TOPOLOGY:
Figure 3.3: DMVPN lab topology
Configuration steps:
Step 1: Configure the routers so they can reach each other
Spoke1:
Spoke1(config)# interface f0/0
Spoke1(config-if)# ip address 172.30.1.1 255.255.255.0
Spoke1(config-if)# no shutdown
Spoke1(config-if)# exit
Spoke1(config)# interface f0/1
Spoke1(config-if)# ip address 192.168.1.1 255.255.255.0
Spoke1(config-if)# no shutdown
Spoke1(config-if)# exit
Spoke1(config)# ip route 0.0.0.0 0.0.0.0 172.30.1.2
Spoke2:
Spoke2(config)# interface f0/0
Spoke2(config-if)# ip address 172.30.3.1 255.255.255.0
Spoke2(config-if)# no shutdown
Spoke2(config-if)# exit
Spoke2(config)# interface f0/1
Spoke2(config-if)# ip address 192.168.2.1 255.255.255.0
Spoke2(config-if)# no shutdown
Spoke2(config-if)# exit
Spoke2(config)# ip route 0.0.0.0 0.0.0.0 172.30.3.2
Hub:
Hub(config)# interface f0/0
Hub(config-if)# ip address 172.30.2.1 255.255.255.0
Hub(config-if)# no shutdown
Hub(config-if)# exit
Hub(config)# interface loopback 0
Hub(config-if)# ip address 192.168.0.1 255.255.255.0
Hub(config-if)# exit
Hub(config)# ip route 0.0.0.0 0.0.0.0 172.30.2.2
Configuration for Spoke1
Step 2: Configure phase 1 for Spoke1
Spoke1(config)# crypto isakmp enable
Spoke1(config)# crypto isakmp policy 1
Spoke1(config-isakmp)# authentication pre-share
Spoke1(config-isakmp)# hash md5
Spoke1(config-isakmp)# encryption des
Spoke1(config-isakmp)# exit
Spoke1(config)# crypto isakmp key cisco47 address 172.30.2.1
Step 3: Configure DMVPN for Spoke1
Spoke1(config)# interface tunnel 0
Spoke1(config-if)# ip address 10.0.0.2 255.255.255.0
Spoke1(config-if)# ip mtu 1400
Spoke1(config-if)# ip hold-time eigrp 1 35
Spoke1(config-if)# no ip next-hop-self eigrp 1
Spoke1(config-if)# ip nhrp authentication cisco47
Spoke1(config-if)# ip nhrp map 10.0.0.1 172.30.2.1
Spoke1(config-if)# ip nhrp map multicast 172.30.2.1
Spoke1(config-if)# ip nhrp nhs 10.0.0.1
Spoke1(config-if)# ip nhrp network-id 100
Spoke1(config-if)# no ip split-horizon eigrp 1
Spoke1(config-if)# tunnel source f0/0
Spoke1(config-if)# tunnel key 1000
Spoke1(config-if)# tunnel mode gre multipoint
Spoke1(config-if)# tunnel protection ipsec profile dmvpn
Step 4: Configure phase 2 for Spoke1
Spoke1(config)# crypto ipsec transform-set myset esp-des
Spoke1(config)# crypto ipsec profile dmvpn
Spoke1(ipsec-profile)# set transform-set myset
Spoke1(ipsec-profile)# exit
Spoke1(config)# crypto map dmvpn local-address f0/0
Spoke1(config)# crypto map dmvpn 10 ipsec-isakmp
Spoke1(config-crypto-map)# set peer 172.30.2.1
Spoke1(config-crypto-map)# set security-association level per-host
Spoke1(config-crypto-map)# set transform-set myset
Spoke1(config-crypto-map)# match address 101
Spoke1(config-crypto-map)# exit
Spoke1(config)# access-list 101 permit gre 172.30.1.0 0.0.0.255 host 172.30.2.1
Step 5: Routing with EIGRP
Spoke1(config)# router eigrp 1
Spoke1(config-router)# network 10.0.0.0 0.0.0.255
Spoke1(config-router)# network 192.168.1.0 0.0.0.255
Spoke1(config-router)# no auto-summary
Configuration for Spoke2
Step 2: Configure phase 1 for Spoke2
Spoke2(config)# crypto isakmp enable
Spoke2(config)# crypto isakmp policy 1
Spoke2(config-isakmp)# authentication pre-share
Spoke2(config-isakmp)# hash md5
Spoke2(config-isakmp)# exit
Spoke2(config)# crypto isakmp key cisco47 address 172.30.2.1
Step 3: Configure DMVPN for Spoke2
Spoke2(config)# interface tunnel 0
Spoke2(config-if)# ip address 10.0.0.3 255.255.255.0
Spoke2(config-if)# ip mtu 1400
Spoke2(config-if)# ip nhrp authentication cisco47
Spoke2(config-if)# ip nhrp map 10.0.0.1 172.30.2.1
Spoke2(config-if)# ip nhrp hold-time 600
Spoke2(config-if)# ip nhrp nhs 10.0.0.1
Spoke2(config-if)# no ip next-hop-self eigrp 1
Spoke2(config-if)# ip nhrp map multicast 172.30.2.1
Spoke2(config-if)# ip nhrp network-id 100
Spoke2(config-if)# tunnel source f0/0
Spoke2(config-if)# tunnel key 1000
Spoke2(config-if)# tunnel mode gre multipoint
Spoke2(config-if)# tunnel protection ipsec profile dmvpn
Step 4: Configure phase 2 for Spoke2
Spoke2(config)# crypto ipsec transform-set myset esp-des
Spoke2(config)# crypto ipsec profile dmvpn
Spoke2(ipsec-profile)# set transform-set myset
Spoke2(ipsec-profile)# exit
Spoke2(config)# crypto map dmvpn local-address f0/0
Spoke2(config)# crypto map dmvpn 10 ipsec-isakmp
Spoke2(config-crypto-map)# set peer 172.30.2.1
Spoke2(config-crypto-map)# set security-association level per-host
Spoke2(config-crypto-map)# set transform-set myset
Spoke2(config-crypto-map)# match address 101
Spoke2(config-crypto-map)# exit
Spoke2(config)# access-list 101 permit gre 172.30.3.0 0.0.0.255 host 172.30.2.1
Step 5: Routing with EIGRP
Spoke2(config)# router eigrp 1
Spoke2(config-router)# network 10.0.0.0 0.0.0.255
Spoke2(config-router)# network 192.168.2.0 0.0.0.255
Spoke2(config-router)# no auto-summary
Configuration for the Hub
Hub(config)# crypto isakmp enable
Hub(config)# crypto isakmp policy 1
Hub(config-isakmp)# authentication pre-share
Hub(config-isakmp)# hash md5
Hub(config-isakmp)# encryption des
Hub(config-isakmp)# exit
Hub(config)# crypto isakmp key cisco47 address 0.0.0.0
Hub(config)# crypto ipsec transform-set myset esp-des
# Create the IPsec profile
Hub(config)# crypto ipsec profile dmvpn
Hub(ipsec-profile)# set transform-set myset
# Create the tunnel
Hub(config)# interface tunnel 0
Hub(config-if)# ip address 10.0.0.1 255.255.255.0
Hub(config-if)# ip mtu 600
Hub(config-if)# ip nhrp authentication cisco47
Hub(config-if)# ip nhrp map multicast dynamic
Hub(config-if)# ip nhrp network-id 100
Hub(config-if)# ip nhrp hold-time 600
Hub(config-if)# no ip split-horizon eigrp 1
Hub(config-if)# tunnel source f0/0
Hub(config-if)# tunnel mode gre multipoint
Hub(config-if)# tunnel key 1000
Hub(config-if)# tunnel protection ipsec profile dmvpn
# Routing with EIGRP
Hub(config)# router eigrp 1
Hub(config-router)# network 10.0.0.0 0.0.0.255
Hub(config-router)# network 192.168.0.0 0.0.0.255
Hub(config-router)# no auto-summary
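Added example (not part of the original lab): a Python check that reads IOS lines such as the hub's crypto configuration above and reports the settings a reviewer would flag before this lab is reused elsewhere: DES and MD5, an ESP transform set with no integrity algorithm, a pre-shared key bound to address 0.0.0.0, no explicit DH group, and one string serving as both ISAKMP key and NHRP authentication. The function name `audit`, the finding identifiers and the single-policy assumption are choices of this example.

```python
import re

# Constructed sample: the hub's crypto lines from this lab, prompts included.
HUB_CONFIG = """\
Hub(config)# crypto isakmp policy 1
Hub(config-isakmp)# hash md5
Hub(config-isakmp)# encryption des
Hub(config)# crypto isakmp key cisco47 address 0.0.0.0
Hub(config)# crypto ipsec transform-set myset esp-des
Hub(config-if)# ip nhrp authentication cisco47
"""

PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")          # e.g. "Hub(config-if)# "
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}

def audit(config_text):
    """Return sorted (finding_id, config_line) pairs for weak VPN settings."""
    findings, psks, nhrp, policy, has_group = set(), set(), {}, None, False
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())          # drop the CLI prompt if any
        w = line.split()
        if len(w) < 2:
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            policy = line                           # assumes a single policy
        elif w[0] == "group":
            has_group = True
        elif w[0] == "encryption" and w[1] in WEAK_CIPHERS:
            findings.add(("weak-ike-cipher", line))
        elif w[0] == "hash" and w[1] in WEAK_HASHES:
            findings.add(("weak-ike-hash", line))
        elif w[:3] == ["crypto", "isakmp", "key"] and len(w) >= 6:
            psks.add(w[3])
            if w[5] == "0.0.0.0":                   # key accepted from any peer
                findings.add(("wildcard-psk", line))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            transforms = w[4:]
            if WEAK_CIPHERS & set(transforms):
                findings.add(("weak-esp-cipher", line))
            if not any(t.endswith("-hmac") or "gcm" in t for t in transforms):
                findings.add(("esp-no-integrity", line))
        elif w[:3] == ["ip", "nhrp", "authentication"] and len(w) >= 4:
            nhrp[w[3]] = line
    if policy and not has_group:                    # DH group left at default
        findings.add(("no-dh-group", policy))
    for key in nhrp.keys() & psks:                  # one secret, two roles
        findings.add(("psk-reused-for-nhrp", nhrp[key]))
    return sorted(findings)
```

Calling `audit(HUB_CONFIG)` returns one pair per finding; a configuration that sets AES, a SHA-2 hash, an explicit DH group, a peer-specific key and a separate NHRP string returns an empty list.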