Dual-Hub, Single-DMVPN Design

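Advantages of DMVPN:

1. The hub router does not need a separate GRE tunnel and crypto map entry for each spoke site, which simplifies the IPsec configuration.

2. The hub site does not need to know the details of the spoke sites; even when a spoke site is added, no extra configuration is needed on the hub.

3. Spoke sites can learn port information dynamically.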

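Notes:

1. It normally operates in front of the address translation device; if placed behind it, a public IP address is required.

2. If it operates on an IOS router, a static translation must be configured.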

 

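Requirements:

1. Full connectivity across the whole network.

2. Spoke-to-spoke traffic does not pass through the hub site; spokes reach each other directly.

3. Internal routes are learned dynamically.

4. High availability from the spokes to the hub sites.

Configuration:

HUB1: primary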

interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip ospf network broadcast
 ip ospf priority 10
 delay 1000
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile liang

interface Ethernet0/0
 ip address 199.1.1.1 255.255.255.0
 half-duplex

router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 199.1.1.3

HUB2: secondary

interface Loopback0
 ip address 192.168.10.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 10.0.0.1 199.1.1.1
 ip nhrp network-id 10
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 5
 delay 1000
 tunnel source Ethernet0/1
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile liang

interface Ethernet0/1
 ip address 191.1.1.1 255.255.255.0
 half-duplex

router ospf 10
 router-id 2.2.2.2
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 1
 network 192.168.10.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 191.1.1.3

SPOKE1

interface Loopback0
 ip address 192.168.2.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.4 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 199.1.1.1
 ip nhrp map multicast 199.1.1.1
 ip nhrp map 10.0.0.2 191.1.1.1
 ip nhrp map multicast 191.1.1.1
 ip nhrp network-id 10
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Ethernet0/2
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile liang

interface Ethernet0/2
 ip address 202.1.1.1 255.255.255.0
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
router ospf 10
 router-id 4.4.4.4
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 1
 network 192.168.2.0 0.0.0.255 area 1
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 202.1.1.3

SPOKE2

interface Loopback0
 ip address 192.168.3.5 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.5 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 199.1.1.1
 ip nhrp map multicast 199.1.1.1
 ip nhrp map 10.0.0.2 191.1.1.1
 ip nhrp map multicast 191.1.1.1
 ip nhrp network-id 10
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Ethernet0/3
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile liang

interface Ethernet0/3
 ip address 203.1.1.1 255.255.255.0
 half-duplex
!
router ospf 10
 router-id 5.5.5.5
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 1
 network 192.168.3.0 0.0.0.255 area 1
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 203.1.1.3

SPOKE3

interface Loopback0
 ip address 192.168.4.6 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.6 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 199.1.1.1
 ip nhrp map multicast 199.1.1.1
 ip nhrp map 10.0.0.2 191.1.1.1
 ip nhrp map multicast 191.1.1.1
 ip nhrp network-id 10
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile liang
!
interface Ethernet0/0
 ip address 204.1.1.1 255.255.255.0
 half-duplex

router ospf 10
 router-id 6.6.6.6
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 1
 network 192.168.4.0 0.0.0.255 area 1
 network 192.168.6.0 0.0.0.255 area 1
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 204.1.1.3

spoke3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 204.1.1.3 to network 0.0.0.0

C    204.1.1.0/24 is directly connected, Ethernet0/0
     192.168.10.0/32 is subnetted, 1 subnets
O IA    192.168.10.1 [110/11112] via 10.0.0.2, 00:00:46, Tunnel0 
     192.168.4.0/32 is subnetted, 1 subnets
C       192.168.4.6 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel0
     192.168.1.0/32 is subnetted, 1 subnets
O IA    192.168.1.1 [110/11112] via 10.0.0.1, 00:00:46, Tunnel0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.1 [110/11112] via 10.0.0.4, 00:00:46, Tunnel0
     192.168.3.0/32 is subnetted, 1 subnets
O       192.168.3.5 [110/11112] via 10.0.0.5, 00:00:46, Tunnel0    (next hop is the spoke)
S*   0.0.0.0/0 [1/0] via 204.1.1.3

hub1#show ip nhrp   (Next Hop Resolution Protocol)
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:32:03, expire 01:27:56
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 191.1.1.1
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:30:03, expire 01:29:56
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 202.1.1.1
10.0.0.5/32 via 10.0.0.5, Tunnel0 created 00:30:07, expire 01:29:52
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 203.1.1.1
10.0.0.6/32 via 10.0.0.6, Tunnel0 created 00:30:48, expire 01:29:11
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 204.1.1.1


hub1(config)#int tunnel 0     (shut down hub1)
hub1(config-if)#sh
hub1(config-if)#
*Mar  1 01:42:09.831: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 01:42:09.831: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from 2WAY to DOWN, Neighbor Down: Interface down or detached
*Mar  1 01:42:09.835: %OSPF-5-ADJCHG: Process 10, Nbr 5.5.5.5 on Tunnel0 from 2WAY to DOWN, Neighbor Down: Interface down or detached
*Mar  1 01:42:09.835: %OSPF-5-ADJCHG: Process 10, Nbr 6.6.6.6 on Tunnel0 from 2WAY to DOWN, Neighbor Down: Interface down or detached
hub1(config-if)#
*Mar  1 01:42:09.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
hub1(config-if)#
*Mar  1 01:42:11.795: %LINK-5-CHANGED: Interface Tunnel0, changed state to administratively down
hub1(config-if)#
*Mar  1 01:42:11.875: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=199.1.1.1, prot=50, spi=0x5F017E4E(1593933390), srcaddr=202.1.1.1
hub1(config-if)#
*Mar  1 01:42:12.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
 

hub1(config-if)#int e0/0
hub1(config-if)#sh
hub1(config-if)#
*Mar  1 01:42:28.855: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*Mar  1 01:42:29.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down

Look at the spoke routing table again: routes are still being learned, so high availability is achieved.

spoke3#show ip route ospf
     192.168.10.0/32 is subnetted, 1 subnets
O IA    192.168.10.1 [110/11112] via 10.0.0.2, 00:00:02, Tunnel0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.1 [110/11112] via 10.0.0.4, 00:00:02, Tunnel0
     192.168.3.0/32 is subnetted, 1 subnets
O       192.168.3.5 [110/11112] via 10.0.0.5, 00:00:02, Tunnel0

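We run OSPF here. EIGRP can of course be used as well, but split horizon must be disabled; otherwise traffic is still sent to the hub site and our effort is wasted.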
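The failover shown above only works if every spoke carries a complete set of entries for both hubs. As an added example (not part of the original post), this Python check audits a spoke's Tunnel0 stanza against a hub's; the function names `parse` and `audit_spoke` are hypothetical and the sample stanzas are abridged from the HUB1 and SPOKE1 configs on this page.

```python
import re

# Abridged Tunnel0 stanzas copied from the HUB1 and SPOKE1 configs on this page.
HUB1 = """interface Tunnel0
 ip nhrp authentication cisco
 tunnel key 123456
"""
SPOKE1 = """interface Tunnel0
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 199.1.1.1
 ip nhrp map multicast 199.1.1.1
 ip nhrp map 10.0.0.2 191.1.1.1
 ip nhrp map multicast 191.1.1.1
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip ospf priority 0
 tunnel key 123456
"""

def parse(cfg):
    """Extract the DMVPN-relevant settings from one tunnel stanza."""
    def one(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    return {
        "auth": one(r"^ ip nhrp authentication (\S+)"),
        "key": one(r"^ tunnel key (\d+)"),
        "prio": one(r"^ ip ospf priority (\d+)"),
        "nhs": re.findall(r"^ ip nhrp nhs (\S+)", cfg, re.M),
        # tunnel IP -> NBMA address; "map multicast ..." lines are excluded by \d
        "maps": dict(re.findall(r"^ ip nhrp map (\d\S*) (\S+)", cfg, re.M)),
        "mcast": re.findall(r"^ ip nhrp map multicast (\S+)", cfg, re.M),
    }

def audit_spoke(spoke_cfg, hub_cfg, min_hubs=2):
    """Return a list of findings; an empty list means the spoke passes."""
    s, h = parse(spoke_cfg), parse(hub_cfg)
    out = [f"{k} does not match the hub" for k in ("auth", "key") if s[k] != h[k]]
    if len(s["nhs"]) < min_hubs:
        out.append(f"only {len(s['nhs'])} NHS configured: no hub redundancy")
    for nhs in s["nhs"]:
        nbma = s["maps"].get(nhs)
        if nbma is None:
            out.append(f"NHS {nhs} has no static NHRP mapping")
        elif nbma not in s["mcast"]:
            out.append(f"no multicast map to {nbma}: OSPF hellos cannot reach {nhs}")
    if s["prio"] != "0":
        out.append("OSPF priority is not 0: spoke could be elected DR")
    return out
```

Calling `audit_spoke(SPOKE1, HUB1)` returns an empty list for the configuration shown on this page.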
