NHRP 相當於ARP
邏輯地址: 虛擬地址
物理地址: 公網IP
--------------------------
配置實例1
---Hub -----------------------------
enable
configure terminal
hostname Hub
interface fastethernet 0/1
description to-lan
ip address 192.168.100.1 255.255.255.0
no shutdown
interface fastethernet 0/0
description to-ct
ip address 202.100.1.100 255.255.255.0
no shutdown
exit
!
interface tunnel 0
ip address 172.16.1.100 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel key fnetlink123
ip nhrp network-id 10
ip nhrp authentication fnetlink
ip nhrp map multicast dynamic
no ip split-horizon eigrp 100
no ip next-hop-self eigrp 100
ip mtu 1400
tunnel protection ipsec profile dmvpn-profile
!
router eigrp 100
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.100.0 0.0.0.255
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
group 2
lifetime 86000
exit
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile dmvpn-profile
set transform-set cisco
!
--Spoke1 -----------------------
enable
configure terminal
hostname Spoke1
interface fastethernet 0/1
description to-lan
ip address 192.168.1.1 255.255.255.0
no shutdown
interface fastethernet 0/0
description to-ct
ip address 202.100.1.1 255.255.255.0
no shutdown
exit
!
interface tunnel 0
ip address 172.16.1.1 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel key fnetlink123
ip nhrp network-id 10
ip nhrp authentication fnetlink
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp nhs 172.16.1.100
ip mtu 1400
tunnel protection ipsec profile dmvpn-profile
!
router eigrp 100
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
group 2
lifetime 86000
exit
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile dmvpn-profile
set transform-set ciso
!
--Spoke2 -----------------------
enable
configure terminal
hostname Spoke2
interface fastethernet 0/1
description to-lan
ip address 192.168.2.1 255.255.255.0
no shutdown
interface fastethernet 0/0
description to-ct
ip address 202.100.1.2 255.255.255.0
no shutdown
exit
!
interface tunnel 0
ip address 172.16.1.2 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel key fnetlink123
ip nhrp network-id 10
ip nhrp authentication fnetlink
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp nhs 172.16.1.100
ip mtu 1400
tunnel protection ipsec profile dmvpn-profile
!
router eigrp 100
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
group 2
lifetime 86000
exit
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile dmvpn-profile
set transform-set cisco
!
=======================================
ping 192.168.2.1 source 192.168.1.1 re 100
=====================================================
配置實例2
---Hub -----------------------------
enable
configure terminal
hostname Hub
interface fastethernet 0/1
ip address 192.168.100.1 255.255.255.0
no shutdown
interface fastethernet 0/0
ip address 202.100.1.100 255.255.255.0
no shutdown
exit
!
interface tunnel 0
ip address 172.16.1.100 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel key fnetlink123
ip nhrp network-id 10
ip nhrp authentication fnetlink
ip nhrp map multicast dynamic
ip nhrp redirect
ip mtu 1400
tunnel protection ipsec profile dmvpn-profile
ip summary-address eigrp 100 192.168.0.0 255.255.0.0
!
router eigrp 100
no auto-summary
network 172.16.1.0 0.0.0.255
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
group 2
lifetime 86000
exit
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile dmvpn-profile
set transform-set cisco
!
--Spoke1 -----------------------
enable
configure terminal
hostname Spoke1
interface fastethernet 0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
interface fastethernet 0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
exit
!
interface tunnel 0
ip address 172.16.1.1 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel key fnetlink123
ip nhrp network-id 10
ip nhrp authentication fnetlink
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp nhs 172.16.1.100
ip nhrp shortcut
ip mtu 1400
tunnel protection ipsec profile dmvpn-profile
!
router eigrp 100
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
group 2
lifetime 86000
exit
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile dmvpn-profile
set transform-set ciso
!
--Spoke2 -----------------------
enable
configure terminal
hostname Spoke2
interface fastethernet 0/1
ip address 192.168.2.1 255.255.255.0
no shutdown
interface fastethernet 0/0
ip address 202.100.1.2 255.255.255.0
no shutdown
exit
!
interface tunnel 0
ip address 172.16.1.2 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel key fnetlink123
ip nhrp network-id 10
ip nhrp authentication fnetlink
ip nhrp map 172.16.1.100 202.100.1.100
ip nhrp map multicast 202.100.1.100
ip nhrp nhs 172.16.1.100
ip nhrp shortcut
ip mtu 1400
tunnel protection ipsec profile dmvpn-profile
!
router eigrp 100
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
group 2
lifetime 86000
exit
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile dmvpn-profile
set transform-set cisco
!
==========================================
ping 192.168.2.1 source 192.168.1.1 repeat 100