27 April 2017
Huawei AR router in a Cisco DMVPN network

We are often asked: will a Huawei AR router work in a Cisco network built with DMVPN?

Example: there is a branch network built on Cisco equipment. A Cisco router (hub) is installed at the head office, and Cisco routers (spokes) in the branches connect to it. DMVPN is running, consisting of NHRP + mGRE + IPsec + OSPF. Can a Huawei AR router be added to such a network as a spoke?

The answer is yes, using Huawei's DSVPN technology.

This article does not describe Cisco DMVPN itself; that information is easy to find on the Internet. Huawei offers a fully Cisco-compatible technology, DSVPN, which likewise consists of mGRE, NHRP, IPsec and dynamic routing protocols.

A note on Huawei AR licensing: the Security and DSVPN licenses are required to enable DSVPN functionality.

We demonstrate that it works on a lab bench at LWCOM:

Network diagram


Description

We use a Cisco 2811 running IOS 12.4(24)T and a Huawei AR160 running V200R007.

Verification is done by sending ICMP echo between the Loopback interfaces of the Cisco and Huawei routers.

Initial configuration

Configure routing between the external interfaces and verify that, without a tunnel, there is no connectivity between the loopback interfaces.


Huawei

    interface GigabitEthernet0/0/0
     undo portswitch
     ip address 172.16.0.1 255.255.255.252
    ip route-static 0.0.0.0 0.0.0.0 172.16.0.2
    interface LoopBack0
     ip address 10.0.0.1 255.255.255.255

    ping 10.0.0.2
    PING 10.0.0.2: 56 data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    --- 10.0.0.2 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss

Cisco

    interface FastEthernet0/0
     ip address 172.16.1.1 255.255.255.252
    ip route 0.0.0.0 0.0.0.0 172.16.1.2
    interface Loopback0
     ip address 10.0.0.2 255.255.255.255

    ping 10.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

Configuring mGRE + NHRP

Verify that the tunnel works without encryption, using static routing.

Huawei

    interface Tunnel0/0/0
     ip address 192.168.0.1 255.255.255.252
     tunnel-protocol gre p2mp
     source GigabitEthernet0/0/0
     nhrp authentication simple 123
     nhrp network-id 1
     nhrp entry 192.168.0.2 172.16.1.1 register
    ip route-static 10.0.0.2 255.255.255.255 192.168.0.2

    ping 10.0.0.2
    PING 10.0.0.2: 56 data bytes, press CTRL_C to break
        Reply from 10.0.0.2: bytes=56 Sequence=1 ttl=255 time=1 ms
        Reply from 10.0.0.2: bytes=56 Sequence=2 ttl=255 time=1 ms
        Reply from 10.0.0.2: bytes=56 Sequence=3 ttl=255 time=2 ms
        Reply from 10.0.0.2: bytes=56 Sequence=4 ttl=255 time=1 ms
        Reply from 10.0.0.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    --- 10.0.0.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/1/2 ms

    display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    192.168.0.2     32    172.16.1.1      192.168.0.2     static       hub
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:20:51
    Expire time     : --

    Number of nhrp peers: 1

Cisco

    interface Tunnel0
     ip address 192.168.0.2 255.255.255.252
     no ip redirects
     ip nhrp authentication 123
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
    ip route 10.0.0.1 255.255.255.255 192.168.0.1

    ping 10.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    sh ip nhrp
    192.168.0.1/32 via 192.168.0.1
       Tunnel0 created 00:19:25, expire 01:43:54
       Type: dynamic, Flags: unique registered used
       NBMA address: 172.16.0.1
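The two NHRP tables above are the first thing to compare when a DSVPN spoke does not come up against a DMVPN hub: the spoke holds a static entry for the hub (tunnel address 192.168.0.2 at NBMA 172.16.1.1), and the hub must show a dynamic, registered entry for the spoke (192.168.0.1 at NBMA 172.16.0.1). The script below is an added example and not part of the original article: it parses both outputs (the sample text is copied from the lab output shown above and embedded as constructed input), then cross-checks that the spoke's hub mapping and the hub's learned spoke mapping agree. The function and variable names are this example's own.

```python
import re

# Constructed sample input, copied from the lab output shown above:
# Huawei VRP "display nhrp peer all" on the spoke ...
VRP_NHRP = """\
-------------------------------------------------------------------------------
Protocol-addr   Mask NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.0.2     32    172.16.1.1      192.168.0.2     static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:20:51
Expire time     : --

Number of nhrp peers: 1
"""

# ... and Cisco IOS "sh ip nhrp" on the hub.
IOS_NHRP = """\
192.168.0.1/32 via 192.168.0.1
   Tunnel0 created 00:19:25, expire 01:43:54
   Type: dynamic, Flags: unique registered used
   NBMA address: 172.16.0.1
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# One data row of the VRP table: protocol address, mask, NBMA, next hop, type, flag.
VRP_ROW = re.compile(rf"^({IP})\s+(\d+)\s+({IP})\s+({IP})\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_vrp_nhrp(text):
    """Map tunnel address -> entry for Huawei VRP 'display nhrp peer all' output."""
    peers = {}
    for proto, mask, nbma, nexthop, typ, flag in VRP_ROW.findall(text):
        peers[proto] = {"mask": int(mask), "nbma": nbma, "nexthop": nexthop,
                        "type": typ, "flag": flag}
    return peers


def parse_ios_nhrp(text):
    """Map tunnel address -> entry for Cisco IOS 'show ip nhrp' output."""
    peers = {}
    current = None
    for line in text.splitlines():
        m = re.match(rf"^({IP})/(\d+) via (\S+)", line)
        if m:  # header line of an entry
            current = peers.setdefault(m.group(1), {"mask": int(m.group(2)),
                                                    "nexthop": m.group(3), "flags": set()})
            continue
        if current is None:
            continue
        m = re.match(r"^\s+Type: (\S+), Flags: (.*)$", line)
        if m:
            current["type"] = m.group(1)
            current["flags"] = set(m.group(2).split())
            continue
        m = re.match(rf"^\s+NBMA address: ({IP})", line)
        if m:
            current["nbma"] = m.group(1)
    return peers


def check_registration(spoke_view, hub_view, spoke_tunnel_ip, spoke_nbma,
                       hub_tunnel_ip, hub_nbma):
    """Cross-check the spoke's static hub mapping against what the hub learned.

    Returns a list of problems; an empty list means the registration is consistent.
    """
    problems = []
    hub_entry = spoke_view.get(hub_tunnel_ip)
    if hub_entry is None:
        problems.append(f"spoke has no NHRP entry for hub tunnel address {hub_tunnel_ip}")
    elif hub_entry["nbma"] != hub_nbma:
        problems.append(f"spoke maps hub to NBMA {hub_entry['nbma']}, expected {hub_nbma}")

    spoke_entry = hub_view.get(spoke_tunnel_ip)
    if spoke_entry is None:
        problems.append(f"hub has not learned spoke {spoke_tunnel_ip}: registration failed")
    else:
        if spoke_entry.get("nbma") != spoke_nbma:
            problems.append(f"hub maps spoke to NBMA {spoke_entry.get('nbma')}, "
                            f"expected {spoke_nbma}")
        if "registered" not in spoke_entry["flags"]:
            problems.append("hub entry for spoke is not a registration (static mapping?)")
    return problems


if __name__ == "__main__":
    spoke = parse_vrp_nhrp(VRP_NHRP)
    hub = parse_ios_nhrp(IOS_NHRP)
    print(check_registration(spoke, hub, "192.168.0.1", "172.16.0.1",
                             "192.168.0.2", "172.16.1.1") or "NHRP registration consistent")
```

The spoke's entry is `static` (it comes from `nhrp entry ... register`) while the hub's is `dynamic` with the `registered` flag; that asymmetry is expected, and the check only complains when an address is missing or the NBMA addresses disagree with the tunnel sources.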


Configuring IPsec

Verify that the tunnel works with encryption, using static routing.

Huawei

    ipsec invalid-spi-recovery enable
    ipsec proposal pro1
     esp authentication-algorithm sha1
     esp encryption-algorithm 3des
    ike proposal 5
     encryption-algorithm 3des-cbc
     dh group2
     authentication-algorithm md5
     prf hmac-sha1
    ike peer Cisco1 v1
     pre-shared-key simple 123
     ike-proposal 5
    ipsec profile profile1
     ike-peer Cisco1
     proposal pro1
    interface Tunnel0/0/0
     ipsec profile profile1

    ping 10.0.0.2
    PING 10.0.0.2: 56 data bytes, press CTRL_C to break
        Reply from 10.0.0.2: bytes=56 Sequence=1 ttl=255 time=2 ms
        Reply from 10.0.0.2: bytes=56 Sequence=2 ttl=255 time=2 ms
        Reply from 10.0.0.2: bytes=56 Sequence=3 ttl=255 time=3 ms
        Reply from 10.0.0.2: bytes=56 Sequence=4 ttl=255 time=2 ms
        Reply from 10.0.0.2: bytes=56 Sequence=5 ttl=255 time=3 ms
    --- 10.0.0.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 2/2/3 ms

    display ike sa
        Conn-ID Peer            VPN   Flag(s)                Phase
    ---------------------------------------------------------------
           15    172.16.1.1      0     RD|ST                  2
           14    172.16.1.1      0     RD|ST                  1
    Flag Description:
    RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
    HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

    display ipsec sa
    ===============================
    Interface: Tunnel0/0/0
    Path MTU: 1500
    ===============================
    -----------------------------
    IPSec profile name: "profile1"
    Mode              : PROF-ISAKMP
    -----------------------------
        Connection ID     : 15
        Encapsulation mode: Tunnel
        Tunnel local      : 172.16.0.1
        Tunnel remote     : 172.16.1.1
        Qos pre-classify : Disable
        Qos group         : -
        [Outbound ESP SAs]
          SPI: 3526316683 (0xd22f528b)
          Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
          SA remaining key duration (bytes/sec): 1887390829/3410
          Outpacket count       : 372
          Outpacket encap count : 372
          Outpacket drop count : 0
          Max sent sequence-number: 372
          UDP encapsulation used for NAT traversal: N
        [Inbound ESP SAs]
          SPI: 1312543024 (0x4e3bd130)
          Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
          SA remaining key duration (bytes/sec): 1887390561/3410
          Inpacket count        : 374
          Inpacket decap count : 374
          Inpacket drop count   : 0
          Max received sequence-number: 374
          Anti-replay window size: 32
          UDP encapsulation used for NAT traversal: N

Cisco

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key 123 address 172.16.0.1
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set trans esp-3des esp-sha-hmac
     mode transport
    crypto ipsec profile ipsec
     set transform-set trans
    interface Tunnel0
     tunnel protection ipsec profile ipsec

    ping 10.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    172.16.1.1      172.16.0.1      QM_IDLE           1003 ACTIVE

    IPv6 Crypto ISAKMP SA

    sh crypto session
    Crypto session current status
    Interface: Tunnel0
    Session status: UP-ACTIVE
    Peer: 172.16.0.1 port 500
      IKE SA: local 172.16.1.1/500 remote 172.16.0.1/500 Active
      IPSEC FLOW: permit 47 host 172.16.1.1 host 172.16.0.1
            Active SAs: 2, origin: crypto map

    sh crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 172.16.1.1

       protected vrf: (none)
       local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
       current_peer 172.16.0.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 364, #pkts encrypt: 364, #pkts digest: 364
        #pkts decaps: 362, #pkts decrypt: 362, #pkts verify: 362
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.0.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x4E3BD130(1312543024)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0xD22F528B(3526316683)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (1751214/3545)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x4E3BD130(1312543024)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (1751214/3545)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
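Two details in the SA outputs above are worth verifying mechanically rather than by eye. First, the SPIs must cross: the Huawei outbound SPI (0xd22f528b) is the Cisco inbound SPI, and the Huawei inbound SPI (0x4e3bd130) is the Cisco outbound SPI. Second, although the Cisco transform set says `mode transport`, both sides report the negotiated SA in Tunnel mode (`Encapsulation mode: Tunnel` on the AR, `in use settings ={Tunnel, }` on the 2811), so the extra outer IP header is what actually goes on the wire. The script below is an added example, not code from the article or either vendor: it parses trimmed excerpts of the two outputs (copied from the lab output above and embedded as constructed input), confirms the SPIs and modes match, normalises the vendor-specific proposal strings, and flags the legacy algorithms the lab happens to use (3DES here; the IKE policy additionally uses MD5 and DH group 2). Function names and the weak-algorithm list are this example's own.

```python
import re

# Constructed input: trimmed excerpts of the lab output shown above.
# Huawei VRP "display ipsec sa" on the spoke ...
VRP_IPSEC_SA = """\
IPSec profile name: "profile1"
Mode              : PROF-ISAKMP
    Connection ID     : 15
    Encapsulation mode: Tunnel
    Tunnel local      : 172.16.0.1
    Tunnel remote     : 172.16.1.1
    [Outbound ESP SAs]
      SPI: 3526316683 (0xd22f528b)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      UDP encapsulation used for NAT traversal: N
    [Inbound ESP SAs]
      SPI: 1312543024 (0x4e3bd130)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      Anti-replay window size: 32
"""

# ... and Cisco IOS "sh crypto ipsec sa" on the hub.
IOS_IPSEC_SA = """\
interface: Tunnel0
   local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.0.1
   PFS (Y/N): N, DH group: none
   inbound esp sas:
    spi: 0xD22F528B(3526316683)
      transform: esp-3des esp-sha-hmac ,
      in use settings ={Tunnel, }
      replay detection support: Y
   outbound esp sas:
    spi: 0x4E3BD130(1312543024)
      transform: esp-3des esp-sha-hmac ,
      in use settings ={Tunnel, }
      replay detection support: Y
"""

# Algorithms this example treats as legacy (list chosen for the example).
WEAK = {"des": "DES", "3des": "3DES", "md5": "MD5"}


def normalize(proposal):
    """Reduce a vendor proposal/transform string to (encryption, integrity) names."""
    s = proposal.lower()
    if "3des" in s:
        enc = "3des"
    elif "aes" in s:
        enc = "aes"
    elif "des" in s:
        enc = "des"
    else:
        enc = "unknown"
    if "sha256" in s or "sha-256" in s:
        integ = "sha256"
    elif "sha1" in s or "sha-hmac" in s:
        integ = "sha1"
    elif "md5" in s:
        integ = "md5"
    else:
        integ = "unknown"
    return (enc, integ)


def parse_vrp_ipsec_sa(text):
    """Return {"in"/"out": {"spi", "mode", "algs"}} from Huawei 'display ipsec sa'."""
    sas, direction, mode = {}, None, None
    for line in text.splitlines():
        m = re.search(r"Encapsulation mode:\s*(\S+)", line)
        if m:
            mode = m.group(1).lower()  # applies to all SAs of this profile
        if "[Outbound ESP SAs]" in line:
            direction = "out"
        elif "[Inbound ESP SAs]" in line:
            direction = "in"
        m = re.search(r"SPI:\s*\d+\s*\((0x[0-9a-fA-F]+)\)", line)
        if m and direction:
            sas[direction] = {"spi": int(m.group(1), 16), "mode": mode}
        m = re.search(r"Proposal:\s*(.+)$", line)
        if m and direction in sas:
            sas[direction]["algs"] = normalize(m.group(1))
    return sas


def parse_ios_ipsec_sa(text):
    """Return {"in"/"out": {"spi", "mode", "algs"}} from Cisco 'show crypto ipsec sa'."""
    sas, direction = {}, None
    for line in text.splitlines():
        if "inbound esp sas" in line:
            direction = "in"
        elif "outbound esp sas" in line:
            direction = "out"
        m = re.search(r"spi:\s*(0x[0-9a-fA-F]+)\(\d+\)", line)
        if m and direction:
            sas[direction] = {"spi": int(m.group(1), 16)}
        m = re.search(r"transform:\s*(.+?)\s*,?\s*$", line)
        if m and direction in sas:
            sas[direction]["algs"] = normalize(m.group(1))
        m = re.search(r"in use settings\s*=\{(\w+)", line)
        if m and direction in sas:
            sas[direction]["mode"] = m.group(1).lower()
    return sas


def cross_check(spoke, hub):
    """Verify that spoke and hub describe the same pair of SAs; [] means consistent."""
    findings = []
    if spoke["out"]["spi"] != hub["in"]["spi"]:
        findings.append("spoke outbound SPI != hub inbound SPI")
    if spoke["in"]["spi"] != hub["out"]["spi"]:
        findings.append("spoke inbound SPI != hub outbound SPI")
    if spoke["out"]["algs"] != hub["in"]["algs"] or spoke["in"]["algs"] != hub["out"]["algs"]:
        findings.append("negotiated algorithms differ between peers")
    modes = {sa["mode"] for view in (spoke, hub) for sa in view.values()}
    if len(modes) != 1:
        findings.append(f"encapsulation mode disagreement: {sorted(modes)}")
    return findings


def weak_algorithms(view):
    """Legacy algorithms in use on one peer's SAs, e.g. ['3DES']."""
    return sorted({WEAK[a] for sa in view.values() for a in sa["algs"] if a in WEAK})


if __name__ == "__main__":
    spoke, hub = parse_vrp_ipsec_sa(VRP_IPSEC_SA), parse_ios_ipsec_sa(IOS_IPSEC_SA)
    print(cross_check(spoke, hub) or "SAs consistent", "legacy:", weak_algorithms(spoke))
```

On the lab data the cross-check returns no findings and reports 3DES as legacy; the same parsers work on the full command output, since the extra counters and timing lines are ignored.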

Configuring OSPF

Replace static routing with dynamic routing via OSPF.

Huawei

    interface Tunnel0/0/0
     ospf network-type p2p
    ospf 1
     area 0.0.0.0
      network 10.0.0.1 0.0.0.0
      network 192.168.0.0 0.0.0.3

    display ospf peer
             OSPF Process 1 with Router ID 172.16.0.1
                     Neighbors
    Area 0.0.0.0 interface 192.168.0.1(Tunnel0/0/0)'s neighbors
    Router ID: 10.0.0.2         Address: 192.168.0.2
       State: Full Mode:Nbr is Slave Priority: 1
       DR: None   BDR: None   MTU: 1476
       Dead timer due in 39 sec
       Retrans timer interval: 5
       Neighbor is up for 00:03:04
       Authentication Sequence: [ 0 ]

    display ip routing-table protocol ospf
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Public routing table : OSPF
             Destinations : 1        Routes : 1
    OSPF routing table status : <Active>
             Destinations : 1        Routes : 1
    Destination/Mask    Proto   Pre Cost      Flags NextHop         Interface
           10.0.0.2/32 OSPF    10   1563        D   192.168.0.2     Tunnel0/0/0
    OSPF routing table status : <Inactive>
             Destinations : 0        Routes : 0

Cisco

    interface Tunnel0
     ip ospf network point-to-point
    router ospf 1
     log-adjacency-changes
     network 10.0.0.2 0.0.0.0 area 0
     network 192.168.0.0 0.0.0.3 area 0

    sh ip ospf neighbor
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    172.16.0.1        0   FULL/ -        00:00:35    192.168.0.1     Tunnel0

    sh ip route ospf
         10.0.0.0/32 is subnetted, 2 subnets
    O       10.0.0.1 [110/1000] via 192.168.0.1, 00:01:37, Tunnel0


Conclusions

Huawei routers can be integrated without problems into a network built on Cisco network equipment.

Don't believe it? Get a Huawei AR router from us for a free trial!