DMVPN实验手册

DMVPN实验：VPN-DMVPNHUBHUB(config)#inttunnel0HUB(config-if)#ipaddress172.16.1.100255.255.255.0HUB(config-if)#tunnelsourcef0/0HUB(config-if)#tunnelmodegremultipoint//隧道模式为gre多点HUB(config-if)#tunnelkey123---------------------------------mGRE配置---------------------------------------HUB(config-if)#ipnhrpnetwork-id10//激活NHRP，HUB(config-if)#ipnhrpauthenticationcisco//激活NHRP认证HUB(config-if)#ipnhrpmapmulticastdynamic//动态接收NHRP的组播映射（动态接收多重广播）---------------------------------HNRP配置---------------------------------------HUB(config)#routereigrp90HUB(config-router)#noauHUB(config-router)#net172.16.1.00.0.0.255HUB(config-router)#net192.168.100.00.0.0.255---------------------------------动态路由配置---------------------------------------HUB(config)#inttunnel0HUB(config-if)#noipsplit-horizoneigrp90//关闭EIGRP水平分割，让其能够学习到其他分支站点之间的路由---------------------------------关闭水平分割配置---------------------------------------HUB(config)#inttunnel0HUB(config-if)#noipnext-hop-selfeig90//由于是Hub-and-Spoke拓扑结构，在spoke之间通信时，默认是通过Hub来转发的，配置此命令，sopke之间的路由下一跳直接指向相应的spoke的tunnel接口的IP地址---------------------------------关闭下一跳配置---------------------------------------HUB(config)#cryptoisakmppolicy10HUB(config-isakmp)#authenticationpre-shareHUB(config)#cryptoisakmpkey0ciscoaddress0.0.0.00.0.0.0//由于sopke端的IP地址未知，有可能通过ISP动态获得，所以采用动态方式，sopke端IP为0.0.0.0HUB(config)#cryptoipsectransform-setciscoesp-desesp-md5-hmacHUB(cfg-crypto-trans)#modetransportHUB(config)#cryptoipsecprofiledmvpnHUB(ipsec-profile)#settransform-setciscoHUB(config)#inttunnel0HUB(config-if)#ipmtu1400HUB(config-if)#tunnelprotectionipsecprofiledmvpn---------------------------------IPSECVPN配置------------------------------------------------------------------------HUBEND---------------------------------------------spoke1spoke1(config)#inttunnel0spoke1(config-if)#ipaddress172.16.1.1255.255.255.0spoke1(config-if)#tunnelsourcef0/0spoke1(config-if)#tunnelmodegremultipointspoke1(config-if)#tunnelkey123spoke1(config-if)#ipnhrpnetwork-id10spoke1(config-if)#ipnhrpauthenticationciscospoke1(config-if)#ipnhrpmap172.16.1.100202.100.1.100//手动nhrp映射，映射中心站点的隧道虚拟IP到中心站点的公网IP，有了这个映射，分支站点才能访问中心站点spoke1(config-if)#ipnhrpmapmulticast202.100.1.100//mGRE是NBMA网咯，分支站点要和中心站点建立动态路由协议的邻居关系，必须在每一个分支站点，映射组播到中心站点的公网IP，这样才能够把分支站点的组播送到中心站点，并且可以看到分支站点间没有组播映射，所以分支站点间没有动态路由协议的邻居关系spoke1(config-if)#ipnhrpnhs172.16.1.100//nhs是nhrp的服务器，这个配置定义了nhrp服务器地址为中心站点的隧道接口虚拟地址172.16.1.100---------------------------------HNRP配置---------------------------------------spoke1(config)#routereig90spoke1(config-router)#noauspoke1(config-router)#net172.16.1.00.0.0.255spoke1(config-router)#net192.168.1.00.0.0.255---------------------------------动态路由配置---------------------------------------spoke1(config)#cryptoisakmppolicy10spoke1(config-isakmp)#authenticationpre-sharespoke1(config)#cryptoisakmpkey0ciscoaddress0.0.0.00.0.0.0spoke1(config)#cryptoipsectransform-setciscoesp-desesp-md5-hmacspoke1(cfg-crypto-trans)#modetransportspoke1(config)#cryptoipsecprofiledmvpnspoke1(ipsec-profile)#settransform-setciscospoke1(config)#inttunnel0spoke1(config-if)#ipmtu1400spoke1(config-if)#tunnelprotectionipsecprofiledmvpn---------------------------------IPSECVPN配置------------------------------------------------------------------------SPOKE1END------------------------------------------Spoke2spoke2(config)#inttunnel0spoke2(config-if)#ipaddress172.16.1.2255.255.255.0spoke2(config-if)#tunnelmodegremultipointspoke2(config-if)#tunnelsourcef0/0spoke2(config-if)#tunnelkey123spoke2(config-if)#ipnhrpnetwork-id10spoke2(config-if)#ipnhrpauthenticationciscospoke2(config-if)#ipnhrpmap172.16.1.100202.100.1.100spoke2(config-if)#ipnhrpmapmulticast202.100.1.100spoke2(config-if)#ipnhrpnhs172.16.1.100---------------------------------HNRP配置---------------------------------------spoke2(config)#routereigrp90spoke2(config-router)#noauspoke2(config-router)#net172.16.1.00.0.0.255spoke2(config-router)#net192.168.2.00.0.0.255---------------------------------动态路由配置---------------------------------------spoke2(config)#cryptoisakmppolicy10spoke2(config-isakmp)#authenticationpre-sharespoke2(config)#cryptoisakmpkey0ciscoaddress0.0.0.00.0.0.0spoke2(config)#cryptoipsectransform-setciscoesp-desesp-md5-hmacspoke2(cfg-crypto-trans)#modetransportspoke2(config)#cryptoipsecprofiledmvpnspoke2(ipsec-profile)#settransform-setciscospoke2(config)#inttunnel0spoke2(config-if)#ipmtu1400spoke2(config-if)#tunnelprotectionipsecprofiledmvpn---------------------------------IPSECVPN配置------------------------------------------------------------------------SPOKE2END------------------------------------------第三阶段DMVPN实验HUBHUB(config)#inttunnel0HUB(config-if)#ipaddress172.16.1.100255.255.255.0HUB(config-if)#tunnelsourcef0/0HUB(config-if)#tunnelmodegremultipointHUB(config-if)#tunnelkey123HUB(config-if)#ipnhrpnetwork-id10HUB(config-if)#ipnhrpauthenticationciscoHUB(config-if)#ipnhrpmapmulticastdynamicHUB(config-if)#ipnhrpredirect//第三阶段DMVPN需要在HUB端启用NHRP重定向，这样中心站点才会给分支站点发送NHRP重定向信息来优化下一跳（第二阶段无这条命令）---------------------------------MGRENHRP配置---------