Resource description
DMVPN example + DHCP + RTR + route-map practical configuration
Two spoke sites, Shanghai and Beijing (Cisco 831); I used one device in our server room as the hub. The public IPs were edited afterwards and are a bit messy, so please cross-check them against the topology diagram.
Everyone is familiar with the DMVPN configuration itself, and the routing policy is clear from the topology diagram. But how the traffic is actually routed, including the NAT, took me a long time and I also consulted a senior CCIE; it has been tested and works, so I am sharing it here.
IOS version: c831-k9o3sy6-mz.124-4.T4.bin
Server-room hub config (relevant parts)
crypto isakmp policy 1
authentication pre-share
crypto isakmp key asiavest address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
crypto ipsec transform-set set2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile vpn-prof
set transform-set set2
!
interface Tunnel1
bandwidth 512
ip address 10.255.255.1 255.255.255.0
no ip redirects
ip nat inside
ip nhrp authentication asiavest
ip nhrp map multicast dynamic
ip nhrp network-id 66
ip nhrp holdtime 300
ip virtual-reassembly
ip policy route-map bj-xxx
delay 100000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile vpn-prof
!
interface FastEthernet0/0
ip address 210.243.aa.xx 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed 10
!
interface FastEthernet0/1
ip address 210.17.bb.yy 255.255.255.224
duplex auto
speed auto
!
no ip classless
ip route 0.0.0.0 0.0.0.0 210.17.bb.ccc
ip route 192.168.1.0 255.255.255.0 10.255.255.3
ip route 192.168.2.0 255.255.255.0 10.255.255.2
ip route 218.242.dd.ff 255.255.255.255 210.17.bb.ccc
ip route 222.66.94.zz 255.255.255.252 210.17.bb.ccc
!
!
ip http server
no ip http secure-server
ip nat inside source list natuse interface FastEthernet0/0 overload
!
ip access-list extended natuse
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
!
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 115 deny ip 192.168.2.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 any
!
route-map bj-xxx permit 10
match ip address 115
set ip next-hop 210.243.hh.gg
!
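The part the post says was hardest to get right is the interaction of `route-map bj-xxx`, `access-list 115`, the static routes and NAT on the hub. The following Python model is an added example, not part of the original post: it applies the same ACL wildcard matching, route-map decision, longest-prefix routing and `ip nat inside`/`outside` placement as the hub config above to a few constructed flows. It assumes the masked next hop 210.243.hh.gg sits behind FastEthernet0/0 (the `ip nat outside` interface), which the post does not state explicitly; masked addresses are kept as opaque labels and never parsed.

```python
import ipaddress

# Hub-side forwarding state, transcribed from the hub configuration above.
# Addresses the post masks (210.243.hh.gg, 210.17.bb.ccc) stay as the same opaque labels;
# they are only carried through as next-hop names, never parsed.
STATIC_ROUTES = [                                    # ip route ...
    ("192.168.1.0/24", "10.255.255.3", "Tunnel1"),
    ("192.168.2.0/24", "10.255.255.2", "Tunnel1"),
    ("0.0.0.0/0", "210.17.bb.ccc", "FastEthernet0/1"),
]
PBR_NEXT_HOP = ("210.243.hh.gg", "FastEthernet0/0")  # route-map bj-xxx: set ip next-hop (assumed on Fa0/0)
NAT_OUTSIDE = {"FastEthernet0/0"}                    # ip nat outside (Tunnel1 is ip nat inside)
NAT_SOURCE_LIST = [                                  # ip access-list extended natuse
    ("192.168.1.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.0.255"),
]
ANY = ("0.0.0.0", "255.255.255.255")
ACL_115 = [                                          # (action, (src, wildcard), (dst, wildcard))
    ("deny",   ("192.168.1.0", "0.0.0.255"), ("192.0.0.0", "0.255.255.255")),
    ("deny",   ("192.168.2.0", "0.0.0.255"), ("192.0.0.0", "0.255.255.255")),
    ("permit", ("192.168.1.0", "0.0.0.255"), ANY),
    ("permit", ("192.168.2.0", "0.0.0.255"), ANY),
]


def wildcard_match(addr, net, wildcard):
    """IOS wildcard-mask test: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (s, sw), (d, dw) in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def rib_lookup(dst):
    """Longest-prefix match over the static routes."""
    best = None
    for prefix, next_hop, iface in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best[1], best[2]


def hub_forward(src, dst):
    """How the hub handles a packet that arrived on Tunnel1 from a spoke."""
    if acl_action(ACL_115, src, dst) == "permit":
        # route-map bj-xxx matched: policy-routed towards the Fa0/0 upstream
        next_hop, egress = PBR_NEXT_HOP
        path = "policy-routed"
    else:
        # denied or unmatched by the route-map ACL: ordinary destination-based routing
        next_hop, egress = rib_lookup(dst)
        path = "routed"
    # NAT applies only to inside->outside flows whose source is in list natuse
    translated = egress in NAT_OUTSIDE and any(wildcard_match(src, n, w) for n, w in NAT_SOURCE_LIST)
    return {"path": path, "next_hop": next_hop, "egress": egress, "nat": translated}


if __name__ == "__main__":
    # Constructed sample flows; 8.8.8.8 and 192.0.2.1 are just public-looking destinations
    for src, dst in [("192.168.2.10", "8.8.8.8"), ("192.168.1.10", "192.168.2.5"),
                     ("192.168.1.10", "192.0.2.1"), ("10.0.0.5", "8.8.8.8")]:
        print(f"{src:>13} -> {dst:<13} {hub_forward(src, dst)}")
```

Running it shows the intended behaviour (spoke Internet traffic is policy-routed out Fa0/0 and translated; spoke-to-spoke traffic is denied by ACL 115 and follows the static routes back into Tunnel1) and one side effect worth knowing: the deny lines cover all of 192.0.0.0/8, so a packet from a spoke LAN to a public address that happens to fall in 192.0.0.0/8 misses the route-map, takes the default route out FastEthernet0/1, and leaves with its private source address because Fa0/1 is not `ip nat outside`. Narrowing the deny lines to the two spoke LANs (192.168.1.0 0.0.0.255 and 192.168.2.0 0.0.0.255) keeps spoke-to-spoke traffic routed normally without that gap.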
Beijing 831 configuration (Beijing connects to the Internet via ADSL)
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.32 192.168.2.254
!
ip dhcp pool z
import all
network 192.168.2.0 255.255.255.0
dns-server 202.145.138.200 202.145.138.1 210.82.8.1 210.82.5.1
default-router 192.168.2.254
netbios-node-type h-node
!
!
ip cef
ip sla 1
icmp-echo 10.255.255.1 source-ip 10.255.255.2
timeout 2000
frequency 30
ip sla schedule 1 start-time now
vpdn enable
!
!
!
!
!
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key asiavest address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set set2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile vpn-prof
set transform-set set2
!
!
!
!
!
interface Tunnel1
bandwidth 512
ip address 10.255.255.2 255.255.255.0
no ip redirects
ip nhrp authentication asiavest
ip nhrp map 10.255.255.1 210.17.bb.yy
ip nhrp map multicast 210.17.bb.yy
ip nhrp network-id 66
ip nhrp holdtime 300
ip nhrp nhs 10.255.255.1
load-interval 30
delay 100000
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile vpn-prof
!
interface Ethernet0
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1344
ip policy route-map xxx
!
interface Ethernet1
description WAN conn ADSL Modem
ip address dhcp
duplex auto
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
no ip address
!
ip classless
!
ip http server
no ip http secure-server
!
ip nat inside source list 199 interface Dialer1 overload
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
!
route-map xxx permit 10
match ip address 100
set ip next-hop 10.255.255.1
Shanghai 831 (has a fixed IP)
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool z
import all
network 192.168.1.0 255.255.255.0
dns-server 202.145.138.200 202.145.138.1 210.82.8.1 210.82.5.1
default-router 192.168.1.1
netbios-node-type h-node
!
!
ip cef
ip sla 1
icmp-echo 10.255.255.1 source-ip 10.255.255.3
timeout 2000
frequency 30
ip sla schedule 1 start-time now
vpdn enable
!
!
!
!
!
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key asiavest address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set set2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile vpn-prof
set transform-set set2
!
!
!
!
!
interface Tunnel1
bandwidth 512
ip address 10.255.255.3 255.255.255.0
no ip redirects
ip nhrp authentication asiavest
ip nhrp map 10.255.255.1 210.17.bb.yyy
ip nhrp map multicast 210.17.bb.yyy
ip nhrp network-id 66
ip nhrp holdtime 300
ip nhrp nhs 10.255.255.1
load-interval 30
delay 100000
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile vpn-prof
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1344
ip policy route-map yyy
!
interface Ethernet1
description WAN conn
ip address 222.66.aa.bb 255.255.255.252
duplex auto
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
no ip address
!
ip classless
!
ip http server
no ip http secure-server
!
ip nat inside source list 199 interface Ethernet1 overload
!
ip route 0.0.0.0 0.0.0.0 222.66.aa.ff
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
route-map yyy permit 10
match ip address 100
set ip next-hop 10.255.255.1
!
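All three routers share the same crypto settings: an ISAKMP policy that sets only `authentication pre-share`, a pre-shared key bound to `address 0.0.0.0 0.0.0.0`, and transform set `esp-des esp-md5-hmac`. The script below is an added example, not from the post: it reads those lines (a constructed sample copied from the hub config, in the indented form `show running-config` prints) and reports what a reviewer would flag. The IOS defaults it assumes for an ISAKMP policy that leaves parameters unset are encryption des, hash sha and group 1; the 20-character key-length threshold is this script's own choice, not an IOS rule.

```python
import re

# Constructed sample: the crypto-relevant lines shared by the hub and spoke configs above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key asiavest address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set set2 esp-des esp-md5-hmac
 mode transport
!
ip http server
no ip http secure-server
"""

# ESP transforms IOS still accepts but that no new tunnel should carry
WEAK_TRANSFORMS = {
    "esp-null": "no encryption",
    "esp-des": "56-bit DES",
    "esp-3des": "3DES (64-bit block)",
    "esp-md5-hmac": "HMAC-MD5",
}
# Values IOS fills in when an isakmp policy leaves a parameter unset
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
# Explicit or default settings considered weak
WEAK_ISAKMP = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"), ("group", "1"), ("group", "2")}
MIN_PSK_LEN = 20  # threshold chosen for this script, not an IOS rule


def _check_policy(policy, seen, findings):
    """Evaluate one isakmp policy block, applying IOS defaults for unset parameters."""
    if policy is None:
        return
    for param, default in ISAKMP_DEFAULTS.items():
        value = seen.get(param, default)
        origin = "explicit" if param in seen else "implicit default"
        if (param, value) in WEAK_ISAKMP:
            findings.append({"check": f"isakmp-{param}", "severity": "high",
                             "detail": f"policy {policy}: {param} {value} ({origin})",
                             "fix": "set encryption aes 256 and the strongest hash/group the image offers"})


def audit(config_text):
    """Return a list of findings for the crypto-related lines of an IOS config."""
    findings = []
    policy, seen = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            _check_policy(policy, seen, findings)
            policy, seen = m.group(1), {}
            continue
        if policy is not None:
            m = re.match(r"(encryption|hash|group) (\S+)", line)
            if m:
                seen[m.group(1)] = m.group(2)
                continue
            if line.split()[0] in ("authentication", "lifetime"):
                continue
            _check_policy(policy, seen, findings)   # any other command ends the block
            policy, seen = None, {}
        m = re.match(r"crypto isakmp key (\S+) address (\S+) (\S+)", line)
        if m:
            key, addr, mask = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append({"check": "wildcard-psk", "severity": "high",
                                 "detail": "pre-shared key accepted from any peer address",
                                 "fix": "bind keys to static peers where possible, or use certificates"})
            if len(key) < MIN_PSK_LEN:
                findings.append({"check": "short-psk", "severity": "medium",
                                 "detail": f"pre-shared key is {len(key)} characters",
                                 "fix": f"use a random key of at least {MIN_PSK_LEN} characters"})
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            for t in m.group(2).split():
                if t in WEAK_TRANSFORMS:
                    findings.append({"check": "weak-transform", "severity": "high",
                                     "detail": f"{m.group(1)}: {t} ({WEAK_TRANSFORMS[t]})",
                                     "fix": "use esp-aes 256 with esp-sha-hmac or stronger"})
            continue
        if line == "ip http server":
            findings.append({"check": "http-server", "severity": "medium",
                             "detail": "plain-text HTTP management enabled",
                             "fix": "no ip http server, or restrict it with ip http access-class"})
    _check_policy(policy, seen, findings)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['check']}: {f['detail']} -> {f['fix']}")
```

The wildcard key is the usual trade-off in a DMVPN with DHCP-addressed spokes like the Beijing site: the hub cannot know the peer address in advance, so every peer presenting that key forms an IKE SA. Where a spoke has a static address (the Shanghai site) a per-peer key already narrows that, and certificate authentication removes the shared secret altogether. The parser also accepts the unindented form in which the post's configs are pasted, since it strips leading whitespace before matching.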
Related debugging commands
show crypto ipsec sa
show crypto isakmp sa
show crypto se
show dmvpn
show ip nhrp traffic