DMVPN is a Cisco proprietary technology.
Configuration order:
1. mGRE
R1
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
! No tunnel destination is defined here. The tunnel key must be entered: the tunnel only comes up once the key is set.
R2
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
!
R3
interface Tunnel0
ip address 172.16.1.100 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
!
2. NHRP (Next Hop Resolution Protocol) resolves the mapping between physical (NBMA) IPs and tunnel IPs. It needs a server, the NHS, which is normally the hub; the spokes must know the hub's IP mapping.
R1, under Tunnel0:
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp network-id 10
ip nhrp nhs 172.16.1.100
! All sites must use the same network-id. The NHS must have a fixed IP; the clients' IPs may change. As soon as a client comes online it registers its real IP and its tunnel IP. Traffic between any two sites goes directly, not through the hub.
R2, under Tunnel0:
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp nhs 172.16.1.100
ip nhrp network-id 10
R3, under Tunnel0:
ip nhrp network-id 10
Check the registrations (if nothing shows up, shut/no shut every Tunnel0).
r3#show ip nhrp
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:47:23, expire 01:48:27
Type: dynamic, Flags: unique nat registered
NBMA address: 202.100.1.1
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:46:47, expire 01:49:01
Type: dynamic, Flags: unique nat registered
NBMA address: 202.100.1.2
r3#
r1#show ip nhrp
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:45:51, expire 01:14:08
Type: dynamic, Flags: router unique nat local
NBMA address: 202.100.1.1
(no-socket)
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:45:52, expire 01:14:09
Type: dynamic, Flags: router nat
NBMA address: 202.100.1.2
172.16.1.100/32 via 172.16.1.100, Tunnel0 created 00:52:10, never expire
Type: static, Flags: nat used
NBMA address: 202.100.1.100
r1#
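As an added example (not part of the original notes), a small Python parser for the show ip nhrp output above that flags any expected spoke without a registered dynamic entry on the NHS; the sample output is constructed from the hub's output in the notes, and the spoke list 172.16.1.1/2/3 is an assumption.

```python
import re

# Constructed sample: the hub's "show ip nhrp" output from the notes above, as it
# looks when only R1 and R2 have registered (a third spoke has not).
HUB_NHRP_OUTPUT = """\
172.16.1.1/32 via 172.16.1.1, Tunnel0 created 00:47:23, expire 01:48:27
  Type: dynamic, Flags: unique nat registered
  NBMA address: 202.100.1.1
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 00:46:47, expire 01:49:01
  Type: dynamic, Flags: unique nat registered
  NBMA address: 202.100.1.2
"""

def parse_nhrp(text):
    """Map each tunnel IP in 'show ip nhrp' output to its interface, entry type, flags and NBMA address."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(\S+)/\d+ via \S+, (\S+) created", line)
        if m:
            current = {"iface": m.group(2), "type": None, "flags": set(), "nbma": None}
            entries[m.group(1)] = current
        elif current and (m := re.match(r"Type: (\w+), Flags: (.*)", line)):
            current["type"], current["flags"] = m.group(1), set(m.group(2).split())
        elif current and (m := re.match(r"NBMA address: (\S+)", line)):
            current["nbma"] = m.group(1)
    return entries

def missing_registrations(text, expected_spokes):
    """Tunnel IPs of expected spokes that hold no 'registered' dynamic entry on the NHS."""
    entries = parse_nhrp(text)
    return sorted(ip for ip in expected_spokes
                  if not (entries.get(ip, {}).get("type") == "dynamic"
                          and "registered" in entries[ip]["flags"]))
```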
3. Routing protocol
Set up the multicast mappings and EIGRP.
R1, under Tunnel0:
ip nhrp map multicast dynamic
ip nhrp map multicast 202.100.1.100
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
! Auto-summary must be turned off. Only the internal LAN and the GRE interface network need to be advertised.
R2, under Tunnel0:
ip nhrp map multicast dynamic
ip nhrp map multicast 202.100.1.100
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary
!
R3, under Tunnel0:
ip nhrp map multicast dynamic
ip nhrp map multicast 202.100.1.100
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.100.0
no auto-summary
!
Check the EIGRP neighbors (if there are none, shut/no shut the Tunnel0 interface on every router, starting from the hub site).
r3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
1   172.16.1.2      Tu0           12 01:04:31   90  5000  0  29
0   172.16.1.1      Tu0           11 01:05:03   65  5000  0  30
r3#
r1#
r1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   172.16.1.100    Tu0           11 01:05:37  145  5000  0  55
r1#
R1 and R2 cannot learn each other's routes. Disable split horizon on R3's Tunnel0:
no ip split-horizon eigrp 1
The eigrp 1 keyword is required here; without it the command only affects RIP.
Also under R3's Tunnel0:
no ip next-hop-self eigrp 1
This makes the routes the two spoke routers learn carry the real next hop (the other spoke), so the spokes can reach each other directly instead of always going through the hub router.
Check R1's and R2's routing tables:
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
C 202.100.1.0/24 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback0
D 192.168.2.0/24 [90/310172416] via 172.16.1.2, 01:13:00, Tunnel0
D 192.168.100.0/24 [90/297372416] via 172.16.1.100, 01:13:32, Tunnel0
r1#
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
C 202.100.1.0/24 is directly connected, FastEthernet0/0
D 192.168.1.0/24 [90/310172416] via 172.16.1.1, 01:13:28, Tunnel0
C 192.168.2.0/24 is directly connected, Loopback0
D 192.168.100.0/24 [90/297372416] via 172.16.1.100, 01:13:28, Tunnel0
r2#
4 ipsec ***
是一个标准的GRE over ipsec,用传输模式
R1、R2和R3的配置是一样的
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
!
interface Tunnel0
tunnel protection ipsec profile cisco
If it does not work afterwards, shut/no shut the Tunnel0 interface.
r3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.100   202.100.1.2     QM_IDLE           1004    0 ACTIVE
202.100.1.100   202.100.1.1     QM_IDLE           1005    0 ACTIVE
IPv6 Crypto ISAKMP SA
r3#
! The hub knows the tunnels to all spokes.
r1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!.!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/44 ms
r1#
! Traffic between spokes is relayed by the hub at first; afterwards the two sides talk directly. A packet or two may be lost during the switch-over, which is normal.
r1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.2     202.100.1.1     QM_IDLE           1005    0 ACTIVE
202.100.1.1     202.100.1.2     QM_IDLE           1004    0 ACTIVE
202.100.1.100   202.100.1.1     MM_NO_STATE       1001    0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
r1#
Transport mode is sufficient for the VPN here. In this setup only the hub needs a fixed IP; all the other addresses can be dynamic. Because the client addresses change, the VPN peer is set to 0.0.0.0 on the spokes and on the hub alike. A spoke initially knows only the tunnel to the hub; spoke-to-spoke tunnels are on demand and are built only when there is traffic between the spokes.
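As an added example (not from the original notes), a Python audit that walks an IOS running-config in the form shown on this page and flags the settings a reviewer would raise in this lab: the wildcard pre-shared key, the DES/MD5 transform set, an ISAKMP policy that leaves encryption, hash and DH group at platform defaults, and any mGRE tunnel without tunnel protection. The sample config is constructed from the hub's lines above plus a hypothetical unprotected Tunnel1 so the last check has something to flag.

```python
# Constructed sample: the hub's crypto and tunnel lines from the notes above, plus a
# hypothetical second mGRE tunnel that was left without tunnel protection.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
 mode transport
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco
interface Tunnel1
 tunnel mode gre multipoint
"""
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}

def sections(cfg):
    """Yield (top-level command, [its indented sub-commands]) in running-config order."""
    header, children = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header, children = line.strip(), []
    if header is not None:
        yield header, children

def audit_dmvpn_config(cfg):
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []
    for header, children in sections(cfg):
        words = header.split()
        if header.startswith("crypto isakmp key") and words[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.append("isakmp: wildcard pre-shared key, the same PSK is accepted from any peer")
        elif header.startswith("crypto isakmp policy"):
            missing = [k for k in ("encryption", "hash", "group") if not any(c.startswith(k + " ") for c in children)]
            if missing:
                findings.append(f"isakmp policy {words[-1]}: {', '.join(missing)} not set, platform defaults apply")
        elif header.startswith("crypto ipsec transform-set"):
            weak = sorted(WEAK_TRANSFORMS & set(words[4:]))
            if weak:
                findings.append(f"transform-set {words[3]}: weak algorithms {', '.join(weak)}")
        elif header.startswith("interface Tunnel") and "tunnel mode gre multipoint" in children:
            if not any(c.startswith("tunnel protection ipsec profile") for c in children):
                findings.append(f"{words[1]}: mGRE tunnel without tunnel protection, GRE goes out in cleartext")
    return findings
```

The same function runs unchanged over a full show running-config capture, since it only looks at the top-level commands and their indented children.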
Final router configurations
R1 configuration
!
hostname r1
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp network-id 10
ip nhrp nhs 172.16.1.100
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex half
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
R2 configuration
!
hostname r2
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp network-id 10
ip nhrp nhs 172.16.1.100
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
duplex half
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary
!
R3 configuration
!
hostname r3
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
!
interface Loopback0
ip address 192.168.100.1 255.255.255.0
!
!
interface Tunnel0
ip address 172.16.1.100 255.255.255.0
no ip next-hop-self eigrp 1
ip nhrp map multicast dynamic
ip nhrp map multicast 202.100.1.100
ip nhrp network-id 10
no ip split-horizon eigrp 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 202.100.1.100 255.255.255.0
duplex half
!
router eigrp 1
network 172.16.1.0 0.0.0.255
network 192.168.100.0
no auto-summary
!