Just finished working through a problem that comes up often in practice: redundancy between 2 sites (or multiple sites, hub-and-spoke model) using leased lines or xDSL. Posting it for everyone to reference and dissect together so it can be optimized further:
Topology:
Problem description: company ABC has 2 sites,
site 1 consists of: R1 is the gateway router, R1 has 2 leased-line connections to 2 different ISPs (for redundancy), R11 simulates a PC on site 1's network
site 2 consists of: R2 is the gateway router, R2 has 2 leased-line connections to 2 different ISPs, R21 simulates a PC on site 2's network
Requirement: configure a VPN between the 2 sites to ensure the security of the data exchanged between them; because communication between the 2 sites is critically important, ensure that if one connection at each site goes down, communication between the 2 sites is still maintained.
However, this configuration still does not completely solve the problem!
Configuration:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!ROUTER R1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R1#sh run
Building configuration...
Current configuration : 1931 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 12.12.12.1 source-interface FastEthernet1/0
timeout 2000
threshold 1000
frequency 2
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 112.112.112.1 source-interface FastEthernet2/0
timeout 2000
threshold 1000
frequency 2
ip sla monitor schedule 2 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address 12.12.12.1
crypto isakmp key cisco address 112.112.112.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
set peer 12.12.12.1
set transform-set IPSEC
match address 100
!
crypto map MAP2 1 ipsec-isakmp
set peer 112.112.112.1
set transform-set IPSEC
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 150.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 11.11.11.1 255.255.255.0
duplex auto
speed auto
crypto map MAP1
!
interface FastEthernet2/0
ip address 111.111.111.1 255.255.255.0
duplex auto
speed auto
crypto map MAP2
!
ip route 0.0.0.0 0.0.0.0 11.11.11.2 track 1
ip route 0.0.0.0 0.0.0.0 111.111.111.2 track 2
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 150.1.1.0 0.0.0.255 150.1.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
!!!!!!!!!!!!!!!!!!!ROUTER R11!!!!!!!!!!!!!!!!!!!!!!!
R11#sh run
Building configuration...
Current configuration : 676 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R11
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 150.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 150.1.1.1
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
!!!!!!!!!!!!!!!!!!!!!!ROUTER R2!!!!!!!!!!!!!!!!!!!!!!
R2#sh run
Building configuration...
Current configuration : 1931 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 11.11.11.1 source-interface FastEthernet1/0
timeout 2000
threshold 1000
frequency 2
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 111.111.111.1 source-interface FastEthernet2/0
timeout 2000
threshold 1000
frequency 2
ip sla monitor schedule 2 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address 11.11.11.1
crypto isakmp key cisco address 111.111.111.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map MAP1 1 ipsec-isakmp
set peer 11.11.11.1
set transform-set IPSEC
match address 100
!
crypto map MAP2 1 ipsec-isakmp
set peer 111.111.111.1
set transform-set IPSEC
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 150.1.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 12.12.12.1 255.255.255.0
duplex auto
speed auto
crypto map MAP1
!
interface FastEthernet2/0
ip address 112.112.112.1 255.255.255.0
duplex auto
speed auto
crypto map MAP2
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2 track 1
ip route 0.0.0.0 0.0.0.0 112.112.112.2 track 2
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 150.1.2.0 0.0.0.255 150.1.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
!!!!!!!!!!!!!!!!!!!!!!!ROUTER R21!!!!!!!!!!!!!!!!!!!!!!!!
R21#sh run
Building configuration...
Current configuration : 676 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R21
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 150.1.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 150.1.2.1
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
!!!!!!!!!!!!!!!!!!!!INTERNET ROUTER!!!!!!!!!!!!!!!!!!
INTERNET#sh run
Building configuration...
Current configuration : 1370 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname INTERNET
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
no switchport
ip address 11.11.11.2 255.255.255.0
!
interface FastEthernet1/2
no switchport
ip address 111.111.111.2 255.255.255.0
!
interface FastEthernet1/3
no switchport
ip address 12.12.12.2 255.255.255.0
!
interface FastEthernet1/4
no switchport
ip address 112.112.112.2 255.255.255.0
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
!
!
!
ip http server
no ip http secure-server
!
access-list 100 deny ip any any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
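As an added check (not part of the original post), a small Python model of the failure matrix of this design: each crypto map is bound to one WAN interface with a single `set peer`, and each IP SLA probe targets the remote router's matching interface rather than the local ISP. Assumed and constructed: the INTERNET router never fails, and with both tracks up a router uses link 1.

```python
from itertools import product


def track_up(local_up, remote_up, n):
    """ip sla monitor n pings the REMOTE router's link n from local link n
    (e.g. R1 pings 12.12.12.1 from Fa1/0), so track n is up only when both
    ends of ISP path n are up (assumption: the INTERNET router never fails)."""
    return local_up[n] and remote_up[n]


def chosen_link(local_up, remote_up):
    """Egress link = the default route whose track is up. With both tracks
    up IOS installs both routes; the model takes link 1 (either peer is
    reachable then, so the choice does not change the result)."""
    for n in (1, 2):
        if track_up(local_up, remote_up, n):
            return n
    return None  # both tracks down: no default route at all


def tunnel_up(r1_up, r2_up):
    """MAPn sits on link n and names only the remote's link n as peer,
    so the tunnel forms only if both routers land on the same n."""
    a = chosen_link(r1_up, r2_up)
    b = chosen_link(r2_up, r1_up)
    return a is not None and a == b


def failure_matrix():
    """All 16 link-state combinations -> whether the VPN comes up.
    Key order: (R1 link1, R1 link2, R2 link1, R2 link2)."""
    rows = {}
    for state in product((True, False), repeat=4):
        r1_up = {1: state[0], 2: state[1]}
        r2_up = {1: state[2], 2: state[3]}
        rows[state] = tunnel_up(r1_up, r2_up)
    return rows


def unmet_requirement_cases():
    """Scenarios the requirement covers (one working link left at each
    site) in which this design still has no tunnel."""
    return sorted(k for k, ok in failure_matrix().items()
                  if not ok and (k[0] or k[1]) and (k[2] or k[3]))


if __name__ == "__main__":
    for case in unmet_requirement_cases():
        print("no tunnel with R1 links %s/%s, R2 links %s/%s" % case)
```

The two cross-failures it reports (R1 left with ISP 2 only while R2 is left with ISP 1 only, and the reverse) are exactly the gap: both tracks go down on both routers, so neither side has a default route, and even with a route each crypto map knows only one peer.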