IT技术互动交流平台

用Cisco DMVPN构建高扩展的网络

作者:yanchangqing  发布日期:2013-01-04 09:00:54

简要介绍

用IPSec隧道在Internet上进行安全的数据传输,是目前公司总部与分支通讯的主要解决方案。DMVPN是一种非常具有扩展性的解决方案,它有很多优点,比如,简单的hub和spoke配置提供了Full-mesh的连通性,可以支持spoke端的动态地址,增加新的spoke端时,无须更改hub配置,spoke到spoke的流量不占用hub带宽,支持动态路由协议和从hub到spoke的组播,支持多个VPN中心设备的负载均衡等特点,主要用到了2个技术:多点GRE即MGRE和下一跳解析协议即NHRP。

下面是基本的DMVPN的配置,同时结合ADSL拨号,DDNS配置。

 

一、拓扑:

 


 

说明:只要能上网就可以做DDNS相关配置,图中的Gateway桥接到本机Vmnet1,同时,把本地连接/无线网络连接共享给Vmnet1,如果没有动态域名就要先去相关网站申请。

 

 

附配置:


R1_Branch1#sh run

hostname R1_Branch1
!
ip name-server 202.106.0.20 
ip ddns update method cisco
 HTTP
  add http://jackyan1:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
  remove http://jackyan1:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
!

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac

 mode transport
!
crypto ipsec profile IPSECPRO
 set transform-set myset
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip ospf network point-to-point   
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 192.168.1.6 69.1.1.6
 ip nhrp map multicast 69.1.1.6
 ip nhrp network-id 30599
 ip nhrp nhs 192.168.1.6
 ip nhrp cache non-authoritative
 ip ospf network broadcast        
 ip ospf priority 0
 tunnel source Dialer1
 tunnel mode gre multipoint  
 tunnel key 123
 tunnel protection ipsec profile IPSECPRO
!
interface FastEthernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip ddns update hostname jackyansite1.f3322.org
 ip ddns update cisco
 ip address negotiated
 ip mtu 1490
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username user1 password 0 cisco
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

 

###########################################################################

 

R3_Branch2#sh run
Building configuration...
version 12.4

hostname R3_Branch2

ip name-server 202.106.0.20
ip ddns update method cisco
 HTTP
  add http://jackyan2:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
  remove http://jackyan2:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO

!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile IPSECPRO
 set transform-set myset
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 192.168.1.6 69.1.1.6
 ip nhrp map multicast 69.1.1.6
 ip nhrp network-id 30599
 ip nhrp nhs 192.168.1.6
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile IPSECPRO
!
interface FastEthernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip ddns update hostname jackyansite2.f3322.org
 ip ddns update cisco
 ip address negotiated
 ip mtu 1490
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username user2 password 0 cisco
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent


############################################################################

R6_Center#sh run
Building configuration...

version 12.4
!
hostname R6_Center

!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile IPSECPRO
 set transform-set myset
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 192.168.1.6 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 30599
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 100
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile IPSECPRO

!
interface Serial1/0
 ip address 69.1.1.6 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool pool3
 ppp authentication pap
!
router ospf 1
 log-adjacency-changes
 network 6.6.6.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 69.1.1.9


##############################################################################
R2_ISPA#sh run

hostname R2_ISPA
!
username user1 password 0 cisco
!
bba-group pppoe global
 virtual-template 1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 pppoe enable group global

!
interface Serial1/0
 ip address 29.1.1.2 255.255.255.0

interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool pool1
 ppp authentication pap
!
ip local pool pool1 111.1.1.1 111.1.1.100
ip route 0.0.0.0 0.0.0.0 29.1.1.9


###############################################################################

R4_ISPB#sh run

version 12.4

hostname R4_ISPB
!
username user2 password 0 cisco

bba-group pppoe global
 virtual-template 1
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 pppoe enable group global

!
interface Serial1/0
 ip address 49.1.1.4 255.255.255.0

!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool pool2
 ppp authentication pap
!
ip local pool pool2 112.1.1.1 112.1.1.100
ip route 0.0.0.0 0.0.0.0 49.1.1.9

 

#############################################################################


Internet#sh run

hostname Internet

interface FastEthernet0/0
 ip address 192.168.0.250 255.255.255.0
 ip nat outside
!
interface Serial1/0
 ip address 29.1.1.9 255.255.255.0
 ip nat inside
!
interface Serial1/1
 ip address 49.1.1.9 255.255.255.0
 ip nat inside

interface Serial1/2
 ip address 69.1.1.9 255.255.255.0

!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 111.1.1.0 255.255.255.0 29.1.1.2
ip route 112.1.1.0 255.255.255.0 49.1.1.4
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
 permit ip any host 202.106.0.20   (DNS服务器)
 permit ip any 61.160.0.0 0.0.255.255 (DDNS服务提供商)

 

#############################################################################

 

后记:DMVPN不是很稳定,如果出现异常问题,请将隧道口shutdown,然后先从hub端开始no shutdown,如果没有生效,请检查配置。www.it165.net

验证:
R6_Center:
R6_Center#sh ip nhrp
192.168.1.1/32 via 192.168.1.1, Tunnel0 created 00:00:13, expire 01:59:46
  Type: dynamic, Flags: unique registered used
  NBMA address: 111.1.1.1
192.168.1.3/32 via 192.168.1.3, Tunnel0 created 00:00:11, expire 01:59:48
  Type: dynamic, Flags: unique registered used
  NBMA address: 112.1.1.1

R1_Branch1#sh ip route os
     3.0.0.0/24 is subnetted, 1 subnets
O       3.3.3.0 [110/11112] via 192.168.1.3, 00:11:22, Tunnel0
     6.0.0.0/24 is subnetted, 1 subnets

O       6.6.6.0 [110/11112] via 192.168.1.6, 00:11:12, Tunnel0

 


 

延伸阅读:

Tag标签: Cisco   DMVPN   高扩展  
  • 专题推荐

About IT165 - 广告服务 - 隐私声明 - 版权申明 - 免责条款 - 网站地图 - 网友投稿 - 联系方式
本站内容来自于互联网,仅供用于网络技术学习,学习中请遵循相关法律法规