弱水无尘 posted on 2012-4-24 08:54:10

DMVPN explained with a worked example

I. ABC Technologies' network infrastructure requirements

1. ABC Technologies has decided to expand its network. It has offices in HK, Shenzhen, Shanghai and Beijing; the WEB servers are at the HK headquarters and the IP voice server is in Shenzhen. Every office must be able to reach the internal servers from its intranet, and the voice system will use IP telephony so that calls between sites are free.

2. The HK office has a number of static public IP addresses; the other three sites use ADSL PPPoE dial-up, so their public IP addresses are dynamic.

3. Based on the requirements above, build an IPsec VPN so that the whole corporate network is interconnected.

4. Configure the router so that the WEB servers can be reached from the Internet.

II. Topology diagram

2.1 Equipment list

Network:
Router 2811
IOS: c2800nm-advsecurityk9-mz.124-24.T2

IP voice: ShoreTel unified communications solution

2.2 Techniques used

Network:
DMVPN -- ADSL PPPoE, NAT, mGRE, EIGRP, IPsec VPN, NHRP, etc.
http://img1.51cto.com/album/471735/132375504414.jpg

III. Configuration
HK Router
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HK
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-24.T2.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$ovNz$CxZ0Z8KzUZUzi9UY4jStU/
!
no aaa new-model
!
no dot11 syslog
no ip source-route
!
ip cef
!
!--- Configure DHCP for the HK site
ip dhcp excluded-address 20.89.5.1 20.89.5.255
ip dhcp excluded-address 20.89.4.0
ip dhcp excluded-address 20.89.0.1 20.89.3.255
!
ip dhcp pool OPEHKDHCP
 network 20.89.0.0 255.255.0.0
 dns-server 20.89.1.2
 default-router 20.89.1.2
 option 4 ip 20.89.2.3
 option 156 ascii "ftpservers=20.88.2.2,country=1,language=1,layer2tagging=0,vlanid=0"
 lease 30
!
!--- Designate the DNS servers for the HK router
ip name-server 203.98.160.11
ip name-server 203.98.160.12
!
multilink bundle-name authenticated
!
!--- Only the HK router has a static IP address, so it hosts the PPTP VPN service
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
username abcrouter privilege 15 secret 5 $1$oii4$VsGGIVimHxgu45/DUbC4a1
username ABC password 0 123
archive
 log config
  hidekeys
!
!--- Configure the IPsec VPN service
!--- No "encryption" or "group" line, so IOS applies its defaults (DES, DH group 1)
!--- to this policy; the pre-shared key is accepted from any peer address
!--- (0.0.0.0 0.0.0.0), which is what lets spokes with dynamic IPs connect
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile ABC
 set security-association lifetime seconds 120
 set transform-set strong
!
!--- The HK router is the DMVPN hub, the only site with a static IP
interface Tunnel1
 ip address 20.90.1.1 255.255.0.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 90
 ip nhrp authentication 1234567
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 90
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ABC
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 55.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.89.1.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!--- The HK router is also the PPTP VPN server
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool PPTPIPDHCP
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
router eigrp 90
 network 20.89.0.0 0.0.255.255
 network 20.90.0.0 0.0.255.255
 no auto-summary
!
!--- PPTP client address pool; the end address must lie in the same range as the start
ip local pool PPTPIPDHCP 20.90.2.1 20.90.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 55.1.1.2
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
!--- Static NAT translations for the server farm
ip nat inside source static 20.89.2.1 55.1.1.5
ip nat inside source static 20.89.2.2 55.1.1.6
ip nat inside source static 20.89.2.3 55.1.1.7
ip nat inside source static 20.89.2.4 55.1.1.8
ip nat inside source static 20.89.2.5 55.1.1.9
!
access-list 1 permit 20.0.0.0 0.255.255.255
!
snmp-server community abcrokey RO
snmp-server community abcrwkey RW
!
control-plane
!
!--- Stock Cisco CP banners (delimiter ^C)
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
!--- Management access: plaintext telnet with a shared line password that lands at privilege 15
line con 0
 password abcdata
 login
line aux 0
line vty 0 4
 privilege level 15
 password abctelnet
 login
 transport input telnet
!
scheduler allocate 20000 1000
end
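Read as a security review, the hub configuration has several settings that a practitioner would change before leaving the router facing the Internet: the IKE policy falls back to DES and DH group 1, phase 2 uses 3DES with MD5 and a 120-second SA lifetime, the PPTP server permits PAP and MS-CHAP, management is telnet and HTTP with shared line passwords, and a read-write SNMP community is reachable from anywhere. The block below is an added example, not part of the original post, that quotes each weak setting in a comment next to a hardened replacement. The PLACEHOLDER values, access-list 10, the domain name abc.example and the transform-set name STRONG-AES are assumptions; the replacement commands are standard IOS 12.4T syntax, and the same IKE/IPsec changes must be applied on every spoke at the same time or the tunnels will not renegotiate.

```cisco
! Hardened crypto and management sections for the HK hub (added example)
!
! --- Was: "crypto isakmp policy 1" with only "hash md5" and
! --- "authentication pre-share", i.e. DES and DH group 1 by default
no crypto isakmp policy 1
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
! --- Was: "crypto isakmp key 123456 address 0.0.0.0 0.0.0.0"
! The wildcard address is unavoidable while spokes have dynamic IPs, so
! the key itself has to be long and random (or replace PSKs with
! certificates, which also identify each spoke individually).
no crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
crypto isakmp key PLACEHOLDER-LONG-RANDOM-PSK address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
! --- Was: "esp-3des esp-md5-hmac" and a 120-second SA lifetime, which
! --- forces a rekey every two minutes on every tunnel
crypto ipsec transform-set STRONG-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile ABC
 no set security-association lifetime seconds 120
 set transform-set STRONG-AES
!
! --- Was: "ppp encrypt mppe auto" and "ppp authentication pap chap ms-chap"
! PAP sends the password in clear text and MS-CHAP v1 is broken; require
! MS-CHAPv2 and 128-bit MPPE (still a weak protocol; prefer IPsec clients)
interface Virtual-Template1
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
! --- Was: "username ABC password 0 123" (clear-text, trivial password)
no username ABC
username ABC secret PLACEHOLDER-STRONG-PASSWORD
service password-encryption
!
! --- Was: telnet, "ip http server", line passwords with privilege 15
ip domain-name abc.example
! "crypto key generate rsa modulus 2048" is run once from exec mode before
! enabling SSH
ip ssh version 2
no ip http server
ip http secure-server
!
! Management is allowed only from the HK LAN
access-list 10 permit 20.89.0.0 0.0.255.255
line vty 0 4
 access-class 10 in
 no password
 login local
 no privilege level 15
 transport input ssh
 exec-timeout 10 0
line con 0
 no password
 login local
 exec-timeout 10 0
!
! --- Was: "snmp-server community abcrwkey RW" with no access list
no snmp-server community abcrwkey RW
no snmp-server community abcrokey RO
snmp-server community PLACEHOLDER-RO-COMMUNITY RO 10
```

Transport mode is the normal choice for DMVPN because the GRE header already carries the tunnel endpoints, and it is required if a spoke is ever placed behind NAT; the transform set must be identical on hub and spokes. Removing `privilege level 15` from the vty lines means administrators authenticate as a local user and then `enable`, so a leaked line password no longer yields full control.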

ciscovideo posted on 2012-4-24 10:04:50

This explanation isn't that great, is it?

春燕 posted on 2012-4-24 13:27:18

yin6535580 posted on 2013-5-18 23:07:03

弱水无尘 posted on 2013-5-21 14:15:50

幸福的海 posted on 2013-5-21 14:22:59

糖醋花生。 posted on 2013-7-8 13:32:15

kwkw5290 posted on 2013-7-24 15:50:16

Learned something. Impressive.

merenpuwu posted on 2013-8-24 04:44:37

zhongr130 posted on 2015-2-9 10:31:34

multilink bundle-name authenticated

gaozhiwei posted on 2016-6-30 10:16:04

Having a look to learn.

gfeiyang posted on 2018-3-7 15:27:14

Detailed.