  

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (24.1.1.2/255.255.255.255/47/0) 代表的是和24.1.1.2建立了ipsec sa用來加密數據。
   current_peer 24.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.1, remote crypto endpt.: 24.1.1.2
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0xFC42BCA6(4232232102)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x55EA3DDB(1441414619)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: SW:15, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4284915/2516)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFC42BCA6(4232232102)
        transform: esp-3des esp-md5-hmac ,  定義的ipsec的交換集
        in use settings ={Tunnel, }     定義的ipsec的加密模式
        conn id: 16, flow_id: SW:16, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4284915/2516)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (25.1.1.4/255.255.255.255/47/0)代表的是和25.1.1.4建立的ipsec sa，用來加密數據的額
   current_peer 25.1.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.1, remote crypto endpt.: 25.1.1.4
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x3D0D283B(1024272443)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xAFF87D4(184518612)
        transform: esp-3des esp-md5-hmac ,  定義的ipsec交換集
        in use settings ={Tunnel, }
        conn id: 13, flow_id: SW:13, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4265113/2510)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3D0D283B(1024272443)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: SW:14, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4265113/2510)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:        

 

 

步驟四：路由交換配置

IOU2的配置：

IOU2(config)#router eigrp 1
IOU2(config-router)#no au
IOU2(config-router)#no auto-summary 
IOU2(config-router)#networ
IOU2(config-router)#network 1.1.1.1 255.255.255.0 
IOU2(config-router)#network
IOU2(config-router)#network 10.1.1.0 255.255.255.0 
IOU2(config-router)#exit

IOU4的配置：

IOU4(config)#router eigrp 1
IOU4(config-router)#no auto-summary 
IOU4(config-router)#network 1.1.1.0 255.255.255.0 
*Jul 24 13:40:34.320: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 1.1.1.1 (Tunnel1) is up: new adjacency
IOU4(config-router)#network 192.168.2.0 255.255.255.0 
IOU4(config-router)#exit

IOU5的配置：

IOU5(config)#router eigrp 1
IOU5(config-router)#no auto-summary 
IOU5(config-router)#network 1.1.1.0 255.255.255.0 
*Jul 24 13:41:26.047: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 1.1.1.1 (Tunnel1) is up: new adjacency
IOU5(config-router)#network 192.168.1.0 255.255.255.0 
IOU5(config-router)#

　　

 查看IOU2的eigrp鄰居信息和路由表，發現已經能夠學習到路由了：

IOU2#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   1.1.1.5                 Tu1                      13 00:02:19   10   132  0  4
0   1.1.1.4                 Tu1                      13 00:03:10    1   132  0  5
IOU2#show ip ro
IOU2#show ip route  
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 23.1.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 23.1.1.2
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.1/32 is directly connected, Tunnel1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Ethernet0/0
L        10.1.1.2/32 is directly connected, Ethernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/24 is directly connected, Ethernet0/1
L        23.1.1.1/32 is directly connected, Ethernet0/1
      192.168.1.0/32 is subnetted, 1 subnets
D        192.168.1.1 [90/3968000] via 1.1.1.5, 00:02:30, Tunnel1
      192.168.2.0/32 is subnetted, 1 subnets
D        192.168.2.1 [90/3968000] via 1.1.1.4, 00:03:24, Tunnel1
IOU2#

但是對於IOU4和IOU5只和IOU2建立鄰居，因為IOU4和IOU5之間是沒有模擬隧道的，所以建立不了eigrp鄰居

IOU4#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   1.1.1.1                 Tu1                      12 00:05:58   13   138  0  6
IOU4#
IOU5#show ip eigrp neighbors  
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   1.1.1.1                 Tu1                      14 00:05:32   17   138  0  6

由於我們關閉了EIGRP的水平分割，因此IOU4和IOU5都有對方的路由：

IOU5#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 24.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 24.1.1.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.5/32 is directly connected, Tunnel1
      10.0.0.0/24 is subnetted, 1 subnets
D        10.1.1.0 [90/3865600] via 1.1.1.1, 00:05:39, Tunnel1
      24.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        24.1.1.0/24 is directly connected, Ethernet0/0
L        24.1.1.2/32 is directly connected, Ethernet0/0
      192.168.1.0/32 is subnetted, 1 subnets
C        192.168.1.1 is directly connected, Loopback0
      192.168.2.0/32 is subnetted, 1 subnets
D        192.168.2.1 [90/5248000] via 1.1.1.1, 00:05:39, Tunnel1
IOU5#




IOU4#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   1.1.1.1                 Tu1                      12 00:05:58   13   138  0  6
IOU4#show ip rout
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 25.1.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 25.1.1.2
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.4/32 is directly connected, Tunnel1
      10.0.0.0/24 is subnetted, 1 subnets
D        10.1.1.0 [90/3865600] via 1.1.1.1, 00:10:02, Tunnel1
      25.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        25.1.1.0/24 is directly connected, Ethernet0/0
L        25.1.1.4/32 is directly connected, Ethernet0/0
      192.168.1.0/32 is subnetted, 1 subnets
D        192.168.1.1 [90/5248000] via 1.1.1.1, 00:08:54, Tunnel1
      192.168.2.0/32 is subnetted, 1 subnets
C        192.168.2.1 is directly connected, Loopback0
IOU4#

 

 

測試結果：

IOU2去ping IOU4和IOU5,可以ping 通，中間的被隧道所隱藏:

IOU2#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.5 5 msec 5 msec 5 msec


IOU2#traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.4 5 msec 5 msec 5 msec
IOU2#

IOU4去ping IOU2和IOU5：

IOU4#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.1 6 msec 5 msec 2 msec
  2 10.1.1.1 5 msec 6 msec 5 msec

IOU4#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.1 5 msec 6 msec 4 msec
  2 1.1.1.1 4 msec 5 msec 5 msec
  3 1.1.1.5 5 msec 5 msec 7 msec
IOU4#

 

為了不讓IOU2進行中轉，因此在IOU2上面配置：

IOU2(config)#interface tunnel 1
IOU2(config-if)#no ip next-hop-self eigrp 1
IOU2(config-if)#

重新ping 192.168.1.1就會發現，不在向IOU2進行詢問，直接從1.1.1.5發出去了：

Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.5 4 msec 4 msec 5 msec
IOU4#

 

 

小小技巧：

配置沒有問題，但是就是沒有辦法ping通的時候：從hub端開始，依次在internet tunnel 【number】下shutdown之后，再重新no  shutdown一下

例如此配置：

操作一：shutdown

先shutdownIOU2
IOU2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
IOU2(config)#inter
IOU2(config)#interface tu
IOU2(config)#interface tunnel 1
IOU2(config-if)#shutdown


然后shutdown IOU4和IOU5 
IOU4(config)#interface tunnel 1
IOU4(config-if)#shutdown

IOU5(config)#interface tunnel 1
IOU5(config-if)#shutdown

操作二：no shutdown 

先no shutdownIOU2
IOU2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
IOU2(config)#inter
IOU2(config)#interface tu
IOU2(config)#interface tunnel 1
IOU2(config-if)#no shutdown


然后shutdown IOU4和IOU5 
IOU4(config)#interface tunnel 1
IOU4(config-if)#no shutdown

IOU5(config)#interface tunnel 1
IOU5(config-if)#no  shutdown