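Setting up a VPN between just two sites is very simple, but when many sites need VPN connectivity, the amount of configuration (point-to-point GRE settings) can grow very large and become hard to manage. DMVPN exists to solve this problem.
1. DMVPN architecture diagram
2. DMVPN configuration
3. Routing configuration
1. DMVPN architecture diagram
2. DMVPN configuration
HQ router configuration (unrelated settings omitted)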
HQ#show run int f0
interface FastEthernet0
 description WAN
 ip address 60.250.126.177 255.255.255.0
 duplex auto
 speed auto
HQ#show run int f1
interface FastEthernet1
 description LAN
 ip address 192.168.1.2 255.255.255.0
 ip accounting output-packets
 duplex auto
 speed auto
HQ#show run int tu99
interface Tunnel99
 description DMVPN-HQ
 ip address 172.27.72.1 255.255.255.0
 no ip redirects
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 60.250.126.177
 tunnel mode gre multipoint
Branch office 1 router configuration (unrelated settings omitted)
Branch-office-1#show run int f0
interface FastEthernet0
 description WAN
 ip address 211.72.164.223 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
Branch-office-1#show run int f1
interface FastEthernet1
 description LAN
 ip address 192.168.80.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
Branch-office-1#show run int tu99
interface Tunnel99
 description DMVPN-Branch_office1
 ip address 172.27.72.2 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.27.72.1 60.250.126.177
 ip nhrp map multicast 60.250.126.177
 ip nhrp network-id 1
 ip nhrp nhs 172.27.72.1
 tunnel source FastEthernet0
 tunnel mode gre multipoint
Branch-office-2#show run int f0
interface FastEthernet0
 description WAN
 ip address 220.128.238.111 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
Branch-office-2#show run int f1
interface FastEthernet1
 description LAN
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
Branch-office-2#show run int tu99
interface Tunnel99
 description DMVPN-Branch_office2
 ip address 172.27.72.4 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.27.72.1 60.250.126.177
 ip nhrp map multicast 60.250.126.177
 ip nhrp network-id 1
 ip nhrp nhs 172.27.72.1
 tunnel source FastEthernet0
 tunnel mode gre multipoint
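A consistency check for the Tunnel99 stanzas above, as an added example (not part of the original post): it flags a spoke whose `ip nhrp authentication` string differs from the hub's (the HQ listing above shows `dmvpn`, the branches `firewall`), a spoke whose NHS is not the hub's tunnel address or has no NBMA mapping, and any tunnel without a `tunnel protection ipsec profile` line, since mGRE and NHRP alone do not encrypt traffic. The `CONFIGS` dictionary, the `field` and `audit` functions and the finding names are assumptions made for this example.

```python
import re

# Constructed input: Tunnel99 lines taken from the HQ and Branch office 1 listings.
CONFIGS = {
    "HQ": """\
interface Tunnel99
 ip address 172.27.72.1 255.255.255.0
 ip nhrp authentication dmvpn
 tunnel source 60.250.126.177
 tunnel mode gre multipoint
""",
    "Branch-office-1": """\
interface Tunnel99
 ip address 172.27.72.2 255.255.255.0
 ip nhrp authentication firewall
 ip nhrp map 172.27.72.1 60.250.126.177
 ip nhrp nhs 172.27.72.1
 tunnel source FastEthernet0
 tunnel mode gre multipoint
""",
}

def field(cfg, pattern):
    """Return the first capture group of `pattern` in a stanza, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def audit(configs, hub="HQ"):
    """Return (router, finding) pairs for the hub and each spoke stanza."""
    findings = []
    hub_ip = field(configs[hub], r"^\s*ip address (\S+)")
    hub_auth = field(configs[hub], r"^\s*ip nhrp authentication (\S+)")
    for name, cfg in configs.items():
        if not field(cfg, r"^\s*tunnel protection ipsec profile (\S+)"):
            findings.append((name, "no-ipsec-protection"))
        if name == hub:
            continue
        if field(cfg, r"^\s*ip nhrp authentication (\S+)") != hub_auth:
            findings.append((name, "nhrp-auth-mismatch"))
        nhs = field(cfg, r"^\s*ip nhrp nhs (\S+)")
        if nhs != hub_ip:
            findings.append((name, "nhs-is-not-hub-tunnel-ip"))
        elif not field(cfg, rf"^\s*ip nhrp map {re.escape(nhs)} (\S+)"):
            findings.append((name, "nhs-has-no-nbma-map"))
    return findings

if __name__ == "__main__":
    for router, finding in audit(CONFIGS):
        print(f"{router}: {finding}")
```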
Checking DMVPN status at all three sites
HQ Router
HQ#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
========================================================
Interface: Tunnel99, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 211.72.164.223 172.27.72.2 UP 11:51:12 D
1 220.128.238.111 172.27.72.4 UP 11:48:50 D
Branch office 1 Router
Branch-office-1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
========================================================
Interface: Tunnel99, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 60.250.126.177 172.27.72.1 UP 11:55:18 S
Branch office 2 Router
Branch-office-2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
========================================================
Interface: Tunnel99, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 60.250.126.177 172.27.72.1 UP 04:01:44 S
3. Routing configuration
HQ routing configuration
HQ(config)#ip access-list standard acl_OSPF
HQ(config-std-nacl)#permit 192.168.10.0 0.0.0.255
HQ(config-std-nacl)#permit 192.168.20.0 0.0.0.255
HQ(config-std-nacl)#permit 192.168.121.0 0.0.0.255
HQ(config)#route-map OSPF permit 10
HQ(config-route-map)#match ip address acl_OSPF
HQ(config)#router ospf 99
HQ(config-router)#router-id 172.28.1.1
HQ(config-router)#network 192.168.1.0 0.0.0.255 area 0
HQ(config-router)#redistribute static subnets route-map OSPF
HQ(config)#int tu99
HQ(config-if)#ip ospf network broadcast
HQ(config-if)#ip ospf 99 area 0
interface Tunnel99
 description DMVPN-HQ
 ip address 172.27.72.1 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network broadcast
 ip ospf dead-interval 60
 ip ospf mtu-ignore
 ip ospf 99 area 0
 tunnel source 60.250.126.177
 tunnel mode gre multipoint
interface Loopback0
 description For Routing ID
 ip address 172.28.1.1 255.255.255.0
ip access-list standard acl_OSPF
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.121.0 0.0.0.255
route-map OSPF permit 10
 match ip address acl_OSPF
router ospf 99
 router-id 172.28.1.1
 log-adjacency-changes
 redistribute static subnets route-map OSPF
 network 192.168.1.0 0.0.0.255 area 0
HQ#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 60.250.126.254 to network 0.0.0.0
S 192.168.121.0/24 [1/0] via 192.168.1.254
S 192.168.10.0/24 [1/0] via 192.168.1.254
172.27.0.0/24 is subnetted, 1 subnets
C 172.27.72.0 is directly connected, Tunnel99
172.28.0.0/32 is subnetted, 1 subnets
C 172.28.1.1 is directly connected, Loopback0
O 192.168.81.0/24 [110/1001] via 172.27.72.3, 00:15:47, Tunnel99
O 192.168.80.0/24 [110/1001] via 172.27.72.2, 00:15:37, Tunnel99
S 192.168.20.0/24 [1/0] via 192.168.1.254
O 192.168.0.0/24 [110/1001] via 172.27.72.4, 00:15:47, Tunnel99
C 192.168.1.0/24 is directly connected, FastEthernet1
60.0.0.0/24 is subnetted, 1 subnets
C 60.250.126.0 is directly connected, FastEthernet0
S* 0.0.0.0/0 [1/0] via 60.250.126.254
Branch office 1 routing configuration
Branch-office-1(config)#router ospf 99
Branch-office-1(config-router)#router-id 172.28.1.2
Branch-office-1(config-router)#network 192.168.80.0 0.0.0.255 area 0
Branch-office-1(config)#int tu99
Branch-office-1(config-if)#ip ospf network broadcast
Branch-office-1(config-if)#ip ospf 99 area 0
interface Tunnel99
 description DMVPN-Shintangu
 ip address 172.27.72.2 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.27.72.1 60.250.126.177
 ip nhrp map multicast 60.250.126.177
 ip nhrp network-id 1
 ip nhrp nhs 172.27.72.1
 ip ospf network broadcast
 ip ospf dead-interval 60
 ip ospf priority 0
 ip ospf mtu-ignore
 ip ospf 99 area 0
 tunnel source FastEthernet0
 tunnel mode gre multipoint
interface Loopback0
 description For Routing ID
 ip address 172.28.1.2 255.255.255.255
router ospf 99
 router-id 172.28.1.2
 log-adjacency-changes
 network 192.168.80.0 0.0.0.255 area 0
Branch-office-1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 211.72.164.254 to network 0.0.0.0
C 211.72.164.0/24 is directly connected, FastEthernet0
O E2 192.168.121.0/24 [110/20] via 172.27.72.1, 00:22:37, Tunnel99
O E2 192.168.10.0/24 [110/20] via 172.27.72.1, 00:22:37, Tunnel99
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Vlan10
172.27.0.0/24 is subnetted, 1 subnets
C 172.27.72.0 is directly connected, Tunnel99
172.28.0.0/32 is subnetted, 1 subnets
C 172.28.1.2 is directly connected, Loopback0
O 192.168.81.0/24 [110/1001] via 172.27.72.3, 00:22:37, Tunnel99
C 192.168.80.0/24 is directly connected, FastEthernet1
O E2 192.168.20.0/24 [110/20] via 172.27.72.1, 00:22:37, Tunnel99
O 192.168.0.0/24 [110/1001] via 172.27.72.4, 00:22:37, Tunnel99
O 192.168.1.0/24 [110/1001] via 172.27.72.1, 00:22:37, Tunnel99
S* 0.0.0.0/0 [1/0] via 211.72.164.254
Branch office 2 routing configuration
Branch-office-2(config)#router ospf 99
Branch-office-2(config-router)#router-id 172.28.1.3
Branch-office-2(config-router)#network 192.168.81.0 0.0.0.255 area 0
Branch-office-2(config)#int tu99
Branch-office-2(config-if)#ip ospf network broadcast
Branch-office-2(config-if)#ip ospf 99 area 0
interface Tunnel99
 description DMVPN-Shintangu
 ip address 172.27.72.3 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.27.72.1 60.250.126.177
 ip nhrp map multicast 60.250.126.177
 ip nhrp network-id 1
 ip nhrp nhs 172.27.72.1
 ip ospf network broadcast
 ip ospf 99 area 0
 tunnel source FastEthernet0
 tunnel mode gre multipoint
interface Loopback0
 description For Routing ID
 ip address 172.28.1.3 255.255.255.255
router ospf 99
 router-id 172.28.1.3
 log-adjacency-changes
 network 192.168.81.0 0.0.0.255 area 0
Branch-office-2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 61.219.221.254 to network 0.0.0.0
O E2 192.168.121.0/24 [110/20] via 172.27.72.1, 00:24:22, Tunnel99
O E2 192.168.10.0/24 [110/20] via 172.27.72.1, 00:24:22, Tunnel99
172.27.0.0/24 is subnetted, 1 subnets
C 172.27.72.0 is directly connected, Tunnel99
172.28.0.0/32 is subnetted, 1 subnets
C 172.28.1.3 is directly connected, Loopback0
C 192.168.81.0/24 is directly connected, FastEthernet1
O 192.168.80.0/24 [110/1001] via 172.27.72.2, 00:24:12, Tunnel99
O E2 192.168.20.0/24 [110/20] via 172.27.72.1, 00:24:22, Tunnel99
O 192.168.0.0/24 [110/1001] via 172.27.72.4, 00:24:22, Tunnel99
O 192.168.1.0/24 [110/1001] via 172.27.72.1, 00:24:22, Tunnel99
61.0.0.0/24 is subnetted, 1 subnets
C 61.219.221.0 is directly connected, FastEthernet0
S* 0.0.0.0/0 [1/0] via 61.219.221.254