DMVPN with NHRP

hostname hub
!

crypto isakmp policy 20
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto ipsec profile test
set transform-set test
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1000
ip nhrp holdtime 600
no ip split-horizon eigrp 1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile test
!
interface Ethernet0/0
ip address 172.17.0.1 255.255.255.0
half-duplex
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.1.0
no auto-summary

hub#sh ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:45:18, expire 00:04:49
Type: dynamic, Flags: authoritative unique registered
NBMA address: 172.17.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:12:21, expire 00:03:19
Type: dynamic, Flags: authoritative unique registered
NBMA address: 172.17.0.3

hub#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

172.17.0.0/24 is subnetted, 1 subnets
C 172.17.0.0 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
C 192.168.1.0/24 is directly connected, Loopback0
D 192.168.2.0/24 [90/297372416] via 10.0.0.2, 00:11:31, Tunnel0
D 192.168.3.0/24 [90/297372416] via 10.0.0.3, 00:10:50, Tunnel0

hub#sh crypto map
Crypto Map "Tunnel0-head-0" 1 ipsec-isakmp
Profile name: test
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
test,
}

Crypto Map "Tunnel0-head-0" 2 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 172.17.0.2
Extended IP access list
access-list permit gre host 172.17.0.1 host 172.17.0.2
Current peer: 172.17.0.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
test,
}

Crypto Map "Tunnel0-head-0" 3 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 172.17.0.3
Extended IP access list
access-list permit gre host 172.17.0.1 host 172.17.0.3
Current peer: 172.17.0.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
test,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
============================================
hostname r2
!
crypto isakmp policy 20
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map test local-address Ethernet0/0
crypto map test 10 ipsec-isakmp
set peer 172.17.0.1
set security-association level per-host
set transform-set test
match address 101
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
ip mtu 1436
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp network-id 1000
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
tunnel source Ethernet0/0
tunnel destination 172.17.0.1
tunnel key 100000
crypto map test
!
interface Ethernet0/0
ip address 172.17.0.2 255.255.255.0
half-duplex
crypto map test
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.2.0
no auto-summary
!
access-list 101 permit gre host 172.17.0.2 host 172.17.0.1

r2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:40:46, never expire
Type: static, Flags: authoritative
NBMA address: 172.17.0.1

r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

172.17.0.0/24 is subnetted, 1 subnets
C 172.17.0.0 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
D 192.168.1.0/24 [90/297372416] via 10.0.0.1, 00:13:45, Tunnel0
C 192.168.2.0/24 is directly connected, Loopback0
D 192.168.3.0/24 [90/310172416] via 10.0.0.1, 00:13:06, Tunnel0

r2#sh crypto map
Crypto Map: "test" idb: Ethernet0/0 local address: 172.17.0.2

Crypto Map "test" 10 ipsec-isakmp
Peer = 172.17.0.1
Extended IP access list 101
access-list 101 permit gre any host 172.17.0.1
Aggregation level: per-host
Current peer: 172.17.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
test,
}
Interfaces using crypto map test:
Tunnel0
Ethernet0/0

=================================================
hostname r3
!
crypto isakmp policy 20
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto ipsec profile test
set transform-set test
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.0.3 255.255.255.0
ip mtu 1436
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp network-id 1000
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
tunnel source Ethernet0/0
tunnel destination 172.17.0.1
tunnel key 100000
tunnel protection ipsec profile test
!
interface Ethernet0/0
ip address 172.17.0.3 255.255.255.0
half-duplex
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.3.0
no auto-summary
!
r3#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:04:58, never expire
Type: static, Flags: authoritative
NBMA address: 172.17.0.1

r3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

172.17.0.0/24 is subnetted, 1 subnets
C 172.17.0.0 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
D 192.168.1.0/24 [90/297372416] via 10.0.0.1, 00:01:46, Tunnel0
D 192.168.2.0/24 [90/310172416] via 10.0.0.1, 00:01:46, Tunnel0
C 192.168.3.0/24 is directly connected, Loopback0

r3#sh cry map
Crypto Map "Tunnel0-head-0" 1 ipsec-isakmp
Profile name: test
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
test,
}

Crypto Map "Tunnel0-head-0" 2 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 172.17.0.1
Extended IP access list
access-list permit gre host 172.17.0.3 host 172.17.0.1
Current peer: 172.17.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
test,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0

r3#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms

r3#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/28 ms
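
The configurations above share settings worth checking before reuse: the ISAKMP key `cisco` is bound to `address 0.0.0.0 0.0.0.0`, the same string is used for `ip nhrp authentication`, the ISAKMP policy sets only `authentication pre-share`, and r2 attaches IPsec with a crypto map where the hub and r3 use `tunnel protection`. The Python audit below is an added example, not part of the original post; the name `audit` and the finding texts are assumptions made here, and the sample input is an excerpt of the r2 configuration from this page.

```python
import re

# Excerpt of the r2 spoke configuration from this page, "!" separators kept.
R2_CONFIG = """\
crypto isakmp policy 20
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
interface Tunnel0
ip nhrp authentication cisco
tunnel key 100000
crypto map test
!
interface Ethernet0/0
crypto map test
"""

SECTION = re.compile(r"^(interface \S+|crypto isakmp policy \d+)$")
PSK = re.compile(r"^crypto isakmp key (\S+) address (\S+)(?: (\S+))?$")
# Policy sub-commands compared by 4-char prefix (IOS may print "encr").
REQUIRED = {"encr": "encryption", "hash": "hash", "grou": "group"}

def audit(config):
    """Return sorted findings for a flat (unindented) IOS config.
    Assumes crypto commands precede interfaces, as in the listings above."""
    findings, section, psk, policies = set(), None, None, {}
    for line in (raw.strip() for raw in config.splitlines()):
        if not line:
            continue
        m = PSK.match(line)
        if line == "!" or m:
            section = None  # "!" or a global command closes the open block
        if m:
            psk = m.group(1)
            if m.group(2) == m.group(3) == "0.0.0.0":
                findings.add("isakmp pre-shared key accepted from any peer address")
        elif SECTION.match(line):
            section = line
            if line.startswith("crypto isakmp policy"):
                policies[line] = set()
        elif section in policies:
            policies[section].add(line.split()[0][:4])
        elif section and section.startswith("interface Tunnel"):
            if line.startswith("ip nhrp authentication ") and line.split()[-1] == psk:
                findings.add("NHRP authentication string equals the ISAKMP key")
            if line.startswith("crypto map "):
                findings.add(section + ": crypto map used instead of tunnel protection")
    for name, seen in policies.items():
        missing = sorted(v for k, v in REQUIRED.items() if k not in seen)
        if missing:
            findings.add(name + ": " + ", ".join(missing) + " left at platform default")
    return sorted(findings)
```

Calling `audit(R2_CONFIG)` returns four findings; a configuration with per-peer keys, an explicit policy and `tunnel protection` returns an empty list.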

 

Reposted from: http://www.net130.com/CMS/Pub/Tech/tech_zh/2005_08_17_63668.htm
