DMVPN is a Cisco proprietary technology.
Configuration order:
1. mGRE
R1
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
! No tunnel destination is defined here; the tunnel key must be entered, and the tunnel only comes up once the key is configured.
R2
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
!
R3
interface Tunnel0
ip address 172.16.1.100 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
!
2. NHRP (Next Hop Resolution Protocol) resolves the mapping between physical (NBMA) IPs and tunnel IPs. It needs a server, the NHS, which is normally the hub; the spokes must know the hub's IP mapping.
On R1 under Tunnel0:
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp network-id 10
ip nhrp nhs 172.16.1.100
! Every router must use the same network-id. The NHS must have a fixed IP, while the client IPs can change: when a client comes online it registers its real IP and its tunnel IP. Traffic between any two sites goes directly, not through the hub.
On R2 under Tunnel0:
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp nhs 172.16.1.100
ip nhrp network-id 10
On R3 under Tunnel0:
ip nhrp network-id 10
Check the registrations (if nothing shows up, do shutdown / no shutdown on every Tunnel0):
r3#show ip nhrp
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:47:23, expire 01:48:27
Type: dynamic, Flags: unique nat registered
NBMA address: 202.100.1.1
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:46:47, expire 01:49:01
Type: dynamic, Flags: unique nat registered
NBMA address: 202.100.1.2
r3#
r1#show ip nhrp
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:45:51, expire 01:14:08
Type: dynamic, Flags: router unique nat local
NBMA address: 202.100.1.1
(no-socket)
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:45:52, expire 01:14:09
Type: dynamic, Flags: router nat
NBMA address: 202.100.1.2
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:52:10, never expire
Type: static, Flags: nat used
NBMA address: 202.100.1.100
r1#
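To check the registrations above programmatically rather than by eye, here is an added Python example (not from the original page) that parses "show ip nhrp" output into records and verifies that each expected spoke appears as a registered dynamic entry with the expected NBMA address; the sample output is constructed from r3's cache above.

```python
import re

# Constructed sample: r3's "show ip nhrp" output from the lab above, as captured text.
SHOW_IP_NHRP_R3 = """\
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:47:23, expire 01:48:27
   Type: dynamic, Flags: unique nat registered
   NBMA address: 202.100.1.1
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:46:47, expire 01:49:01
   Type: dynamic, Flags: unique nat registered
   NBMA address: 202.100.1.2
"""

# First line of each cache entry: "<tunnel-ip>/32 via <next-hop>, <intf> created <t>, <expiry>"
ENTRY_RE = re.compile(r"^(\S+)/32 via (\S+), (\S+) created (\S+), (.+)$")

def parse_nhrp(output):
    """Turn 'show ip nhrp' text into {tunnel_ip: {via, intf, expire, type, flags, nbma}}."""
    entries, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = {"via": m.group(2), "intf": m.group(3), "expire": m.group(5),
                       "type": None, "flags": set(), "nbma": None}
            entries[m.group(1)] = current
        elif current is None:
            continue  # text before the first entry, nothing to record
        elif line.startswith("Type:"):
            type_part, flags_part = line.split(", Flags:")
            current["type"] = type_part.split(":", 1)[1].strip()
            current["flags"] = set(flags_part.split())
        elif line.startswith("NBMA address:"):
            current["nbma"] = line.split(":", 1)[1].strip()
        # other lines such as "(no-socket)" carry nothing this check needs
    return entries

def check_registrations(entries, expected):
    """expected = {spoke_tunnel_ip: spoke_nbma_ip}; returns a list of problems (empty = OK)."""
    problems = []
    for tun_ip, nbma in expected.items():
        e = entries.get(tun_ip)
        if e is None:
            problems.append(f"{tun_ip}: no cache entry, the spoke never registered with the NHS")
        elif e["type"] != "dynamic" or "registered" not in e["flags"]:
            problems.append(f"{tun_ip}: entry exists but is not a registered dynamic mapping")
        elif e["nbma"] != nbma:
            problems.append(f"{tun_ip}: NBMA address {e['nbma']} is not the expected {nbma}")
    return problems

if __name__ == "__main__":
    cache = parse_nhrp(SHOW_IP_NHRP_R3)
    print(check_registrations(cache, {"172.16.1.1": "202.100.1.1", "172.16.1.2": "202.100.1.2"}))
```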
3. Routing protocol
Configure the multicast mappings and EIGRP.
On R1 under Tunnel0:
ip nhrp map multicast dynamic
ip nhrp map multicast 202.100.1.100
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
! Automatic summarization must be turned off; only the inside network and the GRE interface network need to be advertised.
On R2 under Tunnel0:
ip nhrp map multicast dynamic
ip nhrp map multicast 202.100.1.100
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary
!
On R3 under Tunnel0:
ip nhrp map multicast dynamic
ip nhrp map multicast 202.100.1.100
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.100.0
no auto-summary
!
Check the EIGRP neighbors (if there are none, shutdown / no shutdown the Tunnel0 interface of every router, starting with the hub):
r3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.1.2 Tu0 12 01:04:31 90 5000 0 29
0 172.16.1.1 Tu0 11 01:05:03 65 5000 0 30
r3#
r1#
r1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.1.100 Tu0 11 01:05:37 145 5000 0 55
r1#
R1 and R2 cannot learn each other's routes; disable split horizon on R3's Tunnel0:
no ip split-horizon eigrp 1
The eigrp 1 keyword is required here; without it the command only affects RIP.
Under R3's Tunnel0 interface:
no ip next-hop-self eigrp 1
This makes the routes learned by the two spoke routers carry the real next hop automatically, so the spokes can reach each other directly and no longer have to go through the hub.
Check the routing tables of R1 and R2:
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
C 202.100.1.0/24 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback0
D 192.168.2.0/24 [90/310172416] via 172.16.1.2, 01:13:00, Tunnel0
D 192.168.100.0/24 [90/297372416] via 172.16.1.100, 01:13:32, Tunnel0
r1#
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
C 202.100.1.0/24 is directly connected, FastEthernet0/0
D 192.168.1.0/24 [90/310172416] via 172.16.1.1, 01:13:28, Tunnel0
C 192.168.2.0/24 is directly connected, Loopback0
D 192.168.100.0/24 [90/297372416] via 172.16.1.100, 01:13:28, Tunnel0
r2#
4. IPsec VPN
This is standard GRE over IPsec, using transport mode.
The configuration is the same on R1, R2 and R3:
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
!
interface Tunnel0
tunnel protection ipsec profile cisco
If there is still no connectivity afterwards, shutdown / no shutdown the Tunnel0 interface.
r3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.100 202.100.1.2 QM_IDLE 1004 0 ACTIVE
202.100.1.100 202.100.1.1 QM_IDLE 1005 0 ACTIVE
IPv6 Crypto ISAKMP SA
r3#
! The hub has tunnels to every spoke.
r1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!.!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/44 ms
r1#
! Spoke-to-spoke traffic is relayed by the hub at first; afterwards the two spokes talk directly, and a few packets may be lost during the switchover, which is normal.
r1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.2 202.100.1.1 QM_IDLE 1005 0 ACTIVE
202.100.1.1 202.100.1.2 QM_IDLE 1004 0 ACTIVE
202.100.1.100 202.100.1.1 MM_NO_STATE 1001 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
r1#
Transport mode is sufficient for the VPN here. In this environment only the hub needs a fixed IP; every other address can be dynamic. Because the client addresses change, the VPN peer is set to 0.0.0.0 on the spokes and on the hub alike. A spoke initially knows only the tunnel to the hub; spoke-to-spoke tunnels are built on demand, only when there is traffic between two spokes.
Final router configurations
R1 configuration
!
hostname r1
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp network-id 10
ip nhrp nhs 172.16.1.100
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex half
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
R2 configuration
!
hostname r2
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp network-id 10
ip nhrp nhs 172.16.1.100
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
duplex half
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary
!
R3 configuration
!
hostname r3
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
!
interface Loopback0
ip address 192.168.100.1 255.255.255.0
!
!
interface Tunnel0
ip address 172.16.1.100 255.255.255.0
no ip next-hop-self eigrp 1
ip nhrp map multicast dynamic
ip nhrp map multicast 202.100.1.100
ip nhrp network-id 10
no ip split-horizon eigrp 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 202.100.1.100 255.255.255.0
duplex half
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.100.0
no auto-summary
!
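As an added defender-side check that is not part of the original page, this Python script audits a set of IOS configurations for the consistency the NHRP and IPsec sections above depend on (same network-id and tunnel key on every router, each "ip nhrp nhs" backed by a static "ip nhrp map") and flags the legacy esp-des / esp-md5-hmac transform set and the wildcard pre-shared key used in this lab. The embedded configs are constructed from r1's and r3's final configurations, with r3's transform set changed to esp-aes 256 / esp-sha256-hmac so one router shows a clean result.

```python
import re

# Constructed samples: the DMVPN-relevant lines of r1's and r3's final configurations
# above; r3's transform set is swapped to a stronger one here to show a clean result.
R1 = """hostname r1
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.1.100 202.100.1.100
 ip nhrp network-id 10
 ip nhrp nhs 172.16.1.100
 tunnel key 12345
"""
R3 = """hostname r3
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-aes 256 esp-sha256-hmac
interface Tunnel0
 ip nhrp network-id 10
 tunnel key 12345
"""
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # legacy transforms to flag

def parse(cfg):
    """Extract the values the audit needs from one IOS configuration."""
    d = {"host": "?", "netid": None, "key": None, "maps": {}, "nhs": [], "weak": [], "wild_psk": False}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"hostname (\S+)$", line):
            d["host"] = m.group(1)
        elif m := re.match(r"ip nhrp network-id (\d+)$", line):
            d["netid"] = m.group(1)
        elif m := re.match(r"tunnel key (\d+)$", line):
            d["key"] = m.group(1)
        elif m := re.match(r"ip nhrp nhs (\S+)$", line):
            d["nhs"].append(m.group(1))
        elif m := re.match(r"ip nhrp map (?!multicast)(\S+) (\S+)$", line):
            d["maps"][m.group(1)] = m.group(2)  # static tunnel-ip -> NBMA mapping
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            d["weak"] = [t for t in m.group(1).split() if t in WEAK]
        elif re.match(r"crypto isakmp key .* address 0\.0\.0\.0 0\.0\.0\.0$", line):
            d["wild_psk"] = True
    return d

def audit(configs):
    """Return findings across all routers (empty list = consistent and no weak crypto)."""
    parsed, findings = [parse(c) for c in configs], []
    for field in ("netid", "key"):  # must match on every router or the cloud splits
        if len({p[field] for p in parsed}) != 1:
            findings.append(f"{field} differs across routers: " + ", ".join(f"{p['host']}={p[field]}" for p in parsed))
    for p in parsed:
        for nhs in p["nhs"]:
            if nhs not in p["maps"]:
                findings.append(f"{p['host']}: NHS {nhs} has no static 'ip nhrp map' to its NBMA address")
        if p["weak"]:
            findings.append(f"{p['host']}: weak transform set ({' '.join(p['weak'])}); use esp-aes 256 esp-sha256-hmac")
        if p["wild_psk"]:
            findings.append(f"{p['host']}: wildcard PSK, one shared key admits any peer that knows it; consider certificate authentication")
    return findings
```

Running audit([R1, R3]) returns three findings: r1's weak transform set and the wildcard PSK on both routers.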