DMVPN EIGRP routes not passing through

network engineering acl eigrp
2022-02-13 00:52:36

I have a problem with a DMVPN tunnel I recently created. I did some troubleshooting and found that the tunnel between the two sites is up, but no traffic is passing between them. To create this tunnel I took the code from a working tunnel and modified it as needed for the new one. In my research I have not found a configuration example similar to what is configured on my routers. I think the problem lies with EIGRP or the access lists.

Here is the config of the spoke router (Cisco 1921 running 15.4) that is not passing traffic through the tunnel; Internet access works.

interface Tunnel0
 bandwidth 10000
 ip unnumbered GigabitEthernet0/1
 tunnel source Cellular0/0/0
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Mesh-VPN

router eigrp 1
 network 192.168.154.0
 passive-interface default
 no passive-interface Tunnel0

Below are the results of the show commands for EIGRP neighbors and ip access-lists on the spoke router that is not passing traffic.

PatonBMCXRou#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
PatonBMCXRou#show ip access-list
Extended IP access list Internet-IN
    10 permit udp any any eq non500-isakmp
    20 permit udp any any eq isakmp (3 matches)
    30 permit esp any any
Extended IP access list InternetIn
Extended IP access list NAT
    10 deny ip 192.168.148.0 0.0.2.255 192.168.154.0 0.0.0.255
    20 deny ip 192.168.152.0 0.0.7.255 192.168.154.0 0.0.0.255
    30 permit ip 192.168.154.0 0.0.0.255 any (11004 matches)
Extended IP access list VPDNSplitTunnel
    10 permit ip 192.168.148.0 0.0.2.255 192.168.154.0 0.0.0.255
    20 permit ip 192.168.152.0 0.0.7.255 192.168.154.0 0.0.0.255
Extended IP access list acl-nat
Extended IP access list acl-static-nat

Here is the config on the spoke router (Cisco 3925 running 15.2). The Port Arthur tunnel works and I can pass traffic through it. BMCX 1, the tunnel is up but I cannot

interface Tunnel2
 description BMCX
 bandwidth 5000
 no ip address
 delay 100
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Mesh-VPN
!
interface Tunnel4
 description Port Arthur
 bandwidth 10000
 ip unnumbered Vlan1
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Mesh-VPN

Below are the results of the show commands for EIGRP neighbors and ip access-lists on the hub router.

HouCoreRou#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.31.254.246          Tu0                      11 1d21h      51   582  0  6335
1   172.31.254.251          Tu1                      10 2d00h      80   582  0  12169
2   192.168.153.1           Tu4                      11 6d02h      17   102  0  260
HouCoreRou#show ip access-list
Standard IP access list 10
    10 permit any
Standard IP access list Management
    10 permit (IP Removed), wildcard bits 0.0.0.3
    20 permit 192.168.148.0, wildcard bits 0.0.3.255
    30 permit 192.168.153.0, wildcard bits 0.0.0.255
    40 permit 10.0.8.0, wildcard bits 0.0.3.255
    50 permit 10.0.44.0, wildcard bits 0.0.3.255
    60 permit 192.168.150.0, wildcard bits 0.0.0.255
Extended IP access list InternetIn
    200 permit icmp any any (1143766 matches)
    210 permit udp any any eq non500-isakmp
    220 permit udp any any eq isakmp

Extended IP access list NAT
    10 deny ip 192.168.146.0 0.0.4.255 10.0.12.0 0.0.1.255
    20 deny ip 192.168.146.0 0.0.4.255 10.0.40.0 0.0.3.255
    30 deny ip 192.168.146.0 0.0.4.255 10.0.44.0 0.0.3.255
    40 deny ip 10.0.8.0 0.0.3.255 192.168.146.0 0.0.4.255
    50 deny ip 10.0.8.0 0.0.3.255 10.0.8.0 0.0.3.255
    60 deny ip 10.0.8.0 0.0.3.255 10.0.12.0 0.0.1.255
    70 deny ip 10.0.8.0 0.0.3.255 10.0.40.0 0.0.3.255
    80 deny ip 10.0.8.0 0.0.3.255 10.0.44.0 0.0.3.255
    90 deny ip 10.0.12.0 0.0.1.255 192.168.146.0 0.0.4.255
    100 deny ip 10.0.12.0 0.0.1.255 10.0.8.0 0.0.3.255
    110 deny ip 10.0.12.0 0.0.1.255 10.0.12.0 0.0.1.255
    120 deny ip 10.0.12.0 0.0.1.255 10.0.40.0 0.0.3.255
    130 deny ip 10.0.12.0 0.0.1.255 10.0.44.0 0.0.3.255
    140 deny ip 10.0.40.0 0.0.3.255 192.168.146.0 0.0.4.255
    150 deny ip 10.0.40.0 0.0.3.255 10.0.8.0 0.0.3.255
    160 deny ip 10.0.40.0 0.0.3.255 10.0.12.0 0.0.1.255
    170 deny ip 10.0.40.0 0.0.3.255 10.0.40.0 0.0.3.255
    180 deny ip 10.0.40.0 0.0.3.255 10.0.44.0 0.0.3.255
    190 deny ip 10.0.44.0 0.0.3.255 192.168.146.0 0.0.4.255
    200 deny ip 10.0.44.0 0.0.3.255 10.0.8.0 0.0.3.255
    210 deny ip 10.0.44.0 0.0.3.255 10.0.12.0 0.0.1.255
    220 deny ip 10.0.44.0 0.0.3.255 10.0.40.0 0.0.3.255
    230 deny ip 10.0.44.0 0.0.3.255 10.0.44.0 0.0.3.255
    240 permit ip 192.168.150.0 0.0.1.255 any (20325248 matches)
    250 permit ip 192.168.152.0 0.0.1.255 any
    260 permit ip 192.168.153.0 0.0.0.255 any
    270 permit ip 10.0.8.0 0.0.3.255 any (7381154 matches)
    280 permit ip 10.0.12.0 0.0.1.255 any (430120 matches)
    290 permit ip 10.0.40.0 0.0.3.255 any (672384 matches)
    300 permit ip 10.0.44.0 0.0.3.255 any (2 matches)
    310 deny ip 192.168.146.0 0.0.4.255 192.168.146.0 0.0.4.255
    320 deny ip 192.168.146.0 0.0.4.255 10.0.8.0 0.0.3.255

Extended IP access list VPDNSplitTunnel
    10 permit ip 192.168.150.0 0.0.1.255 192.168.150.0 0.0.1.255
    20 permit ip 192.168.150.0 0.0.1.255 192.168.152.0 0.0.0.255
    30 permit ip 192.168.152.0 0.0.0.255 192.168.150.0 0.0.1.255
    40 permit ip 192.168.152.0 0.0.0.255 192.168.152.0 0.0.0.255
Extended IP access list acl-nat
    10 permit ip object-group og-rfc1918 any
    20 permit ip any object-group og-rfc1918
    30 deny ip object-group og-rfc1918 object-group og-rfc1918
Extended IP access list acl-static-nat
    10 permit ip object-group og-rfc1918 any (12138 matches)
    20 permit ip any object-group og-rfc1918
    30 deny ip object-group og-rfc1918 object-group og-rfc1918

Here is the config of the spoke router (Cisco 1921 running 15.1) that is passing traffic through the tunnel. This is where I took the code for the spoke that does not work.

interface Tunnel0
 bandwidth 10000
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination (IP Removed)
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Mesh-VPN

router eigrp 1
 network 192.168.153.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1

Below are the results of the show commands for EIGRP neighbors and ip access-lists on the spoke router that is passing traffic.

PAFiberRou#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.150.1           Tu0               14 6d02h      17   200  0  867
PAFiberRou#show ip access-list
Standard IP access list Management
    10 permit (IP Removed), wildcard bits 0.0.0.3
    20 permit 192.168.150.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit 192.168.153.0, wildcard bits 0.0.0.255
Extended IP access list InternetIn
    10 permit tcp any any eq 22 (38338 matches)
    20 permit udp any any eq isakmp (2885 matches)
    30 permit udp any any eq non500-isakmp (45565572 matches)
    40 permit esp any any (373917919 matches)
Extended IP access list NAT
    10 deny ip 192.168.150.0 0.0.1.255 192.168.153.0 0.0.0.255 (26 matches)
    20 deny ip 192.168.152.0 0.0.7.255 192.168.153.0 0.0.0.255 (2440069 matches)
    30 permit ip 192.168.153.0 0.0.0.255 any (5027871 matches)
Extended IP access list VPDNSplitTunnel
    10 permit ip 192.168.150.0 0.0.1.255 192.168.153.0 0.0.0.255
    20 permit ip 192.168.152.0 0.0.7.255 192.168.153.0 0.0.0.255

1 Answer

The answer is

IP unnumbered vlan1

on Tunnel 2 on the hub
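An added config-audit check, not part of the question or the answer: it splits an IOS-style config into stanzas and flags any Tunnel interface that EIGRP is set non-passive on but that carries neither `ip address` nor `ip unnumbered`, which is the condition the answer points at on the hub's Tunnel2. The sample config is constructed from the hub stanzas in the question; the hub's `router eigrp` block is an assumption, since the question does not show it.

```python
import re

# Constructed sample modelled on the hub config in the question: Tunnel2 has
# "no ip address" while Tunnel4 borrows Vlan1's address. The "router eigrp"
# stanza is assumed, since the hub's EIGRP block is not shown in the question.
SAMPLE_CONFIG = """\
interface Tunnel2
 no ip address
!
interface Tunnel4
 ip unnumbered Vlan1
!
router eigrp 1
 passive-interface default
 no passive-interface Tunnel2
 no passive-interface Tunnel4
"""

def parse_stanzas(config: str) -> dict[str, list[str]]:
    """Split an IOS-style config into top-level stanzas keyed by header line."""
    stanzas, header = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            header = None  # "!" or a blank line ends the current stanza
            continue
        if not line.startswith(" "):
            header, stanzas[line] = line, []  # unindented line starts a stanza
        elif header is not None:
            stanzas[header].append(line.strip())
    return stanzas

def audit_eigrp_tunnels(config: str) -> list[str]:
    """Flag tunnels EIGRP is told to speak on that carry no IPv4 address."""
    stanzas = parse_stanzas(config)
    unaddressed = set()
    for header, body in stanzas.items():
        m = re.fullmatch(r"interface (Tunnel\d+)", header)
        if m and not any(l.startswith(("ip address ", "ip unnumbered ")) for l in body):
            unaddressed.add(m.group(1))
    findings = []
    for header, body in stanzas.items():
        if not header.startswith("router eigrp"):
            continue
        for line in body:
            m = re.fullmatch(r"no passive-interface (\S+)", line)
            if m and m.group(1) in unaddressed:
                findings.append(f"{header}: {m.group(1)} has no IPv4 address; no EIGRP adjacency can form")
    return findings
```

Running `audit_eigrp_tunnels(SAMPLE_CONFIG)` reports Tunnel2 only; after adding `ip unnumbered Vlan1` to Tunnel2 the audit returns no findings.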