GRE and MGRE

Table of contents 

GRE

Setting up the GRE environment

MGRE

MGRE configuration

RIP network in MGRE environment

MGRE experiment


VPN

Before getting to GRE, let's first talk about something everyone is familiar with: VPN technology.

Background requirements

Enterprises, organizations, merchants, etc. have strong demand for private networks.

High performance, high speed and high security are the obvious advantages of private networks.

Physical dedicated networks are expensive and hard to build, and the traditional approaches of leased lines or dial-up networks are increasingly unsuitable because of their poor cost-performance.

        VPN --- Virtual Private Network: a dedicated, secure data communication network built on public network infrastructure provided by an ISP or other NSP. This dedicated network is logical rather than physical, which is why it is called a virtual private network.

        Virtual: Users no longer need to own actual long-distance data lines, but instead use public network resources to build their own private network.

        Dedicated: Users can customize the network that best suits their needs.

        Core technology: tunnel technology

GRE

        The core of VPN technology is actually tunnel technology. The GRE we are going to talk about today is actually a tunnel encapsulation technology.

        Tunnel technology: at the two ends of the tunnel, a data channel is established across the public network through encapsulation and decapsulation, and this channel is used for data transmission.

        GRE --- Generic Routing Encapsulation, a standard Layer 3 tunneling technology; a GRE tunnel is point-to-point.

Setting up the GRE environment

Here we first use eNSP to build a working GRE environment for demonstration and explanation.

        Build the topology shown in the diagram above. Our current requirement is that the 1.0 network segment (192.168.1.0) on the left can reach the 2.0 network segment (192.168.2.0) on the right through GRE.

Let us first configure everything we can according to what we have learned so far: the IP addresses of R1, R2 and R3, and the default routes pointing to the ISP router on R1 and R3. After configuration, 12.0.0.1 should be able to ping 23.0.0.1. Of course, the private IP addresses on the two sides definitely cannot reach each other yet.

In fact, the principle of this tunnel is very simple: we pretend there is a virtual link in the middle connecting the routers on both sides, and this virtual link also has to sit on an intranet segment. If we configure it this way, the configuration itself is not a problem. The problem is that once a data packet is sent, there is no way to use this virtual link, because it does not exist. Data can still only leave through real interfaces onto real links.

Therefore, GRE is needed to help carry the traffic.

GRE test

Experimental steps:

Step 1: Configure IP address

R1 configuration:

[R1]interface g0/0/0

[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24

[R1]interface g0/0/1

[R1-GigabitEthernet0/0/1]ip address 12.1.1.1 24

R2 configuration

[R2]interface g0/0/0

[R2-GigabitEthernet0/0/0]ip address 12.1.1.2 24

[R2]interface g0/0/1

[R2-GigabitEthernet0/0/1]ip address 23.1.1.2 24

R3 configuration

[R3]interface g0/0/0

[R3-GigabitEthernet0/0/0]ip address 23.1.1.3 24

[R3]interface g0/0/1

[R3-GigabitEthernet0/0/1]ip address 34.1.1.3 24

R4 configuration

[R4]interface g0/0/0

[R4-GigabitEthernet0/0/0]ip address 34.1.1.4 24

[R4]interface g0/0/1

[R4-GigabitEthernet0/0/1]ip address 192.168.2.1 24

Step 2: Public network routing configuration (OSPF is used here)

R2 configuration

[R2]ospf 1 router-id 2.2.2.2

[R2-ospf-1]area 0

[R2-ospf-1-area-0.0.0.0]network 12.1.1.0 0.0.0.255

[R2-ospf-1-area-0.0.0.0]network 23.1.1.0 0.0.0.255

R3 configuration

[R3]ospf 1 router-id 3.3.3.3

[R3-ospf-1]area 0

[R3-ospf-1-area-0.0.0.0]network 23.1.1.0 0.0.0.255

[R3-ospf-1-area-0.0.0.0]network 34.1.1.0 0.0.0.255

 

Step 3: Configure intranet default route

R1 configuration

[R1]ip route-static 0.0.0.0 0 12.1.1.2

R4 configuration

[R4]ip route-static 0.0.0.0 0 34.1.1.3

 

Step 4: Configure NAT

R1 configuration

[R1]acl 2000

[R1-acl-basic-2000]rule 1 permit source any

[R1-acl-basic-2000]q

[R1]interface g0/0/1

[R1-GigabitEthernet0/0/1]nat outbound 2000

R4 configuration

[R4]acl 2000

[R4-acl-basic-2000]rule 1 permit source any

[R4-acl-basic-2000]q

[R4]interface g0/0/0

[R4-GigabitEthernet0/0/0]nat outbound 2000

Step 5: Configure GRE

R1 configuration

[R1]interface Tunnel 0/0/0 //Create the tunnel interface

[R1-Tunnel0/0/0]tunnel-protocol gre //Define the encapsulation method as GRE

[R1-Tunnel0/0/0]ip address 10.1.1.1 24 //Configure the tunnel interface IP address

[R1-Tunnel0/0/0]source 12.1.1.1 //Source address of the outer (encapsulating) IP header

[R1-Tunnel0/0/0]destination 34.1.1.4 //Destination address of the outer (encapsulating) IP header

 

R4 configuration

[R4]interface Tunnel 0/0/0

[R4-Tunnel0/0/0]tunnel-protocol gre

[R4-Tunnel0/0/0]ip address 10.1.1.2 24

[R4-Tunnel0/0/0]source 34.1.1.4

[R4-Tunnel0/0/0]destination 12.1.1.1

Step 6: Write a static route pointing to the tunnel

[R1]ip route-static 192.168.2.0 24 Tunnel 0/0/0

[R4]ip route-static 192.168.1.0 24 Tunnel 0/0/0

Step 7: Test

PC>ping 192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break

Request timeout!

Request timeout!

From 192.168.2.2: bytes=32 seq=3 ttl=126 time=47 ms

From 192.168.2.2: bytes=32 seq=4 ttl=126 time=31 ms

From 192.168.2.2: bytes=32 seq=5 ttl=126 time=47 ms

--- 192.168.2.2 ping statistics ---

5 packet(s) transmitted

3 packet(s) received

40.00% packet loss

round-trip min/avg/max = 0/41/47 ms

GRE message structure

When GRE encapsulates data, it will add GRE header information and new transport protocol header information.

When GRE encapsulates a message, the message before encapsulation becomes the payload, and the protocol of that message becomes the passenger protocol. GRE then adds the GRE header, so GRE becomes the encapsulation protocol, also called the carrier protocol. Finally, the protocol responsible for forwarding the encapsulated message becomes the transport protocol.
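To make the payload / passenger / carrier / transport roles concrete, here is an added Python example (not code from the original post) that builds a GRE-encapsulated packet for the R1-R4 tunnel above and parses it back. It constructs a sample inner IPv4 packet from PC1 to PC2 and wraps it in a minimal outer IPv4 header (protocol 47) plus a 4-byte RFC 2784 GRE header; the addresses are the ones from the configuration, and the helper names are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47            # IP protocol number in the outer (transport) header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 passenger packet

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when verifying a valid header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Passenger packet -> [outer IPv4 (transport)] [GRE header (carrier)] [payload].
    Plain GRE adds no encryption or authentication: the passenger is readable on the path."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # C/K/S flags clear, version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + passenger)

def gre_decapsulate(packet: bytes) -> dict:
    """Validate the outer header, skip the GRE header and return the passenger packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE (protocol %d)" % packet[9])
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    # optional GRE fields: checksum+reserved1 (C bit), key (K bit), sequence number (S bit)
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return {"outer_src": str(IPv4Address(packet[12:16])),
            "outer_dst": str(IPv4Address(packet[16:20])),
            "proto_type": proto_type,
            "passenger": packet[ihl + gre_len:]}

def demo() -> dict:
    """Constructed sample: PC1 (192.168.1.2) -> PC2 (192.168.2.2) carried over the R1-R4 tunnel."""
    inner = build_ipv4("192.168.1.2", "192.168.2.2", 1, b"constructed ICMP payload")  # 44 bytes
    outer = gre_encapsulate(inner, "12.1.1.1", "34.1.1.4")
    result = gre_decapsulate(outer)
    result["inner_matches"] = result["passenger"] == inner
    result["outer_len"] = len(outer)        # 44 + 20 (outer IP) + 4 (GRE) = 68
    return result

if __name__ == "__main__":
    print(demo())
```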

MGRE

        Of course, GRE itself still has a flaw: the channel it creates is a point-to-point tunnel, so it scales poorly. If several branches need to connect to the headquarters and be merged into one private network, far too many GRE tunnels have to be opened.

        In this scenario another technology can be used, MGRE, Multipoint Generic Routing Encapsulation.

        If you want to merge four private networks into one using GRE tunnels, you need a tunnel between every pair of the four private networks, which is obviously inconvenient. What we want is for all private networks to be connected on one network segment, like an MA (multi-access) network. The logical diagram of the virtual link should then look like this.

        But there is a problem with this. GRE is a point-to-point virtual tunnel: when sending, it must specify the source IP and destination IP to encapsulate with. In this scenario it has no way to specify a single fixed destination IP. Therefore, the core task of MGRE is to make this process dynamic: the destination address is changed to whichever peer is being communicated with.

        Here you need to use the assistance of a protocol, which is the NHRP protocol.

NHRP --- Next Hop Resolution Protocol. The principle is also simple. Among these private networks we select one whose egress physical IP does not change and make it the center of NHRP, the NHS (Next Hop Server). The remaining branches can all be told the center's tunnel IP and physical IP. NHRP then requires every branch to send its own physical interface IP and tunnel IP to the NHS (and to resend them if they change). In this way the NHS dynamically records the address mappings of all branches locally and simply looks them up when sending a message. If a branch needs to send to another branch and does not yet have that mapping, it must first ask the NHS.

        We find that the logical topology built with MGRE has multiple nodes on the same network, yet transmission is still point-to-point when sending, with no broadcast or multicast behavior. Therefore we can regard such a network as an NBMA (non-broadcast multi-access) network. (This is a logical NBMA simulated by the technology; a real physical NBMA network is built with frame relay, which we will not study here.)

MGRE configuration

Based on the above environment, the MGRE environment is built.

After the configuration is completed, we can use the command: [r1]display nhrp peer all

Then add the routing information so that the sites can communicate.

Step 1: Configure IP address

Step 2: Configure intranet default route

[R1]ip route-static 0.0.0.0 0 15.1.1.5

[R2]ip route-static 0.0.0.0 0 25.1.1.5

[R3]ip route-static 0.0.0.0 0 35.1.1.5

[R4]ip route-static 0.0.0.0 0 45.1.1.5

Step 3: Configure NAT

R1

[R1]acl 2000

[R1-acl-basic-2000]rule 1 permit  source any

[R1-acl-basic-2000]q

[R1]interface  GigabitEthernet 0/0/0

[R1-GigabitEthernet0/0/0]nat outbound 2000

R2

[R2]acl 2000

[R2-acl-basic-2000]rule 1 permit  source any

[R2-acl-basic-2000]q

[R2]interface  GigabitEthernet 0/0/0

[R2-GigabitEthernet0/0/0]nat outbound 2000

R3

[R3]acl 2000

[R3-acl-basic-2000]rule 1 permit  source any

[R3-acl-basic-2000]q

[R3]interface  GigabitEthernet 0/0/0

[R3-GigabitEthernet0/0/0]nat outbound 2000

R4

[R4]acl 2000

[R4-acl-basic-2000]rule 1 permit  source any

[R4-acl-basic-2000]q

[R4]interface  GigabitEthernet 0/0/0

[R4-GigabitEthernet0/0/0]nat outbound 2000

R5

[R5]acl 2000

[R5-acl-basic-2000]rule 1 permit  source any

[R5-acl-basic-2000]q

[R5]interface  GigabitEthernet 0/0/0

[R5-GigabitEthernet0/0/0]nat outbound 2000

Step 4: Configure MGRE

Central site R1:

[R1]interface Tunnel 0/0/0 //Create the tunnel interface

[R1-Tunnel0/0/0]ip address 10.1.1.1 24 //Configure the tunnel interface IP address

[R1-Tunnel0/0/0]tunnel-protocol gre p2mp //Change the interface mode to multipoint GRE

[R1-Tunnel0/0/0]source 15.1.1.1 //Define the public (NBMA) source IP address

[R1-Tunnel0/0/0]nhrp network-id 100

Branch sites

R2:

[R2]interface  Tunnel 0/0/0

[R2-Tunnel0/0/0]ip address 10.1.1.2 24

[R2-Tunnel0/0/0]tunnel-protocol gre p2mp

[R2-Tunnel0/0/0]source 25.1.1.2

[R2-Tunnel0/0/0]nhrp network-id 100

[R2-Tunnel0/0/0]nhrp entry 10.1.1.1 15.1.1.1 register

R3

[R3]interface  Tunnel 0/0/0

[R3-Tunnel0/0/0]ip address 10.1.1.3 24

[R3-Tunnel0/0/0]tunnel-protocol gre p2mp

[R3-Tunnel0/0/0]source 35.1.1.3

[R3-Tunnel0/0/0]nhrp network-id 100

[R3-Tunnel0/0/0]nhrp entry 10.1.1.1 15.1.1.1 register

R4

[R4]interface  Tunnel 0/0/0

[R4-Tunnel0/0/0]ip address 10.1.1.4 24

[R4-Tunnel0/0/0]tunnel-protocol gre p2mp

[R4-Tunnel0/0/0]source 45.1.1.4

[R4-Tunnel0/0/0]nhrp network-id 100

[R4-Tunnel0/0/0]nhrp entry 10.1.1.1 15.1.1.1 register

Step 5: Write static routes

R1:

[R1]ip route-static 192.168.2.0 24 10.1.1.2

[R1]ip route-static 192.168.3.0 24 10.1.1.3

[R1]ip route-static 192.168.4.0 24 10.1.1.4

R2:

[R2]ip route-static 192.168.1.0 24 10.1.1.1

[R2]ip route-static 192.168.3.0 24 10.1.1.3

[R2]ip route-static 192.168.4.0 24 10.1.1.4

R3:

[R3]ip route-static 192.168.1.0 24 10.1.1.1

[R3]ip route-static 192.168.2.0 24 10.1.1.2

[R3]ip route-static 192.168.4.0 24 10.1.1.4

R4:

[R4]ip route-static 192.168.1.0 24 10.1.1.1

[R4]ip route-static 192.168.2.0 24 10.1.1.2

[R4]ip route-static 192.168.3.0 24 10.1.1.3

RIP network in MGRE environment

        Routing here can be completed with the simplest static routes or with a dynamic routing protocol. Here we first obtain routes in the MGRE environment through RIP; as for OSPF, we will try it again after we have learned the details of OSPF.

        Note that when advertising networks in RIP, you only need to advertise the loopback (private) network segment and the tunnel network segment. The public network interface does not need to be enabled for RIP, because it does not need to send or receive RIP packets and its routing information is not needed: that part is covered by the default route we configured at the beginning.

        Of course, after completing the RIP configuration we will find that there are some problems with the network in this environment and the results are not exactly what we expected. They are summarized as follows:

Using RIP in the MGRE environment to learn the routes of unknown network segments

1. Only the center obtains the branches' routes; the branches do not obtain the center's routes.

Solution: enable pseudo-broadcast on the center. This achieves a broadcast-like effect by sending the packet to every branch separately.

[r1-Tunnel0/0/0]nhrp entry multicast dynamic

2. After pseudo-broadcast is enabled on the center, the branches obtain only the center's routes, but not the routes of the other branches.

The main reason is that Huawei devices enable RIP split horizon by default, so the center will not send the branch routes it learned on the tunnel interface back out of that interface to the other branches. Solution: turn off split horizon on the tunnel interface.

[r1-Tunnel0/0/0]undo rip split-horizon
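The NHS registration and resolution described in the MGRE section, together with the two RIP problems and their fixes listed just above, as an added Python simulation (not code from the original post). The router objects, the fixed three-round update loop and the switches of `simulate(pseudo_broadcast, split_horizon)` are assumptions of the model; the tunnel, public and private addresses are the ones from the configuration.

```python
# Constructed simulation of the hub-and-spoke MGRE cloud above: R1 is the NHS, R2..R4 are
# spokes. Models NHRP registration/resolution, RIP over the tunnel, pseudo-broadcast, split horizon.

class Router:
    def __init__(self, name, tunnel_ip, nbma_ip, lan_prefix):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.routes = {lan_prefix: (None, 0)}    # prefix -> (next-hop tunnel IP, metric)
        self.nhrp = {}                           # tunnel IP -> NBMA (public) IP mapping
        self.multicast_peers = set()             # tunnel peers that receive RIP updates
        self.split_horizon = True                # Huawei default on the tunnel interface
        self.learned_via_tunnel = set()          # prefixes received on the tunnel

def nhrp_register(spoke, hub):
    """'nhrp entry <hub-tunnel-ip> <hub-nbma-ip> register': the spoke knows the NHS
    statically and the NHS records the spoke's tunnel->NBMA mapping dynamically."""
    spoke.nhrp[hub.tunnel_ip] = hub.nbma_ip
    spoke.multicast_peers.add(hub.tunnel_ip)     # static entry doubles as broadcast target
    hub.nhrp[spoke.tunnel_ip] = spoke.nbma_ip

def nhrp_resolve(spoke, hub, tunnel_ip):
    """Spoke-to-spoke traffic: look up the public IP behind a tunnel next hop, asking
    the NHS when the spoke has no local mapping (None if nobody registered it)."""
    return spoke.nhrp.get(tunnel_ip) or hub.nhrp.get(tunnel_ip)

def rip_round(routers):
    """Each router sends one RIPv2 update to every peer it can (pseudo-)broadcast to."""
    by_tunnel = {r.tunnel_ip: r for r in routers}
    for sender in routers:
        for peer_ip in sender.multicast_peers:
            receiver = by_tunnel[peer_ip]
            for prefix, (_, metric) in list(sender.routes.items()):
                # split horizon: a route learned on the tunnel is not sent back out of it
                if sender.split_horizon and prefix in sender.learned_via_tunnel:
                    continue
                if prefix not in receiver.routes or receiver.routes[prefix][1] > metric + 1:
                    receiver.routes[prefix] = (sender.tunnel_ip, metric + 1)
                    receiver.learned_via_tunnel.add(prefix)

def simulate(pseudo_broadcast, split_horizon, rounds=3):
    """Return each router's known prefixes after `rounds` RIP updates."""
    hub = Router("R1", "10.1.1.1", "15.1.1.1", "192.168.1.0/24")
    spokes = [Router("R2", "10.1.1.2", "25.1.1.2", "192.168.2.0/24"),
              Router("R3", "10.1.1.3", "35.1.1.3", "192.168.3.0/24"),
              Router("R4", "10.1.1.4", "45.1.1.4", "192.168.4.0/24")]
    for spoke in spokes:
        nhrp_register(spoke, hub)
    if pseudo_broadcast:                         # [r1-Tunnel0/0/0]nhrp entry multicast dynamic
        hub.multicast_peers = set(hub.nhrp)
    hub.split_horizon = split_horizon            # False == [r1-Tunnel0/0/0]undo rip split-horizon
    for _ in range(rounds):
        rip_round([hub] + spokes)
    return {r.name: sorted(r.routes) for r in [hub] + spokes}
```

Running `simulate(False, True)`, `simulate(True, True)` and `simulate(True, False)` reproduces the three states in the text: only the center learns anything, then the branches learn only the center's segment, then every site knows all four segments.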

MGRE experiment

Experimental steps

Step 1: IP address planning

PC addresses

Device    Address            Gateway
PC1       192.168.1.2/24     192.168.1.2/24
PC2       192.168.2.2/24     192.168.2.1/24
PC3       192.168.3.2/24     192.168.3.1/24
PC4       192.168.4.2/24     192.168.4.1/24

Device addresses

Device    Interface      Address
R1        S4/0/0         15.1.1.1/24
R2        S4/0/0         25.1.1.2/24
R3        S4/0/0         35.1.1.3/24
R4        S4/0/0         45.1.1.4/24
R5        S4/0/0         15.1.1.5/24
          S4/0/1         25.1.1.5/24
          S3/0/0         35.1.1.5/24
          G0/0/0         45.1.1.5/24
          loopback0      5.5.5.5/24

Step 2: Configure IP address

R1 configuration

[R1]interface g0/0/0

[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24

[R1]interface s4/0/0

[R1-Serial4/0/0]ip address 15.1.1.1 24

R2 configuration

[R2]interface g0/0/0

[R2-GigabitEthernet0/0/0]ip address 192.168.2.1 24

[R2]interface s4/0/0

[R2-Serial4/0/0]ip address 25.1.1.2 24

R3 configuration

[R3]interface g0/0/0

[R3-GigabitEthernet0/0/0]ip address 192.168.3.1 24

[R3]interface s4/0/0

[R3-Serial4/0/0]ip address 35.1.1.3 24

R4 configuration

[R4]interface g0/0/0

[R4-GigabitEthernet0/0/0]ip address 45.1.1.4 24

[R4]interface g0/0/1

[R4-GigabitEthernet0/0/1]ip address 192.168.4.1 24

R5 configuration

interface Serial3/0/0

ip address 35.1.1.5 255.255.255.0

interface Serial4/0/0

ip address 15.1.1.5 255.255.255.0

interface Serial4/0/1

ip address 25.1.1.5 255.255.255.0

interface GigabitEthernet0/0/0

ip address 45.1.1.5 255.255.255.0

 

Step 3: Configure default route

[R1]ip route-static 0.0.0.0 0 15.1.1.5

[R2]ip route-static 0.0.0.0 0 25.1.1.5

[R3]ip route-static 0.0.0.0 0 35.1.1.5

[R4]ip route-static 0.0.0.0 0 45.1.1.5

 

Step 4: NAT

[R1]acl 2000

[R1-acl-basic-2000]rule 1 permit source any

[R1-acl-basic-2000]q

[R1]inter s4/0/0

[R1-Serial4/0/0]nat outbound 2000

Step 5: PAP authentication

Authenticator configuration

[R5]aaa

[R5-aaa]local-user huawei password cipher huawei

[R5-aaa]local-user huawei service-type ppp

[R5]interface s4/0/0

[R5-Serial4/0/0]ppp authentication-mode pap

Authenticated peer configuration

[R1]interface s4/0/0

[R1-Serial4/0/0]ppp pap local-user huawei password cipher huawei

Step 6: CHAP authentication

Authenticator configuration

[R5]aaa

[R5-aaa]local-user huawei password cipher huawei

[R5-aaa]local-user huawei service-type ppp

[R5]interface s4/0/0

[R5-Serial4/0/0]ppp authentication-mode chap

Authenticated peer configuration

[R2]interface s4/0/0

[R2-Serial4/0/0]ppp chap user huawei

[R2-Serial4/0/0]ppp chap password cipher huawei
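The PAP and CHAP exchanges that the two steps above configure, modelled in Python as an added example (not code from the original post): both sides of each exchange, with the page's user name and password used as a constructed credential store. It shows what a capture of the serial link would reveal in each case and why a captured CHAP response cannot be replayed against a fresh challenge; the function names and the `demo()` wrapper are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed model of the PPP PAP and CHAP exchanges configured on R5, R1 and R2 above.
# The credential store mirrors the page's "local-user huawei password cipher huawei".
USERS = {"huawei": "huawei"}

def pap_request(user: str, password: str) -> bytes:
    """PAP Authenticate-Request body (RFC 1334): Peer-ID and Password travel in the clear."""
    return bytes([len(user)]) + user.encode() + bytes([len(password)]) + password.encode()

def pap_verify(body: bytes, users: dict) -> bool:
    """Authenticator side: parse the request and compare the cleartext password."""
    ulen = body[0]
    user = body[1:1 + ulen].decode()
    plen = body[1 + ulen]
    password = body[2 + ulen:2 + ulen + plen].decode()
    return users.get(user) == password

def chap_challenge() -> bytes:
    """Authenticator sends a fresh random challenge for every attempt."""
    return os.urandom(16)

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Peer side (RFC 1994): MD5(Identifier || secret || Challenge); the secret stays local."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def chap_verify(identifier: int, name: str, response: bytes, challenge: bytes, users: dict) -> bool:
    """Authenticator recomputes the expected hash from its own copy of the secret."""
    secret = users.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(response, chap_response(identifier, secret, challenge))

def demo() -> dict:
    """Run one PAP and one CHAP exchange and report what an observer on the link would see."""
    pap = pap_request("huawei", "huawei")
    ident, challenge = 1, chap_challenge()
    response = chap_response(ident, "huawei", challenge)
    return {
        "pap_ok": pap_verify(pap, USERS),
        "pap_password_on_wire": b"huawei" in pap,          # a link capture shows the password
        "chap_ok": chap_verify(ident, "huawei", response, challenge, USERS),
        "chap_secret_on_wire": b"huawei" in response,      # only a hash crosses the link
        "chap_replay_ok": chap_verify(ident, "huawei", response, chap_challenge(), USERS),
    }

if __name__ == "__main__":
    print(demo())
```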

Step 7: HDLC encapsulation

[R3]inter s4/0/0

[R3-Serial4/0/0]link-protocol hdlc

[R5]interface s3/0/0

[R5-Serial3/0/0]link-protocol hdlc

Step 8: Build the MGRE environment between R1, R2 and R3

R1 configuration

[R1]interface Tunnel 0/0/0

[R1-Tunnel0/0/0]ip address 10.1.1.1 24

[R1-Tunnel0/0/0]tunnel-protocol gre p2mp

[R1-Tunnel0/0/0]source 15.1.1.1

[R1-Tunnel0/0/0]nhrp network-id 100

R2 configuration

[R2]interface Tunnel 0/0/0

[R2-Tunnel0/0/0]ip address 10.1.1.2 24

[R2-Tunnel0/0/0]tunnel-protocol gre p2mp

[R2-Tunnel0/0/0]source s4/0/0

[R2-Tunnel0/0/0]nhrp entry 10.1.1.1 15.1.1.1 register

[R2-Tunnel0/0/0]nhrp network-id 100

R3 configuration

[R3]interface Tunnel 0/0/0

[R3-Tunnel0/0/0]ip address 10.1.1.3 24

[R3-Tunnel0/0/0]tunnel-protocol gre p2mp

[R3-Tunnel0/0/0]source s4/0/0

[R3-Tunnel0/0/0]nhrp network-id 100

[R3-Tunnel0/0/0]nhrp entry 10.1.1.1 15.1.1.1 register

Step 9: Configure GRE between R1 and R4

R1 configuration

[R1]interface Tunnel 0/0/1

[R1-Tunnel0/0/1]ip address 20.1.1.1 24

[R1-Tunnel0/0/1]tunnel-protocol gre

[R1-Tunnel0/0/1]source 15.1.1.1

[R1-Tunnel0/0/1]destination 45.1.1.4

R4 configuration

[R4]interface Tunnel 0/0/1

[R4-Tunnel0/0/1]ip address 20.1.1.2 24

[R4-Tunnel0/0/1]tunnel-protocol gre

[R4-Tunnel0/0/1]source 45.1.1.4

[R4-Tunnel0/0/1]destination 15.1.1.1

Step 10: Write RIP routes

RIP routing configuration in MGRE environment

R1 configuration

[R1]rip 1

[R1-rip-1]version 2

[R1-rip-1]network 192.168.1.0

[R1-rip-1]network 10.0.0.0

Note: in the MGRE environment, RIP requires pseudo-broadcast to be enabled and split horizon to be disabled on the center's tunnel interface.

[R1]interface Tunnel 0/0/0

[R1-Tunnel0/0/0]nhrp entry multicast dynamic //Enable pseudo-broadcast

[R1-Tunnel0/0/0]undo rip split-horizon //Turn off split horizon

R2 configuration

[R2]rip 1

[R2-rip-1]version 2

[R2-rip-1]network 192.168.2.0

[R2-rip-1]network 10.0.0.0

R3 configuration

[R3]rip 1

[R3-rip-1]version 2

[R3-rip-1]network 192.168.3.0

[R3-rip-1]network 10.0.0.0

Configuration in GRE environment

R1 configuration

[R1]rip 1

[R1-rip-1]version 2

[R1-rip-1]network 20.0.0.0

R4 configuration

[R4]rip 1

[R4-rip-1]version 2

[R4-rip-1]network 20.0.0.0

[R4-rip-1]network 192.168.4.0

Origin blog.csdn.net/m2282475145/article/details/131795826