[old] DMVPN EIGRP passive-interface

An article moved over from note.

A memo, since a question I had about this got resolved.

Initial configuration

- Dual-hub Dual-cloud topology
- Phase 3 with EIGRP

Hub

iosv-1#sh run
Building configuration…

Current configuration : 3482 bytes
!
! Last configuration change at 14:06:26 UTC Wed Aug 23 2023
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname iosv-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel100
ip address 100.1.1.1 255.255.255.0
no ip redirects
ip nhrp network-id 100
ip nhrp redirect
ip summary-address eigrp 10 0.0.0.0 0.0.0.0
tunnel source 15.1.1.1
tunnel mode gre multipoint
!
interface GigabitEthernet0/0
ip address 187.1.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 15.1.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 19.1.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
!
router eigrp 1
network 15.1.1.1 0.0.0.0
!
!
router eigrp 100
network 187.1.1.1 0.0.0.0
!
!
router eigrp 10
network 100.0.0.0
network 100.1.1.1 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
ip prefix-list PRE seq 5 permit 0.0.0.0/0
ipv6 ioam timestamp
!
route-map DEFAULT permit 10
match ip address prefix-list PRE
!
!
!
control-plane
!
banner exec ^C
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
****^C
banner incoming ^C
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
****^C
banner login ^C
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
****^C
!
line con 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end

iosv-7#sh run
Building configuration…

Current configuration : 3519 bytes
!
! Last configuration change at 14:01:39 UTC Wed Aug 23 2023
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname iosv-7
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel200
ip address 200.1.1.7 255.255.255.0
no ip redirects
ip nhrp network-id 200
ip nhrp redirect
ip summary-address eigrp 10 0.0.0.0 0.0.0.0
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
!
interface GigabitEthernet0/0
ip address 187.1.1.7 255.255.255.0
ip summary-address eigrp 100 0.0.0.0 0.0.0.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 57.1.1.7 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 79.1.1.7 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
!
router eigrp 100
network 187.1.1.7 0.0.0.0
!
!
router eigrp 2
network 79.1.1.7 0.0.0.0
!
!
router eigrp 10
network 200.1.1.7 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
ip prefix-list PRE seq 5 permit 0.0.0.0/0
ipv6 ioam timestamp
!
route-map DEFAULT permit 10
match ip address prefix-list PRE
!
!
!
control-plane
!
!
line con 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end

Cloud

iosv-2#sh run
Building configuration…

Current configuration : 3647 bytes
!
! Last configuration change at 14:07:30 UTC Wed Aug 23 2023
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname iosv-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel100
ip address 100.1.1.2 255.255.255.0
no ip redirects
ip nhrp network-id 100
ip nhrp nhs 100.1.1.1 nbma 15.1.1.1 multicast
ip nhrp redirect
tunnel source 25.1.1.2
tunnel mode gre multipoint
!
interface Tunnel200
ip address 200.1.1.2 255.255.255.0
no ip redirects
ip nhrp network-id 200
ip nhrp nhs 200.1.1.7 nbma 79.1.1.7 multicast
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
!
interface GigabitEthernet0/0
ip address 25.1.1.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 24.1.1.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 29.1.1.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
!
router eigrp 1
network 25.1.1.2 0.0.0.0
!
!
router eigrp 2
network 29.1.1.2 0.0.0.0
!
!
router eigrp 10
network 100.1.1.2 0.0.0.0
network 200.1.1.2 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
route-map LOCAL_PREF permit 10
set local-preference 200
!
!
!
control-plane
!
!
line con 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end

iosv-3#sh run
Building configuration…

Current configuration : 3647 bytes
!
! Last configuration change at 14:12:05 UTC Wed Aug 23 2023
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname iosv-3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel100
ip address 100.1.1.3 255.255.255.0
no ip redirects
ip nhrp network-id 100
ip nhrp nhs 100.1.1.1 nbma 15.1.1.1 multicast
ip nhrp redirect
tunnel source 35.1.1.3
tunnel mode gre multipoint
!
interface Tunnel200
ip address 200.1.1.3 255.255.255.0
no ip redirects
ip nhrp network-id 200
ip nhrp nhs 200.1.1.7 nbma 79.1.1.7 multicast
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
!
interface GigabitEthernet0/0
ip address 35.1.1.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 36.1.1.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 39.1.1.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
!
router eigrp 1
network 35.1.1.3 0.0.0.0
!
!
router eigrp 2
network 39.1.1.3 0.0.0.0
!
!
router eigrp 10
network 100.1.1.3 0.0.0.0
network 200.1.1.3 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
route-map LOCAL_PREF permit 10
set local-preference 200
!
!
!
control-plane
!
!
line con 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end

Question

I didn't understand why, after enabling EIGRP on the spoke's interface facing its own site, passive-interface is added right away. Isn't it unnecessary to add it in the first place?

iosv-1(config)#router eigrp 1
iosv-1(config-router)#net 24.1.1.0 0.0.0.255
iosv-1(config-router)#passive-interface gi0/1

Resolution

A: Because we want to advertise the local site's prefix to the hub, but we do not want to advertise the internet routes and the like to the local site's router.

Verification

iosv-4#ping 36.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 36.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

iosv-1#sh ip ro | b Gate
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

D*    0.0.0.0/0 is a summary, 00:44:36, Null0
      15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        15.1.1.0/24 is directly connected, GigabitEthernet0/1
L        15.1.1.1/32 is directly connected, GigabitEthernet0/1
      18.0.0.0/32 is subnetted, 1 subnets
D        18.1.1.8 [90/130816] via 187.1.1.8, 00:47:47, GigabitEthernet0/0
      19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        19.1.1.0/24 is directly connected, GigabitEthernet0/2
L        19.1.1.1/32 is directly connected, GigabitEthernet0/2
      25.0.0.0/24 is subnetted, 1 subnets
D        25.1.1.0 [90/3072] via 15.1.1.5, 00:47:47, GigabitEthernet0/1
      35.0.0.0/24 is subnetted, 1 subnets
D        35.1.1.0 [90/3072] via 15.1.1.5, 00:47:47, GigabitEthernet0/1
      57.0.0.0/24 is subnetted, 1 subnets
D        57.1.1.0 [90/3072] via 15.1.1.5, 00:47:47, GigabitEthernet0/1
      100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        100.1.1.0/24 is directly connected, Tunnel100
L        100.1.1.1/32 is directly connected, Tunnel100
      187.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        187.1.1.0/24 is directly connected, GigabitEthernet0/0
L        187.1.1.1/32 is directly connected, GigabitEthernet0/0
D     200.1.1.0/24 [90/28160000] via 100.1.1.3, 00:46:58, Tunnel100
                   [90/28160000] via 100.1.1.2, 00:46:58, Tunnel100

The spokes can route because the hub advertises a default route to them, but the hub has no default route and does not hold each site's prefix, so it cannot route.

iosv-2(config)#router eigrp 10
iosv-2(config-router)#net 24.1.1.0 0.0.0.255

iosv-3(config)#router eigrp 10
iosv-3(config-router)#net 36.1.1.0 0.0.0.255

iosv-1#sh ip ro | b Gate
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

D*    0.0.0.0/0 is a summary, 00:46:17, Null0
      15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
<snip>
      24.0.0.0/24 is subnetted, 1 subnets
D        24.1.1.0 [90/26880256] via 100.1.1.2, 00:00:10, Tunnel100
D        36.1.1.0 [90/26880256] via 100.1.1.3, 00:00:03, Tunnel100
<snip>

iosv-4#ping 36.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 36.1.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/32/68 ms

Once EIGRP is enabled on the site side at each spoke, the hub learns each site's prefix and site-to-site communication works.
Left like this, however, EIGRP Hellos also flow toward the site side, and a rogue router there could obtain the internet-side prefixes.
The site-side routers (iosv-4, iosv-6) have a static default route pointing at the spoke, so the unneeded EIGRP Hello traffic is both a waste of bandwidth and a potential avenue for abuse, and it is better not to have it.

iosv-2(config-router)#passive-interface gi0/1
iosv-3(config-router)#passive-interface gi0/1

Therefore, add passive-interface.

Conclusion

- A spoke wants to advertise its own site's prefix only to the hub (it does not want EIGRP traffic flowing into its own site), so it enables EIGRP for its own site's prefix while designating the site-facing interface as passive-interface.
- Why don't we want EIGRP traffic flowing into the site? → It eats into bandwidth, and it opens the possibility that internet-side prefixes are obtained illegitimately.

References
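As an added example (not from the article or the book it cites), a small Python audit that applies the article's rule to a config dump: every non-tunnel interface that an EIGRP process covers through a network statement must be passive-interface, while the mGRE tunnel toward the hub stays active. The sample config is constructed in the style of iosv-2; it assumes full interface names as printed by show run, and passive-interface default is not handled.

```python
import ipaddress
import re

# Constructed sample in the style of the page's spoke iosv-2: EIGRP 10 now
# covers the site-facing GigabitEthernet0/1, but no passive-interface yet.
SPOKE_CONFIG = """
interface Tunnel100
 ip address 100.1.1.2 255.255.255.0
interface GigabitEthernet0/1
 ip address 24.1.1.2 255.255.255.0
router eigrp 10
 network 100.1.1.2 0.0.0.0
 network 24.1.1.0 0.0.0.255
"""
# The same config after the fix the article arrives at.
SPOKE_CONFIG_FIXED = SPOKE_CONFIG + " passive-interface GigabitEthernet0/1\n"

def classful_wildcard(net):
    """Wildcard IOS implies for a 'network' given without one (e.g. the hub's 100.0.0.0)."""
    first = int(net) >> 24
    return ipaddress.IPv4Address((1 << (24 if first < 128 else 16 if first < 192 else 8)) - 1)

def audit_eigrp_passive(cfg):
    """Return [(asn, iface)] for non-tunnel interfaces EIGRP enables but leaves non-passive."""
    ifaces, procs, section = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            section = ("if", m.group(1))
        elif m := re.match(r"router eigrp (\d+)$", line):
            section = ("eigrp", m.group(1))
            procs[section[1]] = {"networks": [], "passive": set()}
        elif section and section[0] == "if" and (m := re.match(r"ip address (\S+) (\S+)", line)):
            ifaces[section[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif section and section[0] == "eigrp":
            if m := re.match(r"network (\S+)(?: (\S+))?$", line):
                net = ipaddress.IPv4Address(m.group(1))
                wc = ipaddress.IPv4Address(m.group(2)) if m.group(2) else classful_wildcard(net)
                procs[section[1]]["networks"].append((int(net), 0xFFFFFFFF ^ int(wc)))  # (net, mask)
            elif m := re.match(r"passive-interface (\S+)$", line):
                procs[section[1]]["passive"].add(m.group(1))
    findings = []
    for asn, p in procs.items():
        for name, addr in ifaces.items():
            if name.startswith("Tunnel") or name in p["passive"]:
                continue  # the mGRE tunnel must stay active to peer with the hub
            if any((int(addr.ip) & mask) == (net & mask) for net, mask in p["networks"]):
                findings.append((asn, name))
    return findings
```

Running the audit before and after the fix flags GigabitEthernet0/1 under EIGRP 10 and then nothing, which is the state the article's passive-interface command is meant to reach.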

CCIE Enterprise Infrastructure Foundation, 2nd Edition

3.3 DMVPN