R1 (branch site)
|
R2 (hub site)
|
R3 (branch site)
|
Initial configuration
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
ip address 10.1.123.1 255.255.255.0
|
Initial configuration
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/0
ip address 10.1.123.2 255.255.255.0
|
Initial configuration
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface FastEthernet0/0
ip address 10.1.123.3 255.255.255.0
|
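Configure mGRE + NHRP: step 2 (branch site)
interface Tunnel0
ip address 100.1.123.1 255.255.255.0
ip nhrp authentication cisco (the NHRP server uses authentication, so the branch must use it too)
ip nhrp map 100.1.123.2 10.1.123.2 (to register with the NHRP hub, a static mapping for the hub is required; it maps the hub's mGRE tunnel address to the hub's physical address)
ip nhrp map multicast 10.1.123.2 (converts multicast traffic to unicast and sends it to the hub; use the hub's physical address)
ip nhrp network-id 10 (must match the hub)
ip nhrp nhs 100.1.123.2 (the branch needs to know the address of the NHS; use the hub's GRE tunnel address)
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123 (the hub sets it, so the branch must set it too)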
|
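Configure mGRE + NHRP on the hub site: step 1
interface Tunnel0 (a tunnel interface that is simply brought up defaults to a point-to-point tunnel)
ip address 100.1.123.2 255.255.255.0
ip nhrp authentication cisco (used for NHRP authentication)
ip nhrp map multicast dynamic (dynamic routing protocols mostly use multicast to form neighbor relationships, so multicast must be mapped as well; the hub does not know the branches' physical addresses, so it learns them dynamically. Enter this before NHRP registration starts; if there is a problem, do shutdown and no shutdown on the hub)
ip nhrp network-id 10 (enables NHRP; the ID acts like an NHRP process ID, and every branch and the hub must use the same ID)
tunnel source FastEthernet0/0 (a multipoint GRE tunnel has a source but no destination)
tunnel mode gre multipoint (changes the tunnel mode to multipoint GRE)
tunnel key 123 (on the old 12.3 releases the tunnel will not come up without it; on 12.4 it does not matter and can be omitted. Its purpose is to tell apart multiple mGRE tunnels on one device; optional on newer releases)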
|
Configure mGRE + NHRP: step 3 (branch site)
This branch site's configuration is the same as R1's
interface Tunnel0
ip address 100.1.123.3 255.255.255.0
ip nhrp authentication cisco
ip nhrp map 100.1.123.2 10.1.123.2
ip nhrp map multicast 10.1.123.2
ip nhrp network-id 10
ip nhrp nhs 100.1.123.2
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
|
Verify that NHRP is working
R1#show ip nhrp
100.1.123.2/32 via 100.1.123.2, Tunnel0 created 00:21:27, never expire
Type: static, Flags: nat used
NBMA address: 10.1.123.2
|
Verify that NHRP is working
R2#show ip nhrp
100.1.123.1/32 via 100.1.123.1, Tunnel0 created 00:17:04, expire 01:42:55
Type: dynamic, Flags: unique nat registered
NBMA address: 10.1.123.1
100.1.123.3/32 via 100.1.123.3, Tunnel0 created 00:06:14, expire 01:53:45
Type: dynamic, Flags: unique nat registered
NBMA address: 10.1.123.3
|
Verify that NHRP is working
R3#show ip nhrp
100.1.123.2/32 via 100.1.123.2, Tunnel0 created 00:09:53, never expire
Type: static, Flags: nat used
NBMA address: 10.1.123.2
|
Test mGRE connectivity
R1#ping 100.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.123.3, timeout is 2 seconds:
!.!!!
(the first packet is relayed through the hub; the second packet is lost while NHRP resolution takes place)
|
|
Test mGRE connectivity
R3#ping 100.1.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.123.1, timeout is 2 seconds:
!!!!!
|
Configure the dynamic routing protocol
router eigrp 100
network 1.1.1.1 0.0.0.0
network 100.1.123.0 0.0.0.255
no auto-summary
Note: advertise the mGRE tunnel network, not the physical address
|
Configure the dynamic routing protocol
router eigrp 100
network 2.2.2.2 0.0.0.0
network 100.1.123.0 0.0.0.255
no auto-summary
Note: advertise the mGRE tunnel network, not the physical address
|
Configure the dynamic routing protocol
router eigrp 100
network 3.3.3.3 0.0.0.0
network 100.1.123.0 0.0.0.255
no auto-summary
Note: advertise the mGRE tunnel network, not the physical address
|
Verify:
show ip eigrp neighbors
The hub is learned as a neighbor
show ip route
The hub's routes are learned
|
Verify:
show ip eigrp neighbors
Both branch sites are learned as neighbors
show ip route
All routes are learned
|
Verify:
show ip eigrp neighbors
The hub is learned as a neighbor
show ip route
The hub's routes are learned
|
|
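Because split horizon applies on the tunnel interface, disable EIGRP split horizon on the hub's tunnel interface so that the two branch sites learn each other's routes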
interface Tunnel0
no ip split-horizon eigrp 100
|
|
Verify:
R1#show ip route
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/297372416] via 100.1.123.2, 00:14:37, Tunnel0
100.0.0.0/24 is subnetted, 1 subnets
C 100.1.123.0 is directly connected, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/310172416] via 100.1.123.2, 00:02:10, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.123.0 is directly connected, FastEthernet0/0
|
|
Verify:
R3#show ip route
1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [90/310172416] via 100.1.123.2, 00:03:23, Tunnel0
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/297372416] via 100.1.123.2, 00:14:48, Tunnel0
100.0.0.0/24 is subnetted, 1 subnets
C 100.1.123.0 is directly connected, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.123.0 is directly connected, FastEthernet0/0
|
|
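The previous step shows that traffic between the two branch sites is still routed through the hub; to fix this, configure the following on the hub: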
interface Tunnel0
no ip next-hop-self eigrp 100
|
|
Verify:
R1#show ip route
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/297372416] via 100.1.123.2, 00:01:49, Tunnel0
100.0.0.0/24 is subnetted, 1 subnets
C 100.1.123.0 is directly connected, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/310172416] via 100.1.123.3, 00:01:47, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.123.0 is directly connected, FastEthernet0/0
|
|
Verify:
R3#show ip route
1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [90/310172416] via 100.1.123.1, 00:02:17, Tunnel0
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/297372416] via 100.1.123.2, 00:02:17, Tunnel0
100.0.0.0/24 is subnetted, 1 subnets
C 100.1.123.0 is directly connected, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.123.0 is directly connected, FastEthernet0/0
|
Configure IPsec VPN
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
crypto ipsec profile prof
set transform-set cisco
|
Configure IPsec VPN
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
crypto ipsec profile prof
set transform-set cisco
|
Configure IPsec VPN
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
crypto ipsec profile prof
set transform-set cisco
|
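Apply to the interface
interface Tunnel0
ip mtu 1400 (the tunnel MTU defaults to 1500 and the physical interface it leaves through is also 1500; encryption adds extra bytes, so setting the MTU to 1400 prevents fragmentation)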
tunnel protection ipsec profile prof
|
Apply to the interface
interface Tunnel0
ip mtu 1400
tunnel protection ipsec profile prof
|
Apply to the interface
interface Tunnel0
ip mtu 1400
tunnel protection ipsec profile prof
|
Verify
R1#ping 3.3.3.3 so lo 0 re 100
|
Verify
Show ip eigrp 100 nei
Show crypto ipsec sa
|
|
|
|
|
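The IPsec settings above in a hardened form, as an added example that is not part of the original page: the original leaves the ISAKMP policy's encryption, hash and DH group at platform defaults, accepts the pre-shared key `cisco` from any address (`0.0.0.0 0.0.0.0`), and protects traffic with 3DES and HMAC-MD5. Assumptions: an IOS release that supports AES-256, SHA-256 and DH group 14 (the 12.3/12.4 releases mentioned above may not), the transform-set name `cisco-aes`, and `<LONG-RANDOM-PSK>` as a placeholder for a key you generate.

```cisco
! Added example, not from the original page. Apply on R1, R2 and R3.
! Assumes an IOS release with AES-256, SHA-256 and DH group 14 support.
!
! IKE phase 1: set every parameter explicitly instead of relying on defaults.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Remove the wildcard key and accept the PSK only from this lab's physical
! (NBMA) subnet, 10.1.123.0/24. <LONG-RANDOM-PSK> is a placeholder.
no crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp key <LONG-RANDOM-PSK> address 10.1.123.0 255.255.255.0
!
! IKE phase 2: AES-256 with HMAC-SHA-256 replaces 3DES with HMAC-MD5.
! Transport mode is kept, as on the page; GRE already supplies the outer header.
! "cisco-aes" is a name chosen for this example.
crypto ipsec transform-set cisco-aes esp-aes 256 esp-sha256-hmac
 mode transport
!
! Same profile name as on the page, now pointing at the new transform set,
! with perfect forward secrecy for each IPsec SA rekey.
crypto ipsec profile prof
 set transform-set cisco-aes
 set pfs group14
!
! Unchanged from the page: the profile is applied to the tunnel interface.
interface Tunnel0
 ip mtu 1400
 tunnel protection ipsec profile prof
```

After the change, `show crypto ipsec sa` (used in the verification step above) should list the new transform for each peer.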
Email: 1395298216@qq.com