雅那安


1. Basic IP configuration
R1:
int s1/0
ip add 15.1.1.1 255.255.255.0
no sh
int loo 0
ip add 1.1.1.1 255.255.255.255
ip route 0.0.0.0 0.0.0.0 15.1.1.5
R2:
int s1/1
ip add 25.1.1.2 255.255.255.0
no sh
int loo 0
ip add 2.2.2.2 255.255.255.255
ip route 0.0.0.0 0.0.0.0 25.1.1.5 
R3:
int s1/2
ip add 35.1.1.3 255.255.255.0
no sh
int loo 0
ip add 3.3.3.3 255.255.255.255
ip route 0.0.0.0 0.0.0.0 35.1.1.5
R4:
int s1/3
ip add 45.1.1.4 255.255.255.0
no sh
int loo 0
ip add 4.4.4.4 255.255.255.255
ip route 0.0.0.0 0.0.0.0 45.1.1.5
2. mGRE
R1:
int tunnel 0
tunnel mode gre multipoint
tunnel source 15.1.1.1
ip add 10.1.1.1 255.255.255.0
R2:
int tunnel 0
tunnel mode gre multipoint
tunnel source 25.1.1.2 
ip add 10.1.1.2 255.255.255.0
R3:
int tunnel 0
tunnel mode gre multipoint
tunnel source 35.1.1.3
ip add 10.1.1.3 255.255.255.0
R4:
int tunnel 0
tunnel mode gre multipoint 
tunnel source 45.1.1.4
ip add 10.1.1.4 255.255.255.0
3. NHRP
Configuration on the hub (R1):
int tunnel 0
ip nhrp network-id 1234
ip nhrp map multicast dynamic
Configuration on the spokes (R2/R3/R4):
R2:
int tunnel 0
ip nhrp network-id 1234
ip nhrp map 10.1.1.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp nhs 10.1.1.1
show dmvpn
R3:
int tunnel 0
ip nhrp network-id 1234
ip nhrp map 10.1.1.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp nhs 10.1.1.1
R4:
int tunnel 0
ip nhrp network-id 1234
ip nhrp map 10.1.1.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp nhs 10.1.1.1


4. Dynamic routing protocol configuration
R1:
router ospf 1
router-id 1.1.1.1
network 10.1.1.1 0.0.0.0 a 0
network 1.1.1.1 0.0.0.0 a 0
R2:
router ospf 1
router-id 2.2.2.2
network 10.1.1.2 0.0.0.0 a 0
network 2.2.2.2 0.0.0.0 a 0
R3:
router ospf 1
router-id 3.3.3.3
network 10.1.1.3 0.0.0.0 a 0
network 3.3.3.3 0.0.0.0 a 0
R4:
router ospf 1
router-id 4.4.4.4
network 10.1.1.4 0.0.0.0 a 0
network 4.4.4.4 0.0.0.0 a 0
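Do not advertise the public-facing interfaces to the neighbors; otherwise the adjacencies between the neighbors will flap.
If EIGRP is used instead, split horizon must be disabled on the tunnel interface. (If it is left enabled, R1 receives the routes from R2/R3/R4, but R2/R3/R4 each learn only R1's routes.)
Configure on the hub:
int tunnel 0
no ip split-horizon eigrp 1
Change the OSPF network type of the tunnel interfaces to point-to-multipoint: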
R1:
int tunnel 0
ip ospf network point-to-multipoint
R2:
int tunnel 0
ip ospf network point-to-multipoint
R3:
int tunnel 0
ip ospf network point-to-multipoint
R4:
int tunnel 0
ip ospf network point-to-multipoint

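At this point a traceroute from R2 to R3 or R4 still passes through R1; next-hop optimization is used to adjust this.
5. Next-hop optimization
hub (R1):
int tunnel 0
ip nhrp redirect
spoke (R2/R3/R4):
int tunnel 0
ip nhrp shortcut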
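Traceroute from R4 to R3: the first time, the path goes through R1 to reach R3, because R4's tunnel 0 interface address and its (R4's) corresponding public address have to be looked up. A redirect then takes place (not a routing-protocol redirect but a tunnel redirect); NHRP performs the redirect directly.
show dmvpn on R3:

When R2 and R3 communicate with R4, they query R1 for this information (tunnel interface address 10.1.1.4, public interface address 45.1.1.4). R2 and R3 then know R4's public address and tunnel address, so when sending data they can encapsulate directly with its (R4's) public address. All subsequent packets are exchanged directly, without going through the hub.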


 

6. IPsec VPN
R1:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 CCIE55 address 0.0.0.0
crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
mode tra
crypto ipsec profile MYPROFILE
set transform-set CCIE55
int tunnel 0
tunnel protection ipsec pro MYPROFILE
R2:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 CCIE55 address 0.0.0.0
crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
mode tra
crypto ipsec profile MYPROFILE
set transform-set CCIE55
int tunnel 0
tunnel protection ipsec pro MYPROFILE
R3:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 CCIE55 address 0.0.0.0
crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
mode tra
crypto ipsec profile MYPROFILE
set transform-set CCIE55
int tunnel 0
tunnel protection ipsec pro MYPROFILE
R4:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 CCIE55 address 0.0.0.0
crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
mode tra
crypto ipsec profile MYPROFILE
set transform-set CCIE55
int tunnel 0
tunnel protection ipsec pro MYPROFILE
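
A check for the IKE/IPsec parameters configured in section 6, as an added example that is not part of the original post: a small Python audit that flags MD5 in the IKE policy or the transform set, Diffie-Hellman groups 1, 2 and 5, and a pre-shared key bound to the wildcard address 0.0.0.0. The function name, the finding texts and the embedded sample (constructed from the R1 lines above) are assumptions of this example.

```python
# Constructed sample: R1's IKE/IPsec lines from section 6 of this page.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 CCIE55 address 0.0.0.0
crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
mode tra
"""

POLICY_SUBCMDS = ("encr", "hash", "auth", "group", "lifetime")
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768/1024/1536-bit MODP groups
WEAK_TRANSFORMS = {"esp-md5-hmac", "ah-md5-hmac", "esp-des", "esp-3des"}


def audit_ike_ipsec(config):
    """Hypothetical helper: return [(line_no, finding), ...] for weak settings."""
    findings = []
    in_policy = False
    for no, raw in enumerate(config.splitlines(), 1):
        words = raw.strip().lower().split()
        line = " ".join(words)            # normalises repeated spaces
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        # The policy sub-mode ends at the first line that is not a policy subcommand.
        if in_policy and not line.startswith(POLICY_SUBCMDS):
            in_policy = False
        if in_policy and len(words) == 2:
            if words == ["hash", "md5"]:
                findings.append((no, "IKE policy uses MD5"))
            elif words[0] == "group" and words[1] in WEAK_DH_GROUPS:
                findings.append((no, "IKE DH group %s is below 2048 bits" % words[1]))
        # A key bound to 0.0.0.0 is accepted from any peer that knows it.
        if line.startswith("crypto isakmp key") and " address 0.0.0.0 " in line + " ":
            findings.append((no, "pre-shared key accepted from any peer address"))
        if line.startswith("crypto ipsec transform-set"):
            for t in words[4:]:           # tokens after the transform-set name
                if t in WEAK_TRANSFORMS:
                    findings.append((no, "transform %s is weak" % t))
    return findings


if __name__ == "__main__":
    for no, finding in audit_ike_ipsec(SAMPLE_CONFIG):
        print("line %d: %s" % (no, finding))
```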
 

 

 

 

 


 

posted on 2020-07-14 18:11  雅那安