A large-scale enterprise has a central office (Hub1 and Hub2) and multiple branches located in different areas (this example shows only two Spokes, Spoke1 and Spoke2). The networks of the central office and branches change frequently. The Spokes use dynamic addresses to connect to the public network. Open Shortest Path First (OSPF) is used on the enterprise network.
The enterprise wants to establish a VPN between the Spokes. Hub1 functions as the master device and Hub2 functions as the backup device. Hub2 takes over the services and forwards protocol packets if Hub1 fails. When Hub1 recovers, services are switched back to Hub1.
Because a Spoke uses a dynamic address to connect to the public network, it does not know the public IP address of the other Spoke. DSVPN is implemented to establish a VPN between the Spokes.
The DSVPN shortcut scenario is implemented because the enterprise has a large number of branches.
Because the networks of the central office and branches change frequently, OSPF is deployed to provide communication between the Hubs and Spokes and to simplify maintenance.
Dual-Hub DSVPN is implemented to provide redundant backup by using Hub2.
Configure IP addresses for the interfaces of each FW.
# Configure IP addresses for interfaces of Hub1.
<sysname> system-view
[sysname] sysname Hub1
[Hub1] interface GigabitEthernet 0/0/0
[Hub1-GigabitEthernet0/0/0] ip address 1.1.1.10 255.255.255.0
[Hub1-GigabitEthernet0/0/0] quit
[Hub1] interface tunnel 0
[Hub1-Tunnel0] ip address 172.16.1.1 255.255.255.0
[Hub1-Tunnel0] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub1-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1, Spoke2 and Hub2 as shown in Figure 1. The specific configuration is not provided here.
# Configure security zones on each device. The configuration commands are the same, and the Hub1 is used as an example.
[Hub1] firewall zone untrust
[Hub1-zone-untrust] add interface GigabitEthernet 0/0/0
[Hub1-zone-untrust] add interface tunnel 0
[Hub1-zone-untrust] quit
# Configure security policies on each device. The configuration commands are the same, and Hub1 is used as an example.
In this example, loopback interfaces in the Local zone are used to simulate subnet users. Therefore, the interzone policy between the Local zone and the security zone where the tunnel interface resides needs to be configured (in this example, policy rule1). In a real deployment, configure the interzone policy between the security zones where the subnets reside. For example, if the enterprise subnet resides in the Trust zone, configure the interzone policy between the Trust zone and the security zone where the tunnel interface resides.
[Hub1] security-policy
[Hub1-policy-security] rule name rule1
[Hub1-policy-security-rule-rule1] source-zone untrust local
[Hub1-policy-security-rule-rule1] destination-zone untrust local
[Hub1-policy-security-rule-rule1] source-address 192.168.0.0 mask 255.255.0.0
[Hub1-policy-security-rule-rule1] action permit
[Hub1-policy-security-rule-rule1] quit
[Hub1-policy-security] rule name rule2
[Hub1-policy-security-rule-rule2] source-zone untrust local
[Hub1-policy-security-rule-rule2] destination-zone untrust local
[Hub1-policy-security-rule-rule2] service gre ospf
[Hub1-policy-security-rule-rule2] action permit
[Hub1-policy-security-rule-rule2] quit
[Hub1-policy-security] quit
Configure OSPF on each FW to provide reachable routes to the public network.
# Configure OSPF on Hub1.
[Hub1] ospf 2 router-id 1.1.1.10
[Hub1-ospf-2] area 0.0.0.1
[Hub1-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.1] quit
[Hub1-ospf-2] quit
# Configure OSPF on Hub2.
[Hub2] ospf 2 router-id 1.1.254.10
[Hub2-ospf-2] area 0.0.0.1
[Hub2-ospf-2-area-0.0.0.1] network 1.1.254.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.1] quit
[Hub2-ospf-2] quit
# Configure OSPF on Spoke1.
[Spoke1] ospf 2 router-id 1.1.2.10
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
# Configure OSPF on Spoke2.
[Spoke2] ospf 2 router-id 1.1.3.10
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure the basic OSPF functions on Hub1.
[Hub1] ospf 1 router-id 172.16.1.1
[Hub1-ospf-1] area 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
# Configure the basic OSPF functions on Hub2.
[Hub2] ospf 1 router-id 172.16.1.254
[Hub2-ospf-1] area 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
# Configure the basic OSPF functions on Spoke1.
[Spoke1] ospf 1 router-id 172.16.1.2
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
# Configure the basic OSPF functions on Spoke2.
[Spoke2] ospf 1 router-id 172.16.1.3
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
Configure the OSPF network type as Point-to-Multipoint (P2MP) on the Hubs and Spokes. Enable the NHRP redirect function on Hub1 and Hub2. Configure static NHRP mapping entries for the Hubs and enable the NHRP shortcut function on Spoke1 and Spoke2.
[Hub1] interface tunnel 0
[Hub1-Tunnel0] tunnel-protocol gre p2mp
[Hub1-Tunnel0] source GigabitEthernet 0/0/0
[Hub1-Tunnel0] nhrp entry multicast dynamic
[Hub1-Tunnel0] ospf network-type p2mp
[Hub1-Tunnel0] ospf cost 1000
[Hub1-Tunnel0] nhrp redirect
[Hub1-Tunnel0] quit
[Hub2] interface tunnel 0
[Hub2-Tunnel0] tunnel-protocol gre p2mp
[Hub2-Tunnel0] source GigabitEthernet 0/0/0
[Hub2-Tunnel0] nhrp entry multicast dynamic
[Hub2-Tunnel0] ospf network-type p2mp
[Hub2-Tunnel0] ospf cost 3000
[Hub2-Tunnel0] nhrp redirect
[Hub2-Tunnel0] quit
[Spoke1] interface tunnel 0
[Spoke1-Tunnel0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0] source GigabitEthernet 0/0/0
[Spoke1-Tunnel0] nhrp entry 172.16.1.1 1.1.1.10 register
[Spoke1-Tunnel0] nhrp entry 172.16.1.254 1.1.254.10 register
[Spoke1-Tunnel0] ospf network-type p2mp
[Spoke1-Tunnel0] nhrp shortcut
[Spoke1-Tunnel0] nhrp registration interval 300
[Spoke1-Tunnel0] quit
[Spoke2] interface tunnel 0
[Spoke2-Tunnel0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0] source GigabitEthernet 0/0/0
[Spoke2-Tunnel0] nhrp entry 172.16.1.1 1.1.1.10 register
[Spoke2-Tunnel0] nhrp entry 172.16.1.254 1.1.254.10 register
[Spoke2-Tunnel0] ospf network-type p2mp
[Spoke2-Tunnel0] nhrp shortcut
[Spoke2-Tunnel0] nhrp registration interval 300
[Spoke2-Tunnel0] quit
Configure different OSPF cost values on Hub1 and Hub2 to ensure that the Spokes prefer Hub1 as the next hop device.
When Hub1 recovers, it resumes forwarding OSPF protocol packets once it receives NHRP Registration Request packets from the Spokes. The Spokes learn routes to Hub1 only after the routes they have already learned age out. Set the interval for sending NHRP Registration Request packets to a suitable value so that the Spokes detect the recovery of Hub1 quickly. The default interval is 1800 seconds.
After the preceding configurations are complete, check the NHRP mapping entries on the Spokes and Hubs. Take Spoke1 as an example.
# Run the display nhrp peer all command on Spoke1.
[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.1       32    1.1.1.10        172.16.1.1      hub             up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 05:35:50
Expire time     : --
HostName        : Hub1
HostEsn         : 210235G7G610F1000013
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.254     32    1.1.254.10      172.16.1.254    hub             up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 04:32:49
Expire time     : --
HostName        : Hub2
HostEsn         : 210235G7G610FB000023
Number of nhrp peers: 2
If you run the display nhrp peer all command on Spoke1 and Spoke2 at this point, only the static NHRP mapping entries of the Hubs are displayed.
To use the ping command for link detection, run the service-manage ping permit command in the interface view of every firewall interface on the link so that these interfaces accept ping.
Ping 192.168.2.1 from Spoke1. You can then see that Spoke1 and Spoke2 have learned dynamic NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on the Spokes. Take Spoke1 as an example.
[Spoke1] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
# Run the display nhrp peer all command on Spoke1.
[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.1       32    1.1.1.10        172.16.1.1      hub             up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 05:42:50
Expire time     : --
HostName        : Hub1
HostEsn         : 210235G7G610F1000013
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.254     32    1.1.254.10      172.16.1.254    hub             up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 04:39:49
Expire time     : --
HostName        : Hub2
HostEsn         : 210235G7G610FB000023
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
192.168.2.1      32    1.1.3.10        172.16.1.3      remote-network  up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:19
Expire time     : 01:59:41
HostName        : Spoke2
HostEsn         : 210235G7G610F3000017
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.3       32    1.1.3.10        172.16.1.3      remote          up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:19
Expire time     : 01:59:41
HostName        : Spoke2
HostEsn         : 210235G7G610F3000017
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
192.168.1.1      32    1.1.2.10        172.16.1.2      local           up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:19
Expire time     : 01:59:41
HostName        : Spoke1
HostEsn         : 210235G7G410F1000003
Number of nhrp peers: 5
# Run the shutdown command on GigabitEthernet 0/0/0 of Hub1.
[Hub1] interface GigabitEthernet 0/0/0
[Hub1-GigabitEthernet0/0/0] shutdown
[Hub1-GigabitEthernet0/0/0] quit
Ping 192.168.2.1 from Spoke1 again. You can see that Spoke1 and Spoke2 still learn dynamic NHRP mapping entries from each other after Hub1 fails.
Before you run the ping command, ensure that no default route to Hub1 exists on the local device.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1.
[Spoke1] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms
# Run the display nhrp peer all command on the Spokes. Take Spoke1 as an example.
[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.1       32    1.1.1.10        172.16.1.1      hub             down
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 05:46:29
Expire time     : --
HostName        : Hub1
HostEsn         : 210235G7G610F1000013
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.254     32    1.1.254.10      172.16.1.254    hub             up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 04:43:28
Expire time     : --
HostName        : Hub2
HostEsn         : 210235G7G610FB000023
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
192.168.2.1      32    1.1.3.10        172.16.1.3      remote-network  up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:22
Expire time     : 01:59:38
HostName        : Spoke2
HostEsn         : 210235G7G610F3000017
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.3       32    1.1.3.10        172.16.1.3      remote          up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:22
Expire time     : 01:59:38
HostName        : Spoke2
HostEsn         : 210235G7G610F3000017
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
192.168.1.1      32    1.1.2.10        172.16.1.2      local           up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:00:22
Expire time     : 01:59:38
HostName        : Spoke1
HostEsn         : 210235G7G410F1000003
Number of nhrp peers: 5
Run the undo nhrp peer command to clear the NHRP mapping entries existing on the Spokes before running the ping command.
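As an added example that is not part of the original configuration guide, the following Python script parses the display nhrp peer all output shown above and classifies the dual-hub state, so a monitoring job can raise an alert when the Spokes are running on Hub2 while the master Hub1 is down. The sample output is constructed from the format above (abbreviated, without HostEsn lines); the function names are my own.

```python
import re

# Constructed sample modelled on the "display nhrp peer all" output shown above
# after Hub1's GigabitEthernet 0/0/0 was shut down (abbreviated, no HostEsn).
SAMPLE_OUTPUT = """\
[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.1       32    1.1.1.10        172.16.1.1      hub             down
-------------------------------------------------------------------------------
Expire time     : --
HostName        : Hub1
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.254     32    1.1.254.10      172.16.1.254    hub             up
-------------------------------------------------------------------------------
Expire time     : --
HostName        : Hub2
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
192.168.2.1      32    1.1.3.10        172.16.1.3      remote-network  up
-------------------------------------------------------------------------------
Expire time     : 01:59:38
HostName        : Spoke2
Number of nhrp peers: 3
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
COLUMNS = ("protocol", "mask", "nbma", "nexthop", "type", "flag")

def parse_nhrp_peers(text):
    """One dict per mapping entry; the HostName/Expire lines that follow are attached."""
    peers = []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 6 and IPV4.match(t[0]) and IPV4.match(t[2]):
            peers.append(dict(zip(COLUMNS, t)))   # an entry row, not the header
        elif t[:1] == ["HostName"] and peers:
            peers[-1]["host"] = t[-1]
        elif t[:2] == ["Expire", "time"] and peers:
            peers[-1]["expire"] = t[-1]           # "--" for static hub entries
    return peers

def failover_state(peers, master="Hub1", backup="Hub2"):
    """Classify the dual-hub state from a Spoke's static hub entries."""
    hubs = {p.get("host"): p["flag"] for p in peers if p["type"] == "hub"}
    if hubs.get(master) == "up":
        return "normal"      # Spokes use Hub1 (lower OSPF cost) as next hop
    if hubs.get(backup) == "up":
        return "failover"    # Hub2 has taken over; Hub1 needs attention
    return "isolated"        # no hub reachable; registration cannot succeed

def shortcut_peers(peers):
    """Hosts reached directly via spoke-to-spoke entries learned by NHRP shortcut."""
    return sorted({p["host"] for p in peers if p["type"] == "remote-network"})
```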
#
 sysname Hub1
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf cost 1000
 ospf network-type p2mp
 nhrp redirect
 nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.0.0 0.0.0.255
#
ospf 2 router-id 1.1.1.10
 area 0.0.0.1
  network 1.1.1.0 0.0.0.255
#
firewall zone untrust
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  service ospf
  action permit
#
return
#
 sysname Hub2
#
interface GigabitEthernet0/0/0
 ip address 1.1.254.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.0.2 255.255.255.0
#
interface Tunnel0
 ip address 172.16.1.254 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf cost 3000
 ospf network-type p2mp
 nhrp redirect
 nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.254
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.0.0 0.0.0.255
#
ospf 2 router-id 1.1.254.10
 area 0.0.0.1
  network 1.1.254.0 0.0.0.255
#
firewall zone untrust
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  service ospf
  action permit
#
return
#
 sysname Spoke1
#
interface GigabitEthernet0/0/0
 ip address 1.1.2.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp registration interval 300
 nhrp entry 172.16.1.254 1.1.254.10 register
 nhrp entry 172.16.1.1 1.1.1.10 register
#
ospf 1 router-id 172.16.1.2
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
ospf 2 router-id 1.1.2.10
 area 0.0.0.1
  network 1.1.2.0 0.0.0.255
#
firewall zone untrust
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  service ospf
  action permit
#
return
#
 sysname Spoke2
#
interface GigabitEthernet0/0/0
 ip address 1.1.3.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
#
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp registration interval 300
 nhrp entry 172.16.1.254 1.1.254.10 register
 nhrp entry 172.16.1.1 1.1.1.10 register
#
ospf 1 router-id 172.16.1.3
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
ospf 2 router-id 1.1.3.10
 area 0.0.0.1
  network 1.1.3.0 0.0.0.255
#
firewall zone untrust
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  service ospf
  action permit
#
return
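As an added example that is not from the original guide, this Python check reads configuration text in the format of the files above and verifies two invariants the dual-hub design relies on: every static NHRP entry on a Spoke must map a Hub's Tunnel0 address to that same Hub's GigabitEthernet0/0/0 (NBMA) address, otherwise registrations and GRE traffic go to the wrong public address, and the two Hubs must not share the lowest OSPF cost, otherwise the master preference for Hub1 is lost. The embedded configuration text is a constructed, abbreviated copy, and the function names are my own.

```python
# Constructed, abbreviated copy of the Hub1, Hub2 and Spoke1 configuration files above.
CONFIG_TEXT = """\
sysname Hub1
interface GigabitEthernet0/0/0
 ip address 1.1.1.10 255.255.255.0
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ospf cost 1000
 nhrp redirect
sysname Hub2
interface GigabitEthernet0/0/0
 ip address 1.1.254.10 255.255.255.0
interface Tunnel0
 ip address 172.16.1.254 255.255.255.0
 ospf cost 3000
 nhrp redirect
sysname Spoke1
interface Tunnel0
 nhrp shortcut
 nhrp entry 172.16.1.254 1.1.254.10 register
 nhrp entry 172.16.1.1 1.1.1.10 register
"""

def parse_devices(text):
    """Per sysname, collect the fields the dual-hub DSVPN design depends on."""
    devices, dev, iface = {}, None, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "sysname":
            dev = devices[t[1]] = {"ip": {}, "entries": [], "flags": set(), "cost": 0}
        elif t[0] == "interface":
            iface = t[1]
        elif t[:2] == ["ip", "address"]:
            dev["ip"][iface] = t[2]
        elif t[:2] == ["ospf", "cost"]:
            dev["cost"] = int(t[2])
        elif t[:2] == ["nhrp", "entry"] and t[-1] == "register":
            dev["entries"].append((t[2], t[3]))   # (hub tunnel IP, hub NBMA IP)
        elif t[0] == "nhrp":
            dev["flags"].add(t[1])                 # "redirect" or "shortcut"
    return devices

def hubs_by_cost(devices):
    """Hub names ordered by Tunnel0 OSPF cost; the first is the preferred hub."""
    hubs = [n for n, d in devices.items() if "redirect" in d["flags"]]
    return sorted(hubs, key=lambda n: devices[n]["cost"])

def check_design(devices):
    """Return findings; an empty list means the design invariants hold."""
    hubs = hubs_by_cost(devices)
    valid = {(devices[h]["ip"]["Tunnel0"], devices[h]["ip"]["GigabitEthernet0/0/0"]) for h in hubs}
    findings = []
    for name, d in devices.items():
        bad = [e for e in d["entries"] if "shortcut" in d["flags"] and e not in valid]
        findings += [f"{name}: nhrp entry {e} matches no hub" for e in bad]
    if len(hubs) > 1 and devices[hubs[0]]["cost"] == devices[hubs[1]]["cost"]:
        findings.append("hubs share the lowest OSPF cost; no clear master")
    return findings
```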