DMVPN

By Alice Spencer, 2014-01-20 16:30

    Lab 1: DMVPN using OSPF.

    R3 is the hub; R2 and R1 are spokes.

Configuration of hub router R3.

R3#show run

!

    version 12.3

    hostname R3

    !

    crypto isakmp policy 20

     hash md5

     authentication pre-share

    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

    no crypto isakmp ccm

    !

    crypto ipsec transform-set VPN esp-des

    !

crypto ipsec profile VPN

     set transform-set VPN

    !

    interface Tunnel1

     ip address 1.1.1.10 255.255.255.0

     no ip redirects

     ip mtu 1416

     ip nhrp authentication cisco123

     ip nhrp map multicast dynamic

     ip nhrp network-id 99

     ip ospf network broadcast

     ip ospf hello-interval 30

     ip ospf priority 200

     tunnel source Serial0/1/0

     tunnel mode gre multipoint

     tunnel key 999

     tunnel protection ipsec profile VPN

    !

    ! Loopback interface standing in for the LAN of the hub router.

    interface Loopback0

     ip address 10.0.3.1 255.255.255.0

     ip ospf network point-to-point

    !

    interface Serial0/1/0

     ip address 172.30.3.2 255.255.255.0

    !

    router ospf 1

     log-adjacency-changes

     passive-interface Serial0/1/0

     network 1.1.1.0 0.0.0.255 area 0

     network 10.0.3.0 0.0.0.255 area 0

    !

    ip classless

    ip route 0.0.0.0 0.0.0.0 Serial0/1/0

    !

    end

R2#show run

    !

    version 12.4

    !

    hostname R2

    !

    crypto isakmp policy 1

     hash md5

     authentication pre-share

    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

    !

    crypto ipsec transform-set VPN esp-des

    !

    crypto ipsec profile VPN

     set transform-set VPN

    !

    interface Loopback0

     ip address 10.0.2.1 255.255.255.0

     ip ospf network point-to-point

    !

    interface Tunnel0

     ip address 1.1.1.2 255.255.255.0

     no ip redirects

     ip mtu 1416

     ip nhrp authentication cisco123

     ip nhrp map 1.1.1.10 172.30.3.2

     ip nhrp network-id 99

     ip nhrp nhs 1.1.1.10

     ip nhrp cache non-authoritative

     ip ospf network broadcast

     ip ospf hello-interval 30

     ip ospf priority 0

     tunnel source FastEthernet0/0

     tunnel mode gre multipoint

     tunnel key 999

     tunnel protection ipsec profile VPN

    !

    interface FastEthernet0/0

     ip address 172.30.2.2 255.255.255.0

     duplex auto

     speed auto

    !

    router ospf 1

     log-adjacency-changes

     passive-interface FastEthernet0/0

     network 1.1.1.0 0.0.0.255 area 0

     network 10.0.2.0 0.0.0.255 area 0

    !

    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

    !

    end

R1#show run

    !

    version 12.4

!

    hostname R1

    !

    crypto isakmp policy 20

     hash md5

     authentication pre-share

    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

    !

    crypto ipsec transform-set DMVPN-Transform esp-des

    !

    crypto ipsec profile DMVPN

     set transform-set DMVPN-Transform

    !

    interface Tunnel0

     ip address 1.1.1.1 255.255.255.0

     no ip redirects

     ip mtu 1416

     ip nhrp authentication cisco123

     ip nhrp map multicast 1.1.1.1

     ip nhrp map 1.1.1.10 172.30.3.2

     ip nhrp network-id 99

     ip nhrp nhs 1.1.1.10

     ip nhrp cache non-authoritative

     ip ospf network broadcast

     ip ospf hello-interval 30

     ip ospf priority 0

     tunnel source FastEthernet0/1

     tunnel mode gre multipoint

     tunnel key 999

     tunnel protection ipsec profile DMVPN

    !

    interface FastEthernet0/0

     ip address 10.0.1.12 255.255.255.0

     duplex auto

     speed auto

    !

    interface FastEthernet0/1

     ip address 172.30.1.2 255.255.255.0

     duplex auto

     speed auto

    !

    router ospf 1

     log-adjacency-changes

     passive-interface FastEthernet0/1

     network 1.1.1.0 0.0.0.255 area 0

     network 10.0.1.0 0.0.0.255 area 0

!

    ip route 0.0.0.0 0.0.0.0 172.30.1.1

    !

    end
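
Added example (not part of the original lab document): a small Python check that flags the weak IKE/IPsec settings visible in the Lab 1 configurations above, namely MD5 hashing, DES, an ESP transform with no integrity algorithm, a wildcard pre-shared key, and no PFS. The sample text is constructed from R3's crypto lines; the finding names, and the assumption that a missing "encryption" line means the IOS 12.x default of DES, belong to this example.

```python
# Constructed sample: the crypto lines of R3's Lab 1 configuration on this page.
R3_CRYPTO = """\
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set VPN esp-des
crypto ipsec profile VPN
 set transform-set VPN
"""

def blocks(config):
    """Yield (header, child_lines) for each top-level block of an IOS-style config."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":                 # an unindented line opens a new block
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
        else:
            children.append(raw.strip())
    if header is not None:
        yield header, children

def audit(config):
    """Return the sorted names of weak IKE/IPsec settings found in the config."""
    found = set()
    for header, children in blocks(config):
        if header.startswith("crypto isakmp policy"):
            if "hash md5" in children:
                found.add("isakmp-hash-md5")
            enc = [c for c in children if c.startswith("encryption")]
            # Assumption: with no "encryption" line the IOS 12.x default (DES) applies.
            if not enc or enc[0].split()[1:] == ["des"]:
                found.add("isakmp-encryption-des")
        elif header.startswith("crypto isakmp key") and " address 0.0.0.0" in header:
            found.add("wildcard-pre-shared-key")      # key accepted from any peer
        elif header.startswith("crypto ipsec transform-set"):
            transforms = header.split()[4:]
            if "esp-des" in transforms:
                found.add("esp-des")
            if not any(t.endswith("-hmac") or "gcm" in t for t in transforms):
                found.add("esp-no-integrity")         # encryption without authentication
        elif header.startswith("crypto ipsec profile"):
            if not any(c.startswith("set pfs") for c in children):
                found.add("no-pfs")
    return sorted(found)
```

Running audit(R3_CRYPTO) reports all six findings; the same crypto lines appear on R2 and R1, so the result applies to every router in the lab.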

Verifying operation

R3#show crypto map

    Crypto Map "Tunnel1-head-0" 65536 ipsec-isakmp

     Profile name: VPN

     Security association lifetime: 4608000 kilobytes/3600 seconds

     PFS (Y/N): N

     Transform sets={

     VPN,

     }

Crypto Map "Tunnel1-head-0" 65537 ipsec-isakmp

     Map is a PROFILE INSTANCE.

     Peer = 172.30.2.2

     Extended IP access list

     access-list permit gre host 172.30.3.2 host 172.30.2.2

     Current peer: 172.30.2.2

     Security association lifetime: 4608000 kilobytes/3600 seconds

     PFS (Y/N): N

     Transform sets={

     VPN,

     }

Crypto Map "Tunnel1-head-0" 65538 ipsec-isakmp

     Map is a PROFILE INSTANCE.

     Peer = 172.30.1.2

     Extended IP access list

     access-list permit gre host 172.30.3.2 host 172.30.1.2

     Current peer: 172.30.1.2

     Security association lifetime: 4608000 kilobytes/3600 seconds

     PFS (Y/N): N

     Transform sets={

     VPN,

     }

     Interfaces using crypto map Tunnel1-head-0:

     Tunnel1

R3# show crypto isa sa

    dst             src             state          conn-id slot status

    172.30.3.2      172.30.1.2      QM_IDLE              2    0 ACTIVE

    172.30.3.2      172.30.2.2      QM_IDLE              1    0 ACTIVE

R3#show ip nhrp

    1.1.1.1/32 via 1.1.1.1, Tunnel1 created 00:36:53, expire 01:46:29

     Type: dynamic, Flags: authoritative unique registered

     NBMA address: 172.30.1.2

    1.1.1.2/32 via 1.1.1.2, Tunnel1 created 00:51:42, expire 01:47:19

     Type: dynamic, Flags: authoritative unique registered

     NBMA address: 172.30.2.2

R3#show ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets

    C 1.1.1.0 is directly connected, Tunnel1

     172.30.0.0/24 is subnetted, 1 subnets

    C 172.30.3.0 is directly connected, Serial0/1/0

     10.0.0.0/24 is subnetted, 3 subnets

    O 10.0.2.0 [110/11112] via 1.1.1.2, 00:00:56, Tunnel1

    C 10.0.3.0 is directly connected, Loopback0

    O 10.0.1.0 [110/11112] via 1.1.1.1, 00:00:56, Tunnel1

    S* 0.0.0.0/0 is directly connected, Serial0/1/0

     ----------------------------------

    R2#show cry isa sa

    IPv4 Crypto ISAKMP SA

    dst             src             state          conn-id slot status

    172.30.1.2      172.30.2.2      QM_IDLE           1002    0 ACTIVE

    172.30.3.2      172.30.2.2      QM_IDLE           1001    0 ACTIVE

    172.30.2.2      172.30.1.2      QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#show cry ipsec sa

interface: Tunnel0

     Crypto map tag: Tunnel0-head-0, local addr 172.30.2.2

     protected vrf: (none)

     local ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/47/0)

     remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)

     current_peer 172.30.1.2 port 500

     PERMIT, flags={origin_is_acl,}

     #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24

     #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23

R2#show ip nhrp

    1.1.1.1/32 via 1.1.1.1, Tunnel0 created 00:37:07, expire 01:21:51

     Type: dynamic, Flags: router

     NBMA address: 172.30.1.2

    1.1.1.10/32 via 1.1.1.10, Tunnel0 created 00:53:55, never expire

     Type: static, Flags: nat used

     NBMA address: 172.30.3.2

R2#show ip route

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets

    C 1.1.1.0 is directly connected, Tunnel0

     172.30.0.0/24 is subnetted, 1 subnets

    C 172.30.2.0 is directly connected, FastEthernet0/0

     10.0.0.0/24 is subnetted, 3 subnets

    C 10.0.2.0 is directly connected, Loopback0

    O 10.0.3.0 [110/11112] via 1.1.1.10, 00:00:44, Tunnel0

    O 10.0.1.0 [110/11112] via 1.1.1.1, 00:00:44, Tunnel0

    S* 0.0.0.0/0 is directly connected, FastEthernet0/0

     ------------------------------------

R1#show ip nhrp

    1.1.1.2/32 via 1.1.1.2, Tunnel0 created 00:35:47, expire 01:08:22

     Type: dynamic, Flags: router

     NBMA address: 172.30.2.2

    1.1.1.10/32 via 1.1.1.10, Tunnel0 created 00:36:48, never expire

     Type: static, Flags: used

     NBMA address: 172.30.3.2

Lab 2: DMVPN using EIGRP

sh run

    Building configuration...

    Current configuration : 1658 bytes

    !

    version 12.3

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname R3

    !

    crypto isakmp policy 20

     hash md5

     authentication pre-share

    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

    !

crypto ipsec transform-set DMVPN-Transform esp-des

    !

    crypto ipsec profile DMVPN

     set transform-set DMVPN-Transform

    !

    interface Tunnel0

     ip address 172.16.1.3 255.255.255.0

     no ip redirects

     ip mtu 1416

     ip hold-time eigrp 1 35

     no ip next-hop-self eigrp 1

     ip nhrp authentication cisco123

     ip nhrp map 172.16.1.1 172.30.1.2

     ip nhrp map multicast 172.30.1.2

     ip nhrp network-id 99

     ip nhrp nhs 172.16.1.1

     no ip split-horizon eigrp 1

     tunnel source FastEthernet0/1

     tunnel mode gre multipoint

     tunnel key 999

     tunnel protection ipsec profile DMVPN

    !

    interface FastEthernet0/0

     ip address 10.0.3.2 255.255.255.0

     duplex auto

     speed auto

    !

    interface FastEthernet0/1

     ip address 172.30.3.2 255.255.255.0

     duplex auto

     speed auto

    !

    router eigrp 1

     network 10.0.0.0

     network 172.16.0.0

     no auto-summary

    !

    ip classless

    ip route 172.30.1.0 255.255.255.0 172.30.3.1

    ip route 172.30.2.0 255.255.255.0 172.30.3.1

    !

    end

R3#

R1#sh run

!

    version 12.3

    !

    hostname R1

    !

    !

    crypto isakmp policy 20

     hash md5

     authentication pre-share

    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

    no crypto isakmp ccm

    !

    !

    crypto ipsec transform-set DMVPN-Transform esp-des

    !

    crypto ipsec profile DMVPN

     set transform-set DMVPN-Transform

    !

    interface Tunnel1

     ip address 172.16.1.1 255.255.255.0

     no ip redirects

     ip mtu 1416

     ip hold-time eigrp 1 35

     no ip next-hop-self eigrp 1

     ip nhrp authentication cisco123

     ip nhrp map multicast dynamic

     ip nhrp network-id 99

     no ip split-horizon eigrp 1

     tunnel source Serial0/2/0

     tunnel mode gre multipoint

     tunnel key 999

     tunnel protection ipsec profile DMVPN

    !

    interface FastEthernet0/0

     ip address 10.0.1.1 255.255.255.0

     duplex auto

     speed auto

    !

    interface Serial0/2/0

     ip address 172.30.1.2 255.255.255.0

     clockrate 64000

    !

    router eigrp 1

     network 10.0.0.0

     network 172.16.0.0

     no auto-summary
