DMVPN example + DHCP + RTR + route-map: a practical configuration

Two spoke sites, Shanghai and Beijing (Cisco 831); I used one device in our server room as the hub. The public IPs got a bit messy when I edited this afterwards, so please compare against the topology diagram. Everyone knows how to configure DMVPN, and the routing policy is clear from the topology diagram, but how the routes actually flow, including the NAT, took me a long time, and I also consulted a senior CCIE. It has been tested and works, so I am sharing it here.

IOS version: c831-k9o3sy6-mz.124-4.T4.bin

Server-room hub config (relevant parts)

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key asiavest address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
!
crypto ipsec transform-set set2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpn-prof
 set transform-set set2
!
interface Tunnel1
 bandwidth 512
 ip address 10.255.255.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip nhrp authentication asiavest
 ip nhrp map multicast dynamic
 ip nhrp network-id 66
 ip nhrp holdtime 300
 ip virtual-reassembly
 ip policy route-map bj-xxx
 delay 100000
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 6
 tunnel protection ipsec profile vpn-prof
!
interface FastEthernet0/0
 ip address 210.243.aa.xx 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 10
!
interface FastEthernet0/1
 ip address 210.17.bb.yy 255.255.255.224
 duplex auto
 speed auto
!
no ip classless
ip route 0.0.0.0 0.0.0.0 210.17.bb.ccc
ip route 192.168.1.0 255.255.255.0 10.255.255.3
ip route 192.168.2.0 255.255.255.0 10.255.255.2
ip route 218.242.dd.ff 255.255.255.255 210.17.bb.ccc
ip route 222.66.94.zz 255.255.255.252 210.17.bb.ccc
!
ip http server
no ip http secure-server
ip nat inside source list natuse interface FastEthernet0/0 overload
!
ip access-list extended natuse
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 115 deny ip 192.168.2.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 any
!
route-map bj-xxx permit 10
 match ip address 115
 set ip next-hop 210.243.hh.gg
!

Beijing 831 config (Beijing connects to the Internet over ADSL)

no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.32 192.168.2.254
!
ip dhcp pool z
 import all
 network 192.168.2.0 255.255.255.0
 dns-server 202.145.138.200 202.145.138.1 210.82.8.1 210.82.5.1
 default-router 192.168.2.254
 netbios-node-type h-node
!
ip cef
ip sla 1
 icmp-echo 10.255.255.1 source-ip 10.255.255.2
 timeout 2000
 frequency 30
ip sla schedule 1 start-time now
vpdn enable
!
track 1 rtr 1 reachability
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key asiavest address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set set2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpn-prof
 set transform-set set2
!
interface Tunnel1
 bandwidth 512
 ip address 10.255.255.2 255.255.255.0
 no ip redirects
 ip nhrp authentication asiavest
 ip nhrp map 10.255.255.1 210.17.bb.yy
 ip nhrp map multicast 210.17.bb.yy
 ip nhrp network-id 66
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.255.1
 load-interval 30
 delay 100000
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 6
 tunnel protection ipsec profile vpn-prof
!
interface Ethernet0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1344
 ip policy route-map xxx
!
interface Ethernet1
 description WAN conn ADSL Modem
 ip address dhcp
 duplex auto
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 no ip address
!
ip classless
!
ip http server
no ip http secure-server
!
ip nat inside source list 199 interface Dialer1 overload
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
!
route-map xxx permit 10
 match ip address 100
 set ip next-hop 10.255.255.1
!

Shanghai 831 config (Shanghai has a fixed IP)

no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool z
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 202.145.138.200 202.145.138.1 210.82.8.1 210.82.5.1
 default-router 192.168.1.1
 netbios-node-type h-node
!
ip cef
ip sla 1
 icmp-echo 10.255.255.1 source-ip 10.255.255.3
 timeout 2000
 frequency 30
ip sla schedule 1 start-time now
vpdn enable
!
track 1 rtr 1 reachability
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key asiavest address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set set2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpn-prof
 set transform-set set2
!
interface Tunnel1
 bandwidth 512
 ip address 10.255.255.3 255.255.255.0
 no ip redirects
 ip nhrp authentication asiavest
 ip nhrp map 10.255.255.1 210.17.bb.yyy
 ip nhrp map multicast 210.17.bb.yyy
 ip nhrp network-id 66
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.255.1
 load-interval 30
 delay 100000
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 6
 tunnel protection ipsec profile vpn-prof
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1344
 ip policy route-map yyy
!
interface Ethernet1
 description WAN conn
 ip address 222.66.aa.bb 255.255.255.252
 duplex auto
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 no ip address
!
ip classless
!
ip http server
no ip http secure-server
!
ip nat inside source list 199 interface Ethernet1 overload
!
ip route 0.0.0.0 0.0.0.0 222.66.aa.ff
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
route-map yyy permit 10
 match ip address 100
 set ip next-hop 10.255.255.1
!

Related debug commands

show crypto ipsec sa
show crypto isakmp sa
show crypto se
show dmvpn
show ip nhrp traffic
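The part of this setup that the post says took the longest is how the hub decides what to do with traffic arriving from a spoke: route-map bj-xxx on Tunnel1 policy-routes anything ACL 115 permits toward 210.243.hh.gg (out FastEthernet0/0, where the natuse overload NAT applies), while the two deny lines let spoke-to-spoke traffic fall through to the static routes and go back into the tunnel. The following Python model, written for this page and not part of the original post, transcribes the hub's ACL 115, natuse list, route-map next hop and static routes and works out the outcome for a given source/destination pair. The mapping from next hop to egress interface (EGRESS_FOR_NEXT_HOP) is an assumption inferred from the interface addressing in the post; the test addresses are constructed.

```python
"""Model of the hub's forwarding decision for packets that arrive on Tunnel1.

Added example, not the post's own code. ACL_115, ACL_NATUSE, PBR_NEXT_HOP and
STATIC_ROUTES are transcribed from the hub config in the post; the
EGRESS_FOR_NEXT_HOP table is an assumption inferred from the interface addresses.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "<network> <wildcard>" in Cisco wildcard-mask form, or "any"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is a don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action == "permit"
    return False


# Transcribed from the hub config in the post.
ACL_115 = [
    AclEntry("deny",   "192.168.1.0 0.0.0.255", "192.0.0.0 0.255.255.255"),
    AclEntry("deny",   "192.168.2.0 0.0.0.255", "192.0.0.0 0.255.255.255"),
    AclEntry("permit", "192.168.1.0 0.0.0.255", "any"),
    AclEntry("permit", "192.168.2.0 0.0.0.255", "any"),
]
ACL_NATUSE = [
    AclEntry("permit", "192.168.1.0 0.0.0.255", "any"),
    AclEntry("permit", "192.168.2.0 0.0.0.255", "any"),
]
PBR_NEXT_HOP = "210.243.hh.gg"          # route-map bj-xxx: set ip next-hop
STATIC_ROUTES = {                       # prefix -> next hop (ip route lines)
    "0.0.0.0/0":      "210.17.bb.ccc",
    "192.168.1.0/24": "10.255.255.3",
    "192.168.2.0/24": "10.255.255.2",
}
# Assumption: which interface each next hop sits behind, inferred from the post's
# addressing (210.243.x.x is Fa0/0, 210.17.x.x is Fa0/1, 10.255.255.0/24 is Tunnel1).
EGRESS_FOR_NEXT_HOP = {
    "210.243.hh.gg": "FastEthernet0/0",
    "210.17.bb.ccc": "FastEthernet0/1",
    "10.255.255.2":  "Tunnel1",
    "10.255.255.3":  "Tunnel1",
}
NAT_OUTSIDE = {"FastEthernet0/0"}       # the only interface with "ip nat outside"


def longest_match(dst: str) -> str:
    """Ordinary destination routing over STATIC_ROUTES: longest prefix wins."""
    best_len, best_nh = -1, None
    d = ipaddress.IPv4Address(dst)
    for prefix, nh in STATIC_ROUTES.items():
        net = ipaddress.IPv4Network(prefix)
        if d in net and net.prefixlen > best_len:
            best_len, best_nh = net.prefixlen, nh
    return best_nh


def hub_forward(src: str, dst: str) -> dict:
    """Decide how the hub handles a packet received on Tunnel1 (ip nat inside).

    1. PBR first: "ip policy route-map bj-xxx" on Tunnel1. A packet ACL 115 permits
       gets next hop 210.243.hh.gg; a packet it denies falls through to routing.
    2. Otherwise the static routes decide.
    NAT: "ip nat inside source list natuse" only translates packets that leave via a
       nat-outside interface and that natuse permits.
    """
    if acl_permits(ACL_115, src, dst):
        nh, path = PBR_NEXT_HOP, "policy-routed"
    else:
        nh, path = longest_match(dst), "routed"
    egress = EGRESS_FOR_NEXT_HOP[nh]
    natted = egress in NAT_OUTSIDE and acl_permits(ACL_NATUSE, src, dst)
    return {"path": path, "next_hop": nh, "egress": egress, "nat": natted}


if __name__ == "__main__":
    # Constructed sample flows: Beijing LAN -> Internet, Beijing LAN -> Shanghai LAN,
    # and a packet sourced from the Beijing tunnel address itself.
    for src, dst in [("192.168.2.10", "202.145.138.200"),
                     ("192.168.2.10", "192.168.1.20"),
                     ("10.255.255.2", "202.145.138.200")]:
        print(f"{src} -> {dst}: {hub_forward(src, dst)}")
```

Running it shows the three cases the config is built around: LAN-to-Internet traffic is policy-routed to 210.243.hh.gg and NATed on FastEthernet0/0, LAN-to-LAN traffic is denied by ACL 115 and therefore follows the static route back into Tunnel1 untranslated, and traffic sourced from a tunnel address matches nothing in ACL 115 and takes the default route out FastEthernet0/1. Two things the model makes visible that a reviewer of this design would note: the deny lines cover all of 192.0.0.0/8, so a LAN packet to any public 192.x.x.x destination is also excluded from PBR and leaves via the default route with its private source address and no NAT; and the crypto in the post (esp-des with esp-md5-hmac, plus a pre-shared key bound to address 0.0.0.0 0.0.0.0) is well below current practice and would be the first thing to change when reusing this template.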