DMVPN Lab Manual
DMVPN
Lab:
VPN-DMVPN
HUB
HUB(config)#int tunnel0
HUB(config-if)#ip address 172.16.1.100 255.255.255.0
HUB(config-if)#tunnel source f0/0
HUB(config-if)#tunnel mode gre multipoint //tunnel mode is multipoint GRE
HUB(config-if)#tunnel key 123
---------------------------------mGRE configuration---------------------------------------
HUB(config-if)#ip nhrp network-id 10 //enable NHRP
HUB(config-if)#ip nhrp authentication cisco //enable NHRP authentication
HUB(config-if)#ip nhrp map multicast dynamic //dynamically accept NHRP multicast mappings (multicast destinations are learned dynamically)
---------------------------------NHRP configuration---------------------------------------
HUB(config)#router eigrp 90
HUB(config-router)#no au
HUB(config-router)#net 172.16.1.0 0.0.0.255
HUB(config-router)#net 192.168.100.0 0.0.0.255
---------------------------------Dynamic routing configuration---------------------------------------
HUB(config)#int tunnel0
HUB(config-if)#no ip split-horizon eigrp 90 //disable EIGRP split horizon so that the spokes can learn the routes of the other spoke sites
---------------------------------Disable split horizon configuration---------------------------------------
HUB(config)#int tunnel0
HUB(config-if)#no ip next-hop-self eig 90 //in a hub-and-spoke topology, spoke-to-spoke traffic is forwarded through the hub by default; with this command, the next hop of routes between spokes points directly at the tunnel interface IP address of the corresponding spoke
---------------------------------Disable next-hop-self configuration---------------------------------------
HUB(config)#crypto isakmp policy 10
HUB(config-isakmp)#authentication pre-share
HUB(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
//the spoke IP addresses are unknown and may be assigned dynamically by the ISP, so the peer is matched dynamically and the spoke IP is given as 0.0.0.0
HUB(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
HUB(cfg-crypto-trans)#mode transport
HUB(config)#crypto ipsec profile dmvpn
HUB(ipsec-profile)#set transform-set cisco
HUB(config)#int tunnel0
HUB(config-if)#ip mtu 1400
HUB(config-if)#tunnel protection ipsec profile dmvpn
---------------------------------IPsec VPN configuration---------------------------------------
---------------------------------HUB END---------------------------------------------
spoke1
spoke1(config)#int tunnel0
spoke1(config-if)#ip address 172.16.1.1 255.255.255.0
spoke1(config-if)#tunnel source f0/0
spoke1(config-if)#tunnel mode gre multipoint
spoke1(config-if)#tunnel key 123
spoke1(config-if)#ip nhrp network-id 10
spoke1(config-if)#ip nhrp authentication cisco
spoke1(config-if)#ip nhrp map 172.16.1.100 202.100.1.100 //static NHRP mapping: maps the hub's tunnel (virtual) IP to the hub's public IP; the spoke can only reach the hub once this mapping exists
spoke1(config-if)#ip nhrp map multicast 202.100.1.100 //mGRE is an NBMA network; for a spoke to form a dynamic routing protocol adjacency with the hub, every spoke must map multicast to the hub's public IP so that the spoke's multicast reaches the hub. Note that there is no multicast mapping between spokes, so spokes form no routing protocol adjacency with each other
spoke1(config-if)#ip nhrp nhs 172.16.1.100 //the NHS is the NHRP server; this sets the NHRP server address to the hub's tunnel interface virtual address 172.16.1.100
---------------------------------NHRP configuration---------------------------------------
spoke1(config)#router eig 90
spoke1(config-router)#no au
spoke1(config-router)#net 172.16.1.0 0.0.0.255
spoke1(config-router)#net 192.168.1.0 0.0.0.255
---------------------------------Dynamic routing configuration---------------------------------------
spoke1(config)#crypto isakmp policy 10
spoke1(config-isakmp)#authentication pre-share
spoke1(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
spoke1(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
spoke1(cfg-crypto-trans)#mode transport
spoke1(config)#crypto ipsec profile dmvpn
spoke1(ipsec-profile)#set transform-set cisco
spoke1(config)#int tunnel0
spoke1(config-if)#ip mtu 1400
spoke1(config-if)#tunnel protection ipsec profile dmvpn
---------------------------------IPsec VPN configuration---------------------------------------
---------------------------------SPOKE1 END------------------------------------------
spoke2
spoke2(config)#int tunnel0
spoke2(config-if)#ip address 172.16.1.2 255.255.255.0
spoke2(config-if)#tunnel mode gre multipoint
spoke2(config-if)#tunnel source f0/0
spoke2(config-if)#tunnel key 123
spoke2(config-if)#ip nhrp network-id 10
spoke2(config-if)#ip nhrp authentication cisco
spoke2(config-if)#ip nhrp map 172.16.1.100 202.100.1.100
spoke2(config-if)#ip nhrp map multicast 202.100.1.100
spoke2(config-if)#ip nhrp nhs 172.16.1.100
---------------------------------NHRP configuration---------------------------------------
spoke2(config)#router eigrp 90
spoke2(config-router)#no au
spoke2(config-router)#net 172.16.1.0 0.0.0.255
spoke2(config-router)#net 192.168.2.0 0.0.0.255
---------------------------------Dynamic routing configuration---------------------------------------
spoke2(config)#crypto isakmp policy 10
spoke2(config-isakmp)#authentication pre-share
spoke2(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
spoke2(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
spoke2(cfg-crypto-trans)#mode transport
spoke2(config)#crypto ipsec profile dmvpn
spoke2(ipsec-profile)#set transform-set cisco
spoke2(config)#int tunnel0
spoke2(config-if)#ip mtu 1400
spoke2(config-if)#tunnel protection ipsec profile dmvpn
---------------------------------IPsec VPN configuration---------------------------------------
---------------------------------SPOKE2 END------------------------------------------
Phase 3 DMVPN Lab
HUB
HUB(config)#int tunnel0
HUB(config-if)#ip address 172.16.1.100 255.255.255.0
HUB(config-if)#tunnel source f0/0
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#tunnel key 123
HUB(config-if)#ip nhrp network-id 10
HUB(config-if)#ip nhrp authentication cisco
HUB(config-if)#ip nhrp map multicast dynamic
HUB(config-if)#ip nhrp redirect //Phase 3 DMVPN requires NHRP redirect on the hub, so that the hub sends NHRP redirect messages to the spokes to optimize the next hop (Phase 2 does not have this command)
---------------------------------mGRE NHRP configuration---------------------------------------
HUB(config)#router eig 90
HUB(config-router)#no au
HUB(config-router)#net 172.16.1.0 0.0.0.255 //(Phase 2 also advertises 192.168.100.0)
HUB(config)#int tunnel0
HUB(config-if)#ip summary-address eig 90 192.168.0.0 255.255.0.0
//here there is no need to disable split horizon or to negate ip next-hop-self eigrp 90 to optimize routing; the hub only needs to send one summary route to all spokes
---------------------------------Dynamic routing configuration---------------------------------------
HUB(config)#crypto isakmp policy 10
HUB(config-isakmp)#authentication pre-share
HUB(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
HUB(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
HUB(cfg-crypto-trans)#mode transport
HUB(config)#crypto ipsec profile dmvpn
HUB(ipsec-profile)#set transform-set cisco
HUB(config)#int tunnel0
HUB(config-if)#ip mtu 1400
HUB(config-if)#tunnel protection ipsec profile dmvpn
---------------------------------IPsec VPN configuration---------------------------------------
---------------------------------HUB END---------------------------------------------
spoke1
spoke1(config)#int tunnel0
spoke1(config-if)#ip address 172.16.1.1 255.255.255.0
spoke1(config-if)#tunnel source f0/0
spoke1(config-if)#tunnel mode gre multipoint
spoke1(config-if)#tunnel key 123
spoke1(config-if)#ip nhrp network-id 10
spoke1(config-if)#ip nhrp authentication cisco
spoke1(config-if)#ip nhrp map 172.16.1.100 202.100.1.100
spoke1(config-if)#ip nhrp map multicast 202.100.1.100
spoke1(config-if)#ip nhrp nhs 172.16.1.100
spoke1(config-if)#ip nhrp shortcut //Phase 3 DMVPN requires NHRP shortcut on every spoke so that tunnels can be built directly between spokes (shortcut in the sense of a shorter path; Phase 2 does not have this command)
---------------------------------mGRE NHRP configuration---------------------------------------
spoke1(config)#router eig 90
spoke1(config-router)#no au
spoke1(config-router)#net 172.16.1.0 0.0.0.255
spoke1(config-router)#net 192.168.1.0 0.0.0.255
---------------------------------Dynamic routing configuration---------------------------------------
spoke1(config)#crypto isakmp policy 10
spoke1(config-isakmp)#authentication pre-share
spoke1(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
spoke1(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
spoke1(cfg-crypto-trans)#mode transport
spoke1(config)#crypto ipsec profile dmvpn
spoke1(ipsec-profile)#set transform-set cisco
spoke1(config)#int tunnel0
spoke1(config-if)#ip mtu 1400
spoke1(config-if)#tunnel protection ipsec profile dmvpn
---------------------------------IPsec VPN configuration---------------------------------------
---------------------------------SPOKE1 END-----------------------------------------
spoke2
spoke2(config)#int tunnel0
spoke2(config-if)#ip address 172.16.1.2 255.255.255.0
spoke2(config-if)#tunnel source f0/0
spoke2(config-if)#tunnel mode gre multipoint
spoke2(config-if)#tunnel key 123
spoke2(config-if)#ip nhrp network-id 10
spoke2(config-if)#ip nhrp authentication cisco
spoke2(config-if)#ip nhrp map 172.16.1.100 202.100.1.100
spoke2(config-if)#ip nhrp map multicast 202.100.1.100
spoke2(config-if)#ip nhrp nhs 172.16.1.100
spoke2(config-if)#ip nhrp shortcut
---------------------------------mGRE NHRP configuration---------------------------------------
spoke2(config)#router eig 90
spoke2(config-router)#no au
spoke2(config-router)#net 172.16.1.0 0.0.0.255
spoke2(config-router)#net 192.168.2.0 0.0.0.255
---------------------------------Dynamic routing configuration---------------------------------------
spoke2(config)#crypto isakmp policy 10
spoke2(config-isakmp)#authentication pre-share
spoke2(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
spoke2(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
spoke2(cfg-crypto-trans)#mode transport
spoke2(config)#crypto ipsec profile dmvpn
spoke2(ipsec-profile)#set transform-set cisco
spoke2(config)#int tunnel0
spoke2(config-if)#ip mtu 1400
spoke2(config-if)#tunnel protection ipsec profile dmvpn
---------------------------------IPsec VPN configuration---------------------------------------
---------------------------------SPOKE2 END-----------------------------------------
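A small audit over the settings this lab uses, as an added example that is not part of the original manual: it flags the DES/MD5 transform set, the wildcard (0.0.0.0 0.0.0.0) pre-shared key, an NHRP authentication string identical to the ISAKMP key, and a missing Phase 3 `ip nhrp redirect` (hub) or `ip nhrp shortcut` (spoke). The function names, finding codes and the faulty `spoke9` sample are assumptions made for illustration, and the check presumes Phase 3 is the intended design and that commands are written out in full.

```python
import re

# Constructed sample: Phase 3 hub and spoke settings from this lab (spaces restored).
COMMON = """crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
interface Tunnel0
 ip nhrp authentication cisco
"""
CONFIGS = {
    "HUB": ("hub", COMMON + " ip nhrp redirect\n"),
    "spoke1": ("spoke", COMMON + " ip nhrp shortcut\n"),
    # Constructed faulty spoke (hypothetical): the Phase 3 shortcut command is left out.
    "spoke9": ("spoke", COMMON),
}
# Transform-set keywords treated as weak by this example.
WEAK = {"esp-des": "56-bit DES", "esp-md5-hmac": "HMAC-MD5", "esp-null": "no encryption"}

def audit_device(role, config):
    """Return a sorted list of finding codes for one device's configuration text."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings, psk, nhrp_auth = set(), None, None
    for ln in lines:
        if m := re.match(r"crypto ipsec transform-set \S+ (.+)", ln):
            findings |= {f"weak-transform:{t}" for t in m.group(1).split() if t in WEAK}
        elif m := re.match(r"crypto isakmp key (?:\d+ )?(\S+) address (\S+)(?: (\S+))?", ln):
            psk = m.group(1)
            # 0.0.0.0 with an all-zero (or absent) mask means any peer may use this key.
            if m.group(2) == "0.0.0.0" and m.group(3) in (None, "0.0.0.0"):
                findings.add("wildcard-psk")
        elif m := re.match(r"ip nhrp authentication (\S+)", ln):
            nhrp_auth = m.group(1)
    if psk is not None and psk == nhrp_auth:
        findings.add("nhrp-auth-reuses-psk")
    # Phase 3 needs 'ip nhrp redirect' on the hub and 'ip nhrp shortcut' on every spoke.
    needed = "ip nhrp redirect" if role == "hub" else "ip nhrp shortcut"
    if needed not in lines:
        findings.add("phase3-missing:" + needed.split()[-1])
    return sorted(findings)

def audit_all(configs):
    """Audit every device in a {name: (role, config_text)} mapping."""
    return {name: audit_device(role, text) for name, (role, text) in configs.items()}

if __name__ == "__main__":
    for name, findings in audit_all(CONFIGS).items():
        print(name, findings)
```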
Single Cloud, Dual Hub
HUB1
HUB1(config)#crypto isakmp policy 10
HUB1(config-isakmp)#authentication pre-share
HUB1(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0 //the spoke IP addresses are unknown and may be assigned dynamically by the ISP, so the peer is matched dynamically and the spoke IP is given as 0.0.0.0
HUB1(config)#crypto isakmp keepalive 10 periodic
HUB1(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
HUB1(cfg-crypto-trans)#mode transport
HUB1