
CLI Example: Configuring DSVPN in Shortcut Mode (BGP + Route Injection)

Networking Requirements

A large-sized enterprise has a Hub and many Spokes (Spoke1 and Spoke2 are used as an example) that are distributed in different areas and belong to different ASs. There are many Spoke subnets (this example assumes that each Spoke has one subnet), the subnets of the Hub and Spokes change often, and the Spokes connect to the public network using dynamic addresses. Based on the network plan, OSPF is used within each AS and EBGP is used between ASs.

Spokes are required to communicate with each other directly.

Figure 1 Networking for configuring DSVPN in shortcut mode (BGP + route injection)

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure DSVPN to implement VPN interconnection between Spokes. This is because Spokes use dynamic addresses to connect to the public network and Spokes do not know public addresses of each other.

  2. Configure the shortcut mode because there are many Spokes.

  3. Configure route injection to reduce the route configuration of the Hub. This is because subnets of the Hub and Spokes often change and there are many subnets of Spokes.

Procedure

  1. Configure IP addresses for interfaces.

    Configure IP addresses for interfaces on each FW.

    # Configure IP addresses for interfaces on the Hub.

    <sysname> system-view
    [sysname] sysname Hub
    [Hub] interface GigabitEthernet 0/0/0
    [Hub-GigabitEthernet0/0/0] ip address 1.1.1.10 255.255.255.0
    [Hub-GigabitEthernet0/0/0] quit
    [Hub] interface tunnel 0
    [Hub-Tunnel0] ip address 172.16.1.1 255.255.255.0
    [Hub-Tunnel0] quit
    [Hub] interface loopback 0
    [Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
    [Hub-LoopBack0] quit

    Configure IP addresses for interfaces of Spoke1 and Spoke2 according to Figure 1. The configuration is similar to that of the Hub, and is not mentioned here.

  2. Configure security zones and security policies.

    # Configure security zones on each device. The configuration commands are the same, and the Hub is used as an example.

    [Hub] firewall zone untrust
    [Hub-zone-untrust] add interface GigabitEthernet 0/0/0
    [Hub-zone-untrust] add interface tunnel 0
    [Hub-zone-untrust] quit

    # Configure security policies on each device. The configuration commands are the same, and the Hub is used as an example.

    In this example, loopback interfaces in the Local zone are used to simulate subnet users. Therefore, the interzone policy between the Local zone and the security zone where the tunnel interface resides needs to be configured (in this example, policy rule1). In a real deployment, configure the interzone policy between the security zone where the subnet resides and the security zone where the tunnel interface resides. For example, if the enterprise subnet resides in the Trust zone, configure the interzone policy between the Trust zone and the security zone of the tunnel interface.

    [Hub] security-policy
    [Hub-policy-security] rule name rule1
    [Hub-policy-security-rule-rule1] source-zone untrust local
    [Hub-policy-security-rule-rule1] destination-zone untrust local
    [Hub-policy-security-rule-rule1] source-address 192.168.0.0 mask 255.255.0.0
    [Hub-policy-security-rule-rule1] action permit
    [Hub-policy-security-rule-rule1] quit
    [Hub-policy-security] rule name rule2
    [Hub-policy-security-rule-rule2] source-zone untrust local
    [Hub-policy-security-rule-rule2] destination-zone untrust local
    [Hub-policy-security-rule-rule2] service gre ospf
    [Hub-policy-security-rule-rule2] action permit
    [Hub-policy-security-rule-rule2] quit
    [Hub-policy-security] quit

  3. Configure routes between the FWs.

    Configure OSPF on each FW to provide reachable routes to the public network.

    # Configure OSPF on the Hub.

    [Hub] ospf 2 router-id 1.1.1.10
    [Hub-ospf-2] area 0.0.0.1
    [Hub-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
    [Hub-ospf-2-area-0.0.0.1] quit
    [Hub-ospf-2] quit

    # Configure OSPF on Spoke1.

    [Spoke1] ospf 2 router-id 1.1.2.10
    [Spoke1-ospf-2] area 0.0.0.1
    [Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
    [Spoke1-ospf-2-area-0.0.0.1] quit
    [Spoke1-ospf-2] quit

    # Configure OSPF on Spoke2.

    [Spoke2] ospf 2 router-id 1.1.3.10
    [Spoke2-ospf-2] area 0.0.0.1
    [Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
    [Spoke2-ospf-2-area-0.0.0.1] quit
    [Spoke2-ospf-2] quit

  4. Configure reachable routes in ASs.

    Configure OSPF on the Hub and Spokes in different ASs to implement reachability in ASs.

    # Configure the Hub.

    [Hub] ospf 1 router-id 172.16.1.1
    [Hub-ospf-1] area 0.0.0.0
    [Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
    [Hub-ospf-1-area-0.0.0.0] quit
    [Hub-ospf-1] quit

    # Configure Spoke1.

    [Spoke1] ospf 1 router-id 172.16.1.2
    [Spoke1-ospf-1] area 0.0.0.0
    [Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] quit
    [Spoke1-ospf-1] quit

    # Configure Spoke2.

    [Spoke2] ospf 1 router-id 172.16.1.3
    [Spoke2-ospf-1] area 0.0.0.0
    [Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] quit
    [Spoke2-ospf-1] quit

    Here, each Spoke has one subnet. If the subnet environment changes, you only need to update the dynamic routing configuration on the local device; no change is required on the Hub.

  5. Configure basic EBGP functions.

    # Configure the Hub.

    [Hub] bgp 100
    [Hub-bgp] router-id 172.16.1.1
    [Hub-bgp] import-route ospf 1
    [Hub-bgp] peer 172.16.1.2 as-number 200
    [Hub-bgp] peer 172.16.1.3 as-number 300
    [Hub-bgp] aggregate 192.168.0.0 16 detail-suppressed
    [Hub-bgp] quit

    When route summarization is configured, a route covered by the summarized address must already exist in the routing table. This is why the loopback interface address 192.168.0.1/24 is configured on the Hub.

    # Configure Spoke1.

    [Spoke1] bgp 200
    [Spoke1-bgp] router-id 172.16.1.2
    [Spoke1-bgp] import-route ospf 1
    [Spoke1-bgp] peer 172.16.1.1 as-number 100
    [Spoke1-bgp] quit

    # Configure Spoke2.

    [Spoke2] bgp 300
    [Spoke2-bgp] router-id 172.16.1.3
    [Spoke2-bgp] import-route ospf 1
    [Spoke2-bgp] peer 172.16.1.1 as-number 100
    [Spoke2-bgp] quit

  6. Configure NHRP.

    # Configure a tunnel interface and enable NHRP redirect on the Hub.

    [Hub] interface tunnel 0
    [Hub-Tunnel0] tunnel-protocol gre p2mp
    [Hub-Tunnel0] source GigabitEthernet 0/0/0
    [Hub-Tunnel0] nhrp entry multicast dynamic
    [Hub-Tunnel0] nhrp redirect
    [Hub-Tunnel0] quit

    # Configure a tunnel interface and a static NHRP mapping entry of the Hub, and enable NHRP shortcut on Spoke1.

    [Spoke1] interface tunnel 0
    [Spoke1-Tunnel0] tunnel-protocol gre p2mp
    [Spoke1-Tunnel0] source GigabitEthernet 0/0/0
    [Spoke1-Tunnel0] nhrp entry 172.16.1.1 1.1.1.10 register
    [Spoke1-Tunnel0] nhrp shortcut
    [Spoke1-Tunnel0] quit

    # Configure a tunnel interface and a static NHRP mapping entry of the Hub, and enable NHRP shortcut on Spoke2.

    [Spoke2] interface tunnel 0
    [Spoke2-Tunnel0] tunnel-protocol gre p2mp
    [Spoke2-Tunnel0] source GigabitEthernet 0/0/0
    [Spoke2-Tunnel0] nhrp entry 172.16.1.1 1.1.1.10 register
    [Spoke2-Tunnel0] nhrp shortcut
    [Spoke2-Tunnel0] quit

  7. Configure route injection.

    # Enable route injection on the Hub and set the priority of the injected route to 100.

    [Hub] interface tunnel 0
    [Hub-Tunnel0] nhrp hub reverse-route enable
    [Hub-Tunnel0] nhrp hub reverse-route preference 100

    # On Spoke1, configure the route that needs to be injected to the Hub.

    [Spoke1] interface tunnel 0
    [Spoke1-Tunnel0] nhrp reverse-route 192.168.1.0 mask 24

    # On Spoke2, configure the route that needs to be injected to the Hub.

    [Spoke2] interface tunnel 0
    [Spoke2-Tunnel0] nhrp reverse-route 192.168.2.0 mask 24

  8. Verify the configuration.

    1. Check routing information.

      # Run the display ip routing-table protocol unr command on the Hub.

      [Hub] display ip routing-table protocol unr
      Route Flags: R - relay, D - download to fib
      ------------------------------------------------------------------------------
      Public routing table : Unr
               Destinations : 2        Routes : 2

      Unr routing table status :<Active>

               Destinations : 2        Routes : 2

      Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

          192.168.1.0/24  Unr    100   0           D   172.16.1.2      Tunnel0
          192.168.2.0/24  Unr    100   0           D   172.16.1.3      Tunnel0

      Unr routing table status :<Inactive>
               Destinations : 0        Routes : 0

      Subnet routes of Spoke1 and Spoke2 have been successfully injected to the Hub.

    2. Check the DSVPN configuration.

      # Run the display nhrp peer all command on Spoke1.

      [Spoke1] display nhrp peer all
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
      -------------------------------------------------------------------------------
      172.16.1.1      32    1.1.1.10        172.16.1.1       hub          up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:10:58
      Expire time     : -- HostName        : Hub HostEsn         : 210235G7G610F1000002
      
      Number of nhrp peers: 1
      

      # Run the display nhrp peer all command on Spoke2.

      [Spoke2] display nhrp peer all
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
      -------------------------------------------------------------------------------
      172.16.1.1      32    1.1.1.10        172.16.1.1       hub          up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:07:55
      Expire time     : -- HostName        : Hub HostEsn         : 210235G7G610F1000002
      
      Number of nhrp peers: 1
      

      If you run the display nhrp peer all command on Spoke1 and Spoke2 before any Spoke-to-Spoke traffic is sent, you can view only the static NHRP mapping entry of the Hub.

      On the Hub, check registration information about Spoke1 and Spoke2.

      # Run the display nhrp peer all command on the Hub.

      [Hub] display nhrp peer all
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
      -------------------------------------------------------------------------------
      172.16.1.2      32    1.1.2.10        172.16.1.2      registered   up|unique
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:02:02
      Expire time     : 01:57:58 HostName        : Spoke1 HostEsn         : 210235G7G610F1000013
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
      -------------------------------------------------------------------------------
      172.16.1.3      32    1.1.3.10        172.16.1.3      registered   up|unique
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:01:53
      Expire time     : 01:59:35 HostName        : Spoke2 HostEsn         : 210235G7G610F3000017
      
      Number of nhrp peers: 2
      
    3. Run the ping command and check the configuration result.

      To use the ping command for link detection, run the service-manage ping permit command in the interface view of every firewall interface on the link to permit the ping service.

      On Spoke1, ping the subnet address 192.168.2.1 of Spoke2. After the ping, Spoke1 and Spoke2 have learned dynamic NHRP mapping entries from each other, which shows that the shortcut path has been established.

      # Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1.

      [Spoke1] ping -a 192.168.1.1 192.168.2.1
        PING 192.168.2.1: 56  data bytes, press CTRL_C to break
          Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
          Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
          Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
          Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
          Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
      
        --- 192.168.2.1 ping statistics ---
          5 packet(s) transmitted
          5 packet(s) received
          0.00% packet loss
          round-trip min/avg/max = 2/2/3 ms
      
      

      # Run the display nhrp peer all command on Spoke1.

      [Spoke1] display nhrp peer all
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
      -------------------------------------------------------------------------------
      172.16.1.1      32    1.1.1.10        172.16.1.1      hub              up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:46:35
      Expire time     : -- HostName        : Hub HostEsn         : 210235G7G610F1000002
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
      -------------------------------------------------------------------------------
      192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network  up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:00:28
      Expire time     : 01:59:32 HostName        : Spoke2 HostEsn         : 210235G7G610F3000017
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
      -------------------------------------------------------------------------------
      172.16.1.3      32    1.1.3.10        172.16.1.3      remote          up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:00:28
      Expire time     : 01:59:32 HostName        : Spoke2 HostEsn         : 210235G7G610F3000017
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
      -------------------------------------------------------------------------------
      172.16.1.2      32    1.1.2.10        172.16.1.2      local           up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:00:28
      Expire time     : 01:59:32 HostName        : Spoke1 HostEsn         : 210235G7G610F1000013
      
      Number of nhrp peers: 4
      

      # Run the display nhrp peer all command on Spoke2.

      [Spoke2] display nhrp peer all
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
      -------------------------------------------------------------------------------
      172.16.1.1      32    1.1.1.10        172.16.1.1      hub              up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:43:32
      Expire time     : -- HostName        : Hub HostEsn         : 210235G7G610F1000002
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
      -------------------------------------------------------------------------------
      192.168.1.1     32    1.1.2.10        172.16.1.2      remote-network  up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:00:47
      Expire time     : 01:59:13 HostName        : Spoke1 HostEsn         : 210235G7G610F1000013
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
      -------------------------------------------------------------------------------
      172.16.1.2      32    1.1.2.10        172.16.1.2      remote          up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:00:47
      Expire time     : 01:59:13 HostName        : Spoke1 HostEsn         : 210235G7G610F1000013
      -------------------------------------------------------------------------------
      Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
      -------------------------------------------------------------------------------
      172.16.1.3      32    1.1.3.10        172.16.1.3      local           up
      -------------------------------------------------------------------------------
      Tunnel interface: Tunnel0
      Created time    : 00:00:47
      Expire time     : 01:59:13 HostName        : Spoke2 HostEsn         : 210235G7G610F3000017
      
      Number of nhrp peers: 4
      
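      The two verification commands above are easy to misread by eye when there are many Spokes. The following Python script, added here as an example and not part of the Huawei documentation, parses the display ip routing-table protocol unr and display nhrp peer all output shown in the verification steps and checks the end state this example expects: each Spoke's reverse-route is present as an active UNR route on the Hub with preference 100 and the Spoke's tunnel address as next hop, and, after traffic flows, each Spoke holds a dynamic remote / remote-network entry for the other Spoke. The sample output strings are constructed from the command output in the verification steps; the function names and the expected-route dictionary are the script's own.

```python
"""Check DSVPN shortcut-mode state from Huawei CLI output.

Example script, not part of the original documentation.  It parses the text of
'display ip routing-table protocol unr' (on the Hub) and 'display nhrp peer all'
(on a Spoke) and verifies the state the configuration example expects.
"""
import re

# --- Sample output, constructed from the verification step of the example ---

HUB_UNR = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : Unr
         Destinations : 2        Routes : 2

Unr routing table status :<Active>
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.1.0/24  Unr    100   0           D   172.16.1.2      Tunnel0
    192.168.2.0/24  Unr    100   0           D   172.16.1.3      Tunnel0

Unr routing table status :<Inactive>
         Destinations : 0        Routes : 0
"""

# Spoke1 before any Spoke-to-Spoke traffic: only the static Hub entry.
SPOKE1_NHRP_BEFORE = """\
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1       hub          up
-------------------------------------------------------------------------------
Number of nhrp peers: 1
"""

# Spoke1 after pinging 192.168.2.1: dynamic entries for Spoke2 have appeared.
SPOKE1_NHRP_AFTER = """\
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      hub              up
-------------------------------------------------------------------------------
192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network  up
-------------------------------------------------------------------------------
172.16.1.3      32    1.1.3.10        172.16.1.3      remote          up
-------------------------------------------------------------------------------
172.16.1.2      32    1.1.2.10        172.16.1.2      local           up
-------------------------------------------------------------------------------
Number of nhrp peers: 4
"""

IP = r"\d+\.\d+\.\d+\.\d+"
UNR_ROW = re.compile(
    rf"^\s*(?P<dest>{IP}/\d+)\s+Unr\s+(?P<pre>\d+)\s+(?P<cost>\d+)\s+"
    rf"(?P<flags>\S+)\s+(?P<nexthop>{IP})\s+(?P<iface>\S+)\s*$")
NHRP_ROW = re.compile(
    rf"^(?P<proto>{IP})\s+(?P<mask>\d+)\s+(?P<nbma>{IP})\s+"
    rf"(?P<nexthop>{IP})\s+(?P<type>\S+)\s+(?P<flag>\S+)$")


def parse_unr_routes(text):
    """Return active UNR routes as dicts; rows under the <Inactive> status are skipped."""
    routes, active = [], False
    for line in text.splitlines():
        if "routing table status" in line:      # section header toggles active/inactive
            active = "<Active>" in line
            continue
        m = UNR_ROW.match(line)
        if m and active:
            row = m.groupdict()
            row["pre"], row["cost"] = int(row["pre"]), int(row["cost"])
            routes.append(row)
    return routes


def parse_nhrp_peers(text):
    """Return every NHRP peer row as a dict (separator and detail lines are ignored)."""
    rows = (NHRP_ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in rows if m]


def check_route_injection(unr_text, expected, preference=100):
    """expected maps each Spoke's reverse-route prefix to that Spoke's tunnel address.

    Returns a list of problem strings; an empty list means every route was injected
    with the configured preference and reaches the Spoke over Tunnel0.
    """
    routes = {r["dest"]: r for r in parse_unr_routes(unr_text)}
    problems = []
    for dest, nexthop in expected.items():
        r = routes.get(dest)
        if r is None:
            problems.append(f"{dest}: not injected on Hub")
        elif r["nexthop"] != nexthop or r["iface"] != "Tunnel0":
            problems.append(f"{dest}: next hop {r['nexthop']} via {r['iface']}, "
                            f"expected {nexthop} via Tunnel0")
        elif r["pre"] != preference:
            problems.append(f"{dest}: preference {r['pre']}, expected {preference}")
    return problems


def shortcut_peers(nhrp_text):
    """Map protocol address -> NBMA address for up dynamic Spoke-to-Spoke entries.

    Only 'remote' and 'remote-network' entries count; the static hub entry and the
    local entry are excluded, so an empty result means no shortcut has been built.
    """
    return {p["proto"]: p["nbma"] for p in parse_nhrp_peers(nhrp_text)
            if p["type"] in ("remote", "remote-network") and p["flag"].startswith("up")}


if __name__ == "__main__":
    expected = {"192.168.1.0/24": "172.16.1.2", "192.168.2.0/24": "172.16.1.3"}
    print("route injection problems:", check_route_injection(HUB_UNR, expected))
    print("Spoke1 shortcuts before ping:", shortcut_peers(SPOKE1_NHRP_BEFORE))
    print("Spoke1 shortcuts after ping:", shortcut_peers(SPOKE1_NHRP_AFTER))
```

      In practice the expected dictionary is built from each Spoke's nhrp reverse-route prefix and Tunnel0 address, so adding a Spoke means adding one entry; the check then flags a Spoke whose reverse-route never reached the Hub (for example because its NHRP registration failed) before anyone notices missing connectivity.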

Configuration Files

  • Hub configuration file

    #
    sysname Hub
    # 
    interface GigabitEthernet0/0/0
     ip address 1.1.1.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 192.168.0.1 255.255.255.0
    # 
    interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet0/0/0
     nhrp redirect
     nhrp entry multicast dynamic
     nhrp hub reverse-route preference 100
    # 
    bgp 100
     router-id 172.16.1.1
     peer 172.16.1.2 as-number 200
     peer 172.16.1.3 as-number 300
     # 
     ipv4-family unicast
      undo synchronization
      aggregate 192.168.0.0 255.255.0.0 detail-suppressed
      import-route ospf 1
      peer 172.16.1.2 enable
      peer 172.16.1.3 enable
    # 
    ospf 1 router-id 172.16.1.1
     area 0.0.0.0
      network 192.168.0.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.1.10
     area 0.0.0.1
      network 1.1.1.0 0.0.0.255
    # 
    firewall zone untrust
     add interface GigabitEthernet0/0/0   
     add interface Tunnel0 
    # 
     security-policy 
      rule name rule1
       source-zone local
       source-zone untrust
       destination-zone local
       destination-zone untrust
       source-address 192.168.0.0 mask 255.255.0.0
       action permit
      rule name rule2
       source-zone local
       source-zone untrust
       destination-zone local
       destination-zone untrust
       service gre
       service ospf
       action permit
    # 
    return
  • Spoke1 configuration file

    #
    sysname Spoke1
    # 
    interface GigabitEthernet0/0/0
     ip address 1.1.2.10 255.255.255.0
    # 
    interface GigabitEthernet0/0/10
     ip address 192.168.1.1 255.255.255.0
    # 
    interface Tunnel0
     ip address 172.16.1.2 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet0/0/0
     nhrp shortcut
     nhrp entry 172.16.1.1 1.1.1.10 register
     nhrp reverse-route 192.168.1.0 mask 255.255.255.0
    # 
    bgp 200
     router-id 172.16.1.2
     peer 172.16.1.1 as-number 100
     # 
     ipv4-family unicast
      undo synchronization
      import-route ospf 1
      peer 172.16.1.1 enable
    # 
    ospf 1 router-id 172.16.1.2
     area 0.0.0.0
      network 192.168.1.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.2.10
     area 0.0.0.1
      network 1.1.2.0 0.0.0.255
    # 
    firewall zone untrust
     add interface GigabitEthernet0/0/0   
     add interface Tunnel0 
    # 
     security-policy 
      rule name rule1
       source-zone local
       source-zone untrust
       destination-zone local
       destination-zone untrust
       source-address 192.168.0.0 mask 255.255.0.0
       action permit
      rule name rule2
       source-zone local
       source-zone untrust
       destination-zone local
       destination-zone untrust
       service gre
       service ospf
       action permit
    # 
    return
    
  • Spoke2 configuration file

    #
    sysname Spoke2
    # 
    interface GigabitEthernet0/0/0
     ip address 1.1.3.10 255.255.255.0
    # 
    interface GigabitEthernet0/0/10
     ip address 192.168.2.1 255.255.255.0
    # 
    interface Tunnel0
     ip address 172.16.1.3 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet0/0/0
     nhrp shortcut
     nhrp entry 172.16.1.1 1.1.1.10 register
     nhrp reverse-route 192.168.2.0 mask 255.255.255.0
    # 
    bgp 300
     router-id 172.16.1.3
     peer 172.16.1.1 as-number 100
     # 
     ipv4-family unicast
      undo synchronization
      import-route ospf 1
      peer 172.16.1.1 enable
    # 
    ospf 1 router-id 172.16.1.3
     area 0.0.0.0
      network 192.168.2.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.3.10
     area 0.0.0.1
      network 1.1.3.0 0.0.0.255
    # 
    firewall zone untrust
     add interface GigabitEthernet0/0/0   
     add interface Tunnel0 
    # 
     security-policy 
      rule name rule1
       source-zone local
       source-zone untrust
       destination-zone local
       destination-zone untrust
       source-address 192.168.0.0 mask 255.255.0.0
       action permit
      rule name rule2
       source-zone local
       source-zone untrust
       destination-zone local
       destination-zone untrust
       service gre
       service ospf
       action permit
    # 
    return
    
Copyright © Huawei Technologies Co., Ltd.