Topology notes:
1. R1 is the headquarters, R2 is the ISP, R3 is branch 1, R4 is branch 2
R1:
Step 1: configure mGRE and NHRP first
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
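! enable NHRP authentication (optional)
ip nhrp authentication cisco
! dynamically accept multicast mappings
ip nhrp map multicast dynamic
! every device must be configured with the same network ID
ip nhrp network-id 10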
tunnel source 12.1.1.1
! multipoint GRE mode
tunnel mode gre multipoint
! recommended; on older versions the tunnel will not come up without it
tunnel key 12345
!
interface Ethernet0/0
ip address 12.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
! check whether the spokes have registered with the hub
R1#sh ip nhrp
Step 2: configure the dynamic routing protocol
router eigrp 90
network 1.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
int tun 0
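! disable split horizon; otherwise R3 only has R1's routes and none of R4's
no ip split-horizon eigrp 90
! stop the hub from rewriting the next hop to itself, so that R3 reaches R4 directly instead of going through the hub
no ip next-hop-self eigrp 90
Step 3: configure IPsec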
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
int tun 0
ip mtu 1400
tunnel protection ipsec profile cisco
R3:
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.3 255.255.255.0
no ip redirects
ip nhrp authentication cisco
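! every spoke needs a static mapping from the hub's tunnel (virtual) address to its public address
ip nhrp map 172.16.1.1 12.1.1.1
! every spoke must manually map multicast to the hub's public address, so that the spoke and hub can later run a dynamic routing protocol
ip nhrp map multicast 12.1.1.1
ip nhrp network-id 10
! NHRP server (NHS) address; once the spoke is up it registers its tunnel-address-to-public-address mapping with this server
ip nhrp nhs 172.16.1.1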
tunnel source 23.1.1.3
tunnel mode gre multipoint
tunnel key 12345
!
interface Ethernet0/0
ip address 23.1.1.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
Step 2: configure the dynamic routing protocol
router eigrp 90
network 3.3.3.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
Step 3: configure IPsec
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set transform-set cisco
int tun 0
ip mtu 1400
tunnel protection ipsec profile cisco
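
An added example, not part of the original notes: a small Python check that flags the weak IKE/IPsec choices in the Step 3 configuration used on R1 and R3 (3DES, MD5, DH group 2, and a pre-shared key bound to 0.0.0.0). The names audit, PAGE_CONFIG and STRONGER_CONFIG, the rule set, and the values in the comparison config are assumptions of this example.

```python
import re

# Constructed input: the Step 3 crypto lines as shown on the page (same on R1 and R3).
PAGE_CONFIG = """\
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
"""

# Constructed comparison; EXAMPLE-KEY is a placeholder, keywords assume a recent IOS release.
STRONGER_CONFIG = """\
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp key EXAMPLE-KEY address 23.1.1.3
!
crypto ipsec transform-set cisco esp-aes 256 esp-sha256-hmac
"""

IKE_RULES = {  # sub-commands, checked only inside a "crypto isakmp policy" block
    r"encr(yption)?\s+(des|3des)$": "IKE encryption is DES/3DES",
    r"hash\s+md5$": "IKE hash is MD5",
    r"group\s+(1|2|5)$": "IKE Diffie-Hellman group is 1, 2 or 5",
}
GLOBAL_RULES = {  # top-level commands; the rule set is this example's own choice
    r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$": "pre-shared key accepted from any peer",
    r"crypto ipsec transform-set \S+ .*\besp-(des|3des)\b": "ESP encryption is DES/3DES",
    r"crypto ipsec transform-set \S+ .*\besp-md5-hmac\b": "ESP integrity is HMAC-MD5",
}

def audit(config):  # returns (line_no, line, finding) for each weak setting
    findings, in_ike = [], False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("crypto isakmp policy"):
            in_ike = True
            continue
        # "!" or any new top-level section ends the IKE policy block
        if line.startswith("!") or re.match(r"crypto|int|router", line):
            in_ike = False
        rules = IKE_RULES if in_ike else GLOBAL_RULES
        findings += [(n, line, msg) for pat, msg in rules.items() if re.match(pat, line)]
    return findings
```

Calling audit(PAGE_CONFIG) returns six findings, while audit(STRONGER_CONFIG) returns none.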