1. Topology

(The topology diagram is not reproduced here.) R1 is the DMVPN hub, R2 and R3 are spokes, and R4 stands in for the Internet: R1 f0/0 (202.14.1.1/30), R2 f0/0 (202.24.1.1/30) and R3 f0/0 (202.34.1.1/30) connect to R4 e0/0, e0/1 and e0/2 respectively. The mGRE overlay is 172.16.1.0/24, and each router's loopback 0 (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) represents its site LAN.

2. Basic interface configuration

R1:

R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip add 202.14.1.1 255.255.255.252
R1(config-if)#no sh


R1(config-if)#int l0
R1(config-if)#ip add 192.168.1.1 255.255.255.0

R2:

R2#config t
R2(config)#int f0/0
R2(config-if)#ip add 202.24.1.1 255.255.255.252
R2(config-if)#no sh

R2(config)#int l0
R2(config-if)#ip add 192.168.2.1 255.255.255.0

R3:

R3(config)#int f0/0
R3(config-if)#ip add 202.34.1.1 255.255.255.252
R3(config-if)#no sh

R3(config)#int l0
R3(config-if)#ip add 192.168.3.1 255.255.255.0

R4:

R4(config)#int e0/0
R4(config-if)#ip add 202.14.1.2 255.255.255.252
R4(config-if)#no sh

R4(config)#int e0/1
R4(config-if)#ip add 202.24.1.2 255.255.255.252
R4(config-if)#no sh

R4(config-if)#int e0/2
R4(config-if)#ip add 202.34.1.2 255.255.255.252
R4(config-if)#no sh

3. Routing configuration (default routes toward R4)

R1(config)#ip route 0.0.0.0 0.0.0.0 202.14.1.2
R2(config)#ip route 0.0.0.0 0.0.0.0 202.24.1.2
R3(config)#ip route 0.0.0.0 0.0.0.0 202.34.1.2

5. mGRE, NHRP and dynamic routing configuration

R1:

R1(config)#int tunnel 0
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel source f0/0
R1(config-if)#tunnel key 12345

R1(config-if)#ip nhrp network-id 10
R1(config-if)#ip nhrp authentication cisco
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp redirect

R1(config)#int tunnel 0
R1(config-if)#ip ospf network broadcast
R1(config-if)#ip ospf cost 255
R1(config)#router ospf 1
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#network 172.16.1.0 0.0.0.255 area 0

Note: a tunnel interface defaults to the OSPF point-to-point network type, which is meant for a single neighbor; the FULL/DROTHER and FULL/BDR states shown in section 6 only occur with `ip ospf network broadcast`, which is therefore set above and is needed on the tunnel interface of every router in the cloud. On an NBMA cloud the hub must be the DR, because the spokes have no direct adjacency with each other: either give the hub's tunnel interface a high priority, or set a low priority on each spoke's tunnel interface with `ip ospf priority 0`.



R2:

R2(config)#int tunnel 0
R2(config-if)#ip add 172.16.1.2 255.255.255.0
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#tunnel source f0/0
R2(config-if)#tunnel key 12345

R2(config-if)#ip nhrp network-id 10
R2(config-if)#ip nhrp authentication cisco
R2(config-if)#ip nhrp map 172.16.1.1 202.14.1.1
R2(config-if)#ip nhrp map multicast 202.14.1.1
R2(config-if)#ip nhrp nhs 172.16.1.1
R2(config-if)#ip nhrp shortcut
R2(config-if)#ip ospf network broadcast

R2(config)#router ospf 1
R2(config-router)#network 192.168.2.0 0.0.0.255 area 0
R2(config-router)#network 172.16.1.0 0.0.0.255 area 0

R3:

R3(config)#int tunnel 0
R3(config-if)#ip add 172.16.1.3 255.255.255.0
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel source f0/0
R3(config-if)#tunnel key 12345

R3(config-if)#ip nhrp network-id 10
R3(config-if)#ip nhrp authentication cisco
R3(config-if)#ip nhrp map 172.16.1.1 202.14.1.1
R3(config-if)#ip nhrp map multicast 202.14.1.1
R3(config-if)#ip nhrp nhs 172.16.1.1
R3(config-if)#ip nhrp shortcut
R3(config-if)#ip ospf network broadcast

R3(config)#router ospf 1
R3(config-router)#network 192.168.3.0 0.0.0.255 area 0
R3(config-router)#network 172.16.1.0 0.0.0.255 area 0

6. Verifying mGRE, NHRP and dynamic routing:

A.mGRE
R1#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/96/120 ms
R1#ping 172.16.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/101/164 ms

B. NHRP

R1#show ip nhrp
172.16.1.2/32 via 172.16.1.2
   Tunnel0 created 00:54:41, expire 01:05:18
   Type: dynamic, Flags: unique registered used
   NBMA address: 202.24.1.1
172.16.1.3/32 via 172.16.1.3
   Tunnel0 created 00:39:39, expire 01:20:20
   Type: dynamic, Flags: unique registered used
   NBMA address: 202.34.1.1

C. OSPF

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.2.1       1   FULL/DROTHER    00:00:35    172.16.1.2      Tunnel0
192.168.3.1       1   FULL/BDR        00:00:35    172.16.1.3      Tunnel0
R1#



7. IPsec configuration

The configuration is identical on R1, R2 and R3. Up to this point everything inside the tunnel (the GRE key, the NHRP authentication string, NHRP registrations and resolutions, OSPF) crosses R4 in cleartext; `ip nhrp authentication` only discards NHRP packets whose string does not match, it does not protect them.

A. Phase 1 (ISAKMP) policy:
(config)#crypto isakmp policy 10
(config-isakmp)#group 2
(config-isakmp)#hash md5
(config-isakmp)#encryption des
(config-isakmp)#authentication pre-share
(config-isakmp)#exit
(config)#crypto isakmp key 0 cisco address 0.0.0.0

Note: this policy is lab-grade only. DES and MD5 are deprecated and DH group 2 (1024-bit) is too weak for new deployments; `address 0.0.0.0` is a wildcard, so any peer presenting the key `cisco` is accepted, and the same key is shared by every member of the cloud. Outside the lab use AES, SHA-2 and group 14 or higher, and a long random key or certificates.

B. Phase 2 (IPsec) transform set:
(config)#crypto ipsec transform-set transet esp-des esp-md5-hmac
(cfg-crypto-trans)#mode transport

Transport mode is used because the GRE tunnel already supplies the outer IP header; tunnel mode would only add a second one to every packet.

C. Create the IPsec profile and bind the transform set to it:
(config)#crypto ipsec profile myprofile
(ipsec-profile)#set transform-set transet

D. Apply the profile on the tunnel interface:

(config)#int tunnel 0
(config-if)#tunnel protection ipsec profile myprofile
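The four steps above work, but DES, MD5 and group 2 should not leave the lab, and a wildcard pre-shared key of `cisco` is accepted from any peer that knows it. The following is an added example, not part of the original lab, showing the same four steps with current algorithms on an IOS 15.x image (the keywords `aes 256`, `sha256`, `group 14`, `esp-aes 256` and `esp-sha256-hmac` assume that release) plus dead-peer detection; `<long-random-psk>` is a placeholder that must be replaced with a real secret. The verification commands at the end are the ones to run once the spokes have registered.

```cisco
! Added example (not the lab's own config): hardened IKEv1/IPsec for the DMVPN tunnel.
! Assumes IOS 15.x. Apply identically on R1, R2 and R3.
!
! A. Phase 1: AES-256 / SHA-256 / DH group 14 instead of DES / MD5 / group 2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
! Dead-peer detection: probe every 10 s, retry every 3 s once a peer stops
! answering, so stale SAs toward an unreachable spoke are torn down.
crypto isakmp keepalive 10 3
!
! The wildcard address is what lets Phase 3 shortcut tunnels come up spoke-to-spoke
! with a PSK: every spoke must be able to authenticate every other spoke, not only
! the hub. The trade-off is that one compromised spoke holds the key for the whole
! cloud. Per-peer keys on the hub, or certificates (authentication rsa-sig) on all
! members, remove that. "key 0" means the key is typed in cleartext; to store it as
! type 6, configure "key config-key password-encrypt" and "password encryption aes"
! first. <long-random-psk> is a placeholder, replace it.
crypto isakmp key 0 <long-random-psk> address 0.0.0.0 0.0.0.0
!
! B. Phase 2: transport mode, because GRE already supplies the outer IP header
crypto ipsec transform-set transet esp-aes 256 esp-sha256-hmac
 mode transport
!
! C. Bind the transform set to the profile
crypto ipsec profile myprofile
 set transform-set transet
!
! D. Protect the mGRE tunnel. The GRE key and the NHRP authentication string are
! sent in cleartext; this line is the only thing that actually protects them.
interface Tunnel0
 tunnel protection ipsec profile myprofile
!
! Verification, on the hub once the spokes have registered:
!  show crypto isakmp sa      -> one QM_IDLE entry per spoke NBMA address
!  show crypto ipsec sa       -> #pkts encaps/decaps counters rising on Tunnel0
!  show dmvpn                 -> each peer in state UP with its NBMA address
!  show crypto engine connections active -> active SAs and the algorithms in use
```

If the spokes need to authenticate each other with per-peer secrets rather than one shared key, certificates (or IKEv2 with a keyring) are the practical route; a per-peer `crypto isakmp key ... address <spoke-nbma>` list would have to be replicated to every spoke and updated on every change.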

8. Testing spoke-to-spoke traffic

R2#traceroute 192.168.3.1 source 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.3.1

  1 172.16.1.3 180 msec *  168 msec

The first hop is R3 itself: once the NHRP shortcut has been resolved, spoke-to-spoke traffic, and the IPsec SA that protects it, goes directly between R2 and R3 without transiting the hub. The NHRP tables below show why the spokes can build that IPsec session: R2 has learned R3's NBMA address 202.34.1.1 and an entry for 192.168.3.0/24 via 172.16.1.3, and R3 holds the mirror entries. `static` entries are the configured hub mappings and never expire; `dynamic` entries come from spoke registration (on the hub) or from the redirect/resolution exchange (on the spokes). A spoke's entry for its own prefix is marked `(no-socket)`, meaning no crypto socket, and hence no IPsec SA, is created for it.

R1#show ip nhrp
172.16.1.2/32 via 172.16.1.2
   Tunnel0 created 00:39:39, expire 01:42:19
   Type: dynamic, Flags: unique registered
   NBMA address: 202.24.1.1
172.16.1.3/32 via 172.16.1.3
   Tunnel0 created 00:39:35, expire 01:42:21
   Type: dynamic, Flags: unique registered
   NBMA address: 202.34.1.1
R1#

R2#show ip nhrp
172.16.1.1/32 via 172.16.1.1
   Tunnel0 created 00:39:15, never expire
   Type: static, Flags: used
   NBMA address: 202.14.1.1
172.16.1.3/32 via 172.16.1.3
   Tunnel0 created 00:29:53, expire 01:54:03
   Type: dynamic, Flags: router implicit
   NBMA address: 202.34.1.1
192.168.2.0/24 via 172.16.1.2
   Tunnel0 created 00:05:56, expire 01:54:03
   Type: dynamic, Flags: router unique local
   NBMA address: 202.24.1.1
    (no-socket)
192.168.3.0/24 via 172.16.1.3
   Tunnel0 created 00:29:50, expire 01:30:09
   Type: dynamic, Flags: router
   NBMA address: 202.34.1.1

R3#show ip nhrp
172.16.1.1/32 via 172.16.1.1
   Tunnel0 created 00:39:45, never expire
   Type: static, Flags: used
   NBMA address: 202.14.1.1
172.16.1.2/32 via 172.16.1.2
   Tunnel0 created 00:30:23, expire 01:29:36
   Type: dynamic, Flags: router implicit
   NBMA address: 202.24.1.1
192.168.2.0/24 via 172.16.1.2
   Tunnel0 created 00:06:30, expire 01:53:29
   Type: dynamic, Flags: router
   NBMA address: 202.24.1.1
192.168.3.0/24 via 172.16.1.3
   Tunnel0 created 00:30:23, expire 01:29:36
   Type: dynamic, Flags: router unique local
   NBMA address: 202.34.1.1
    (no-socket)