在安全防火墙上使用动态路由协议配置DVTI |
您所在的位置:网站首页 › 思科3750策略路由 › 在安全防火墙上使用动态路由协议配置DVTI |
|
简介
本文档介绍如何在Secure Firewall 9.20上配置动态虚拟隧道接口(DVTI)。 先决条件 拥有一个带ASA 9.20或更高版本的思科安全防火墙,该防火墙具有基本路由配置和IKEV2支持,可作为中心路由器,具有一个环回接口来模拟本地192.168.9.0/24网络。 拥有一个带ASA 9.20或更高版本及基本路由配置和IKEv2支持的思科安全防火墙,以作为分支–1运行,其中预配置了一个环回接口来模拟远程网络192.168.7.0/24。 要求 本文档中介绍的所有动态路由协议(OSPF、EIGRP和BGP)的一般知识。 熟悉思科安全防火墙设备上的CLI配置。 使用的组件本文档中的信息基于以下软件版本: 带ASA 9.20或更高版本的思科安全防火墙。注意:本文档中的信息是从特定实验环境中的设备创建的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。 背景信息 动态虚拟隧道接口动态虚拟隧道接口(DVTI)可为远程访问虚拟专用网络(VPN)提供高度安全且可扩展的连接。 DVTI可用于集中星型配置。隧道为每个VPN会话提供按需独立虚拟访问接口。 1.分支发起与中心的IKE交换请求,以进行VPN连接。 2.中心对分支进行身份验证。 3.思科安全防火墙管理中心在中心上分配动态虚拟模板。 4.虚拟模板在集线器上动态生成虚拟访问接口。此接口对于每个分支的VPN会话是唯一的。 5.中心与使用虚拟访问接口的分支建立动态VTI隧道。 6.中心和分支使用动态路由协议(BGP/OSPF/EIGRP)或受保护网络功能(多安全关联VTI)通过隧道交换流量。 7.动态VTI的功能与任何其他接口类似,因此只要隧道处于活动状态,您就可以应用QoS、防火墙规则、路由协议和其他功能。 8.在HUB设备和多个远程/分支站点的多个静态隧道接口上创建一个DVTI。 在本文中,可以通过DVTI测试BGP、OSPF和EIGRP。 注意:思科安全防火墙在版本7.3上添加了DVTI支持,目前根据Cisco Bug ID CSCwe13781,仅支持一个DVTI。 配置 网络图 配置思科安全防火墙中心配置 配置物理隧道源接口。 interface GigabitEthernet0/0 nameif vlan2820 security-level 100 ip address 10.28.20.98 255.255.255.0配置IkEv2策略。 crypto ikev2 policy 1 encryption aes-256 aes-192 aes integrity sha512 sha384 sha256 sha group 21 20 14 prf sha256 lifetime seconds 86400配置IPSEC策略并将其附加到新的IPSEC配置文件。 crypto ipsec ikev2 ipsec-proposal VPN-LAB protocol esp encryption aes-256 aes-192 aes protocol esp integrity sha-512 sha-256 sha-1 crypto ipsec profile VPN-LAB-PROFILE set ikev2 ipsec-proposal VPN-LAB set security-association lifetime seconds 1000使用之前创建的IPSEC配置文件配置虚拟模板,并将其分配到为DVTI提供IP地址的环回接口。 注:虚拟模板用于为按需隧道配置DVTI。 interface Loopback200 nameif DVTI-LOOPBACK ip address 172.16.17.1 255.255.255.255 interface Virtual-Template1 type tunnel nameif DVTI-HUB ip unnumbered DVTI-LOOPBACK tunnel source interface vlan2820 tunnel mode ipsec ipv4 tunnel protection ipsec profile FMC_IPSEC_PROFILE_2创建辅助环回接口以模拟来自集线器后OnPREM网络的流量。 注意:如果集线器后面有本地流量,请跳过此步骤。 interface Loopback100 nameif ON-PREM ip address 192.168.9.1 255.255.255.255配置隧道组。 注意:命令路由集接口将DVTI IP地址作为静态IP地址发送到对等设备。 tunnel-group 10.28.20.100 type ipsec-l2l tunnel-group 10.28.20.100 ipsec-attributes virtual-template 1 ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** ikev2 route set interface在构建隧道的接口上启用IKEv2。 crypto ikev2 enable vlan2820思科安全防火墙分支配置 配置物理隧道源接口。 interface GigabitEthernet0/0 nameif vlan2820 security-level 100 ip address 10.28.20.100 255.255.255.0配置IKEv2策略。 crypto ikev2 policy 1 encryption aes-256 aes-192 aes integrity sha512 sha384 sha256 sha group 21 20 14 prf sha256 lifetime seconds 86400配置IPSEC策略并将其附加到新的IPSEC配置文件。 crypto ipsec ikev2 ipsec-proposal VPN-LAB protocol esp encryption aes-256 aes-192 aes protocol esp integrity sha-512 sha-256 sha-1 crypto ipsec profile VPN-LAB-PROFILE set ikev2 ipsec-proposal VPN-LAB set security-association lifetime seconds 1000使用之前创建的IPSEC配置文件配置静态虚拟隧道接口,并将其分配给提供未编号IP地址的环回接口。 interface Loopback200 nameif VTI-LOOPBACK ip address 172.16.17.2 255.255.255.255 interface Tunnel2 nameif SVTI-SPOKE-3 ip unnumbered VTI-LOOPBACK tunnel source interface vlan2820 tunnel destination 10.28.20.98 tunnel mode ipsec ipv4 tunnel protection ipsec profile VPN-LAB-PROFILE创建辅助环回接口以模拟来自分支后LAN-REMOTE-1网络的流量。 interface Loopback100 nameif LAN-REMOTE-1 ip address 192.168.7.1 255.255.255.255配置隧道组。 注意:命令路由集接口将SVTI IP地址作为静态IP地址发送到对等设备。 tunnel-group 10.28.20.98 type ipsec-l2l tunnel-group 10.28.20.98 ipsec-attributes ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** ikev2 route set interface在可以建立隧道的接口上启用IKEv2。 crypto ikev2 enable vlan2820 配置 OSPF中心配置 注意:Redistribute connected subnets命令用于通过OSPF将OnPREM网络通告到分支。根据设计,重分发可以不同。 router ospf 1 router-id 172.16.17.1 network 172.16.17.0 255.255.255.0 area 0 log-adj-changes redistribute connected subnets分支配置 router ospf 1 router-id 172.16.17.2 network 172.16.17.0 255.255.255.0 area 0 log-adj-changes redistribute connected subnets 检验OSPF集线器验证 ASAV2-hub# show ospf Routing Process "ospf 1" with ID 172.16.17.1 Start time: 4d23h, Time elapsed: 3d04h Supports only single TOS(TOS0) routes Supports opaque LSA Supports Link-local Signaling (LLS) Supports area transit capability Event-log enabled, Maximum number of events: 1000, Mode: cyclic It is an autonomous system boundary router Redistributing External Routes from, connected, includes subnets in redistribution Router is not originating router-LSAs with maximum metric Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Incremental-SPF disabled Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 5. Checksum Sum 0x39716 Number of opaque AS LSA 0. Checksum Sum 0x0 Number of DCbitless external and opaque AS LSA 0 Number of DoNotAge external and opaque AS LSA 0 Number of areas in this router is 1. 1 normal 0 stub 0 nssa Number of areas transit capable is 0 External flood list length 0 IETF NSF helper support enabled Cisco NSF helper support enabled Reference bandwidth unit is 100 mbps Area BACKBONE(0) Number of interfaces in this area is 3 (1 loopback) Area has no authentication SPF algorithm last executed 2d04h ago SPF algorithm executed 10 times Area ranges are Number of LSA 2. Checksum Sum 0x1c99f Number of opaque link LSA 0. Checksum Sum 0x0 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 ASAV2-hub# show ospf neighbor Neighbor ID Pri State Dead Time Address Interface 172.16.17.2 0 FULL/ - 0:00:39 172.16.17.2 DVTI-HUB_va11集线器上的路由表现在通过OSPF显示LAN-REMOTE-1网络。 ASAV2-hub# show route ospf Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route SI - Static InterVRF, BI - BGP InterVRF Gateway of last resort is 10.28.20.101 to network 0.0.0.0 O E2 192.168.7.0 255.255.255.255 [110/20] via 172.16.17.2, 2d04h, DVTI-HUB_va11分支验证 ASAv-spoke-2# show ospf Routing Process "ospf 1" with ID 172.16.17.2 Start time: 3w3d, Time elapsed: 3d04h Supports only single TOS(TOS0) routes Supports opaque LSA Supports Link-local Signaling (LLS) Supports area transit capability Event-log enabled, Maximum number of events: 1000, Mode: cyclic It is an autonomous system boundary router Redistributing External Routes from, connected, includes subnets in redistribution Router is not originating router-LSAs with maximum metric Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Incremental-SPF disabled Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 4. Checksum Sum 0x37bc8 Number of opaque AS LSA 0. Checksum Sum 0x0 Number of DCbitless external and opaque AS LSA 0 Number of DoNotAge external and opaque AS LSA 0 Number of areas in this router is 1. 1 normal 0 stub 0 nssa Number of areas transit capable is 0 External flood list length 0 IETF NSF helper support enabled Cisco NSF helper support enabled Reference bandwidth unit is 100 mbps Area BACKBONE(0) Number of interfaces in this area is 2 (1 loopback) Area has no authentication SPF algorithm last executed 2d04h ago SPF algorithm executed 1 times Area ranges are Number of LSA 2. Checksum Sum 0x1fe9a Number of opaque link LSA 0. Checksum Sum 0x0 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 ASAv-spoke-2# show ospf neighbor Neighbor ID Pri State Dead Time Address Interface 172.16.17.1 0 FULL/ - 0:00:34 172.16.17.1 SVTI-SPOKE-3分支上的路由表现在显示通过OSPF的OnPREM网络。 ASAv-spoke-2# show route ospf Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route SI - Static InterVRF, BI - BGP InterVRF Gateway of last resort is 10.28.20.101 to network 0.0.0.0 O E2 192.168.9.1 255.255.255.255 [110/20] via 172.16.17.1, 2d04h, SVTI-SPOKE-3现在,分支LAN-REMOTE-1可以访问OnPREM。 ASAv-spoke-2# ping LAN-REMOTE-1 192.168.9.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.9.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms ASAv-spoke-2# show crypto ipsec sa peer 10.28.20.98 | i cap|iden|spi local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 current outbound spi: 4BC1FF2C current inbound spi : FB455CB8 spi: 0xFB455CB8 (4215626936) spi: 0x4BC1FF2C (1271004972)现在,集线器OnPREM能够到达LAN-REMOTE-1。 ASAV2-hub# ping ON-PREM 192.168.7.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.7.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms ASAV2-hub# show crypto ipsec sa peer 10.28.20.100 peer address: 10.28.20.100 interface: DVTI-HUB_va12 Crypto map tag: DVTI-HUB_vtemplate_dyn_map, seq num: 1, local addr: 10.28.20.98 Protected vrf (ivrf): Global local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer: 10.28.20.100 #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15 #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #TFC rcvd: 0, #TFC sent: 0 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 10.28.20.98/500, remote crypto endpt.: 10.28.20.100/500 path mtu 1500, ipsec overhead 94(44), media mtu 1500 PMTU time remaining (sec): 0, DF policy: copy-df ICMP error validation: disabled, TFC packets: disabled 配置 EIGRP中心配置: ASAV2-hub# sh run router router eigrp 10 network 172.16.17.0 255.255.255.0 redistribute connected辐条配置: ASAv-spoke-2# sh run router router eigrp 10 network 172.16.17.0 255.255.255.0 redistribute connected现在,分支LAN-REMOTE-1可以访问OnPREM。 ASAv-spoke-2# ping LAN-REMOTE-1 192.168.9.1 rep 100 Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 192.168.9.1, timeout is 2 seconds: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/10 ms ASAv-spoke-2# show crypto ipsec sa peer 10.28.20.98 | i cap|iden|spi local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) #pkts encaps: 102, #pkts encrypt: 102, #pkts digest: 102 #pkts decaps: 102, #pkts decrypt: 102, #pkts verify: 102 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 current outbound spi: 3EED404C current inbound spi : 646D2C0C spi: 0x646D2C0C (1684876300) spi: 0x3EED404C (1055735884)现在,集线器OnPREM能够到达LAN-REMOTE-1。 ASAV2-hub# ping ON-PREM 192.168.7.1 rep 100 Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 192.168.7.1, timeout is 2 seconds: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/10 ms ASAV2-hub# show crypto ipsec sa peer 10.28.20.100 | i cap|iden|spi local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) #pkts encaps: 208, #pkts encrypt: 208, #pkts digest: 208 #pkts decaps: 208, #pkts decrypt: 208, #pkts verify: 208 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 current outbound spi: 646D2C0C current inbound spi : 3EED404C spi: 0x3EED404C (1055735884) spi: 0x646D2C0C (1684876300) 检验EIGRP集线器验证: ASAV2-hub# show eigrp neighbors EIGRP-IPv4 Neighbors for AS(10) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 172.16.17.2 DVTI-HUB_va12 12 00:02:01 8 200 0 4集线器上的路由表现在通过EIGRP显示LAN-REMOTE-1网络。 ASAV2-hub# show route eigrp Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route SI - Static InterVRF, BI - BGP InterVRF Gateway of last resort is 10.28.20.101 to network 0.0.0.0 D EX 192.168.7.1 255.255.255.255 [170/53760] via 172.16.17.2, 00:05:28, DVTI-HUB_va12分支验证: ASAv-spoke-2# show eigrp neighbors EIGRP-IPv4 Neighbors for AS(10) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 172.16.17.1 SVTI-SPOKE-3 12 00:07:05 34 204 0 3分支上的路由表现在显示通过EIGRP的OnPREM网络。 ASAv-spoke-2# show route eigrp Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route SI - Static InterVRF, BI - BGP InterVRF Gateway of last resort is 10.28.20.101 to network 0.0.0.0 D EX 192.168.9.1 255.255.255.255 [170/53760] via 172.16.17.1, 00:07:43, SVTI-SPOKE-3 配置BGP注:当静态或动态VTI接口与eBGP组合时,如果使用BGP,请确保TTL跳的值大于1。 中心配置: router bgp 100 bgp log-neighbor-changes bgp bestpath compare-routerid address-family ipv4 unicast neighbor 172.16.17.2 remote-as 200 neighbor 172.16.17.2 ebgp-multihop 10 neighbor 172.16.17.2 activate redistribute connected no auto-summary no synchronization exit-address-family分支配置 router bgp 200 bgp log-neighbor-changes bgp bestpath compare-routerid address-family ipv4 unicast neighbor 172.16.17.1 remote-as 100 neighbor 172.16.17.1 ebgp-multihop 10 neighbor 172.16.17.1 activate redistribute connected no auto-summary no synchronization exit-address-family 检验BGP集线器验证: ASAV2-hub# show bgp neighbors BGP neighbor is 172.16.17.2, context single_vf, remote AS 200, external link BGP version 4, remote router ID 192.168.7.1 BGP state = Established, up for 00:05:28 Last read 00:00:01, last write 00:01:00, hold time is 180, keepalive interval is 60 seconds Neighbor sessions: 1 active, is not multisession capable (disabled) Neighbor capabilities: Route refresh: advertised and received(new) Four-octets ASN Capability: advertised and received Address family IPv4 Unicast: advertised and received Multisession Capability: Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 1 1 Notifications: 0 0 Updates: 2 2 Keepalives: 6 6 Route Refresh: 0 0 Total: 9 9 Default minimum time between advertisement runs is 30 seconds For address family: IPv4 Unicast Session: 172.16.17.2 BGP table version 7, neighbor version 7/0 Output queue size : 0 Index 1 1 update-group member Sent Rcvd Prefix activity: ---- ---- Prefixes Current: 3 3 (Consumes 240 bytes) Prefixes Total: 3 3 Implicit Withdraw: 0 0 Explicit Withdraw: 0 0 Used as bestpath: n/a 2 Used as multipath: n/a 0 Outbound Inbound Local Policy Denied Prefixes: -------- ------- Bestpath from this peer: 2 n/a Total: 2 0 Number of NLRIs in the update sent: max 3, min 0 Address tracking is enabled, the RIB does have a route to 172.16.17.2 Connections established 1; dropped 0 Last reset never External BGP neighbor may be up to 10 hops away. Transport(tcp) path-mtu-discovery is enabled Graceful-Restart is disabled ASAV2-hub# ASAV2-hub# sh run router router bgp 100 bgp log-neighbor-changes bgp bestpath compare-routerid address-family ipv4 unicast neighbor 172.16.17.2 remote-as 200 neighbor 172.16.17.2 ebgp-multihop 10 neighbor 172.16.17.2 activate redistribute connected no auto-summary no synchronization exit-address-family ! ASAV2-hub# sh run all router router bgp 100 bgp log-neighbor-changes no bgp always-compare-med no bgp asnotation dot no bgp bestpath med bgp bestpath compare-routerid bgp default local-preference 100 no bgp deterministic-med bgp enforce-first-as bgp maxas-limit 0 bgp transport path-mtu-discovery timers bgp 60 180 0 address-family ipv4 unicast bgp scan-time 60 bgp nexthop trigger enable bgp nexthop trigger delay 5 bgp aggregate-timer 30 neighbor 172.16.17.2 remote-as 200 neighbor 172.16.17.2 ebgp-multihop 10 neighbor 172.16.17.2 activate no bgp redistribute-internal no bgp soft-reconfig-backup no bgp suppress-inactive redistribute connected distance bgp 20 200 200 no auto-summary no synchronization exit-address-family !集线器上的路由表现在通过BGP显示LAN-REMOTE-1网络。 ASAV2-hub# show route bgp Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route SI - Static InterVRF, BI - BGP InterVRF Gateway of last resort is 10.28.20.101 to network 0.0.0.0 B 192.168.7.1 255.255.255.255 [20/0] via 172.16.17.2, 00:06:16分支验证: ASAv-spoke-2# show bgp neighbors BGP neighbor is 172.16.17.1, context single_vf, remote AS 100, external link BGP version 4, remote router ID 192.168.9.1 BGP state = Established, up for 00:06:59 Last read 00:00:27, last write 00:00:20, hold time is 180, keepalive interval is 60 seconds Neighbor sessions: 1 active, is not multisession capable (disabled) Neighbor capabilities: Route refresh: advertised and received(new) Four-octets ASN Capability: advertised and received Address family IPv4 Unicast: advertised and received Multisession Capability: Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 1 1 Notifications: 0 0 Updates: 2 2 Keepalives: 7 8 Route Refresh: 0 0 Total: 10 11 Default minimum time between advertisement runs is 30 seconds For address family: IPv4 Unicast Session: 172.16.17.1 BGP table version 9, neighbor version 9/0 Output queue size : 0 Index 1 1 update-group member Sent Rcvd Prefix activity: ---- ---- Prefixes Current: 3 3 (Consumes 240 bytes) Prefixes Total: 3 3 Implicit Withdraw: 0 0 Explicit Withdraw: 0 0 Used as bestpath: n/a 2 Used as multipath: n/a 0 Outbound Inbound Local Policy Denied Prefixes: -------- ------- Bestpath from this peer: 3 n/a Total: 3 0 Number of NLRIs in the update sent: max 3, min 0 Address tracking is enabled, the RIB does have a route to 172.16.17.1 Connections established 1; dropped 0 Last reset never External BGP neighbor may be up to 10 hops away. Transport(tcp) path-mtu-discovery is enabled Graceful-Restart is disabled分支上的路由表现在通过BGP显示OnPREM网络。 ASAv-spoke-2# show route bgp Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route SI - Static InterVRF, BI - BGP InterVRF Gateway of last resort is 10.28.20.101 to network 0.0.0.0 B 192.168.9.1 255.255.255.255 [20/0] via 172.16.17.1, 00:09:22 故障排除要排除OSPF故障,请使用以下调试和show命令: debug ip ospf debug ip ospf packet debug ip ospf events debug ip ospf hello debug ip ospf adj show ospf show ospf neighbor show ospf interface要排除EIGRP故障,请使用以下debugs和show命令: debug ip eigrp debug ip eigrp neighbor debug ip eigrp notifications show eigrp show eigrp show eigrp interfaces show eigrp neighbors show eigrp topology要排除BGP故障,请使用以下调试和show命令:。 debug ip bgp all debug ip bgp updates debug ip bgp events show bgp show bgp summary show bgp neighbors要对IKEv2进行故障排除,请使用以下debugs和show命令: debug crypto ikev2 protocol 255 debug crypto ikev2 platform 255 debug crypto ipsec 255 相关信息 思科技术支持和下载 |
今日新闻 |
推荐新闻 |
| CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |