For the topology, refer to P2.
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode tunnel
!
crypto ipsec profile ipsecprof
set transform-set cisco
!
interface Tunnel0
ip address 172.16.1.100 255.255.255.0
ip mtu 1492
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp map 172.16.1.200 61.128.1.200
ip nhrp map multicast 61.128.1.200
ip nhrp network-id 10
ip nhrp redirect
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ipsecprof
!
interface FastEthernet1/0
ip address 61.128.1.100 255.255.255.0
duplex full
!
interface FastEthernet2/0
ip address 192.168.100.1 255.255.255.0
duplex full
!
ip route 0.0.0.0 0.0.0.0 61.128.1.10
ip route 192.168.1.1 255.255.255.255 172.16.1.1
ip route 192.168.2.1 255.255.255.255 172.16.1.2
ip route 192.168.3.1 255.255.255.255 172.16.1.3
## spoke
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode tunnel
!
crypto ipsec profile ipsecprof
set transform-set cisco
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1492
ip nhrp authentication cisco
ip nhrp map 172.16.1.100 61.128.1.100
ip nhrp map multicast 61.128.1.100
ip nhrp map 172.16.1.200 61.128.1.200
ip nhrp map multicast 61.128.1.200
ip nhrp network-id 10
ip nhrp nhs 172.16.1.100
ip nhrp nhs 172.16.1.200
ip nhrp shortcut
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ipsecprof
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex full
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
ip route 192.168.0.0 255.255.0.0 172.16.1.100
ip route 192.168.0.0 255.255.0.0 172.16.1.200
!
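Notes:
ip nhrp map multicast dynamic|[StaticIP]: This command serves the same purpose as "frame-relay map…broadcast" in a Frame Relay configuration. It specifies the destinations that receive the multicast and broadcast traffic originated by the router. Spokes map multicast to the hub's static NBMA IP address (the physical interface address), whereas the hub maps multicast packets to the "dynamic" address, which means the hub replicates multicast packets to every spoke that has registered through NHRP. The multicast mapping ensures that dynamic routing protocols can form neighbor relationships and exchange update packets; if no dynamic routing protocol is used, it does not need to be configured.
ip nhrp shortcut: When DSVPN is configured in the shortcut scenario, the headquarters node sends an nhrp redirect message to the source branch node whenever it forwards branch traffic within the same NHRP domain. The branch node must therefore have nhrp shortcut enabled: after receiving the nhrp redirect message from the headquarters node, it sends an NHRP address resolution request to the destination branch node and builds a tunnel so the branches can communicate directly.
Verification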
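The two notes above translate into role-specific checks on the Tunnel0 block. The following is an added example, not part of the original page: a small offline lint that verifies them against a saved configuration. The function names `tunnel_cmds` and `check_dmvpn` and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample: this page's spoke Tunnel0 with "ip nhrp shortcut" and
# the second "ip nhrp map multicast" line deliberately left out.
SAMPLE_SPOKE = """\
interface Tunnel0
ip nhrp map 172.16.1.100 61.128.1.100
ip nhrp map multicast 61.128.1.100
ip nhrp map 172.16.1.200 61.128.1.200
ip nhrp network-id 10
ip nhrp nhs 172.16.1.100
ip nhrp nhs 172.16.1.200
tunnel mode gre multipoint
!
"""

def tunnel_cmds(config, name="Tunnel0"):
    """Sub-commands of one interface block; it ends at '!' or the next interface."""
    cmds, inside = [], False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.lower().startswith("interface "):
            inside = line.split(None, 1)[1] == name
        elif line == "!":
            inside = False
        elif inside and line:
            cmds.append(line)
    return cmds

def check_dmvpn(config, role, name="Tunnel0"):
    """role is 'hub' or 'spoke'. Returns a list of findings; empty means consistent."""
    cmds = tunnel_cmds(config, name)
    text = "\n".join(cmds)
    maps = dict(re.findall(r"^ip nhrp map (\d+\.\d+\.\d+\.\d+) (\S+)$", text, re.M))
    mcast = set(re.findall(r"^ip nhrp map multicast (\S+)$", text, re.M))
    findings = []
    if role == "hub":
        # The hub replicates multicast to registered spokes and sends redirects.
        if "dynamic" not in mcast:
            findings.append("hub: no 'ip nhrp map multicast dynamic'")
        if "ip nhrp redirect" not in cmds:
            findings.append("hub: no 'ip nhrp redirect'")
        return findings
    if "ip nhrp shortcut" not in cmds:
        findings.append("spoke: no 'ip nhrp shortcut'")
    for nhs in re.findall(r"^ip nhrp nhs (\S+)$", text, re.M):
        nbma = maps.get(nhs)
        if nbma is None:
            findings.append(f"spoke: NHS {nhs} has no static 'ip nhrp map'")
        elif nbma not in mcast:  # only matters if a routing protocol runs over the tunnel
            findings.append(f"spoke: NHS {nhs} lacks 'ip nhrp map multicast {nbma}'")
    return findings
```

The parser accepts both indented and unindented sub-commands, so the configuration can be pasted exactly as it appears on this page.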
