Advantages of DMVPN:
1. The hub router does not need a separate GRE tunnel and crypto map entry for every spoke site, which simplifies the IPsec configuration.
2. The hub does not need to know the details of the spoke sites; adding a spoke requires no additional configuration on the hub.
3. Spoke sites learn each other's tunnel endpoint information dynamically.
Notes:
1. The router normally sits in front of any address-translation device; if it is placed behind one, a public IP address is required.
2. When the address translation is done on an IOS router, a static translation must be configured.
Requirements:
1. Full reachability across the whole network.
2. Spoke-to-spoke traffic goes directly between the spokes, not through the hub.
3. Internal routes are learned dynamically.
4. High availability from the spokes to the hub site.
Configuration:
HUB1: primary
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip ospf network broadcast
ip ospf priority 10
delay 1000
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile liang
interface Ethernet0/0
ip address 199.1.1.1 255.255.255.0
half-duplex
router ospf 10
router-id 1.1.1.1
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 199.1.1.3
HUB2: secondary
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 199.1.1.1
ip nhrp network-id 10
ip nhrp nhs 10.0.0.1
ip ospf network broadcast
ip ospf priority 5
delay 1000
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile liang
interface Ethernet0/1
ip address 191.1.1.1 255.255.255.0
half-duplex
router ospf 10
router-id 2.2.2.2
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 1
network 192.168.10.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 191.1.1.3
SPOKE1
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.4 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 199.1.1.1
ip nhrp map multicast 199.1.1.1
ip nhrp map 10.0.0.2 191.1.1.1
ip nhrp map multicast 191.1.1.1
ip nhrp network-id 10
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.2
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Ethernet0/2
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile liang
interface Ethernet0/2
ip address 202.1.1.1 255.255.255.0
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
router ospf 10
router-id 4.4.4.4
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 1
network 192.168.2.0 0.0.0.255 area 1
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 202.1.1.3
SPOKE2
interface Loopback0
ip address 192.168.3.5 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.5 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 199.1.1.1
ip nhrp map multicast 199.1.1.1
ip nhrp map 10.0.0.2 191.1.1.1
ip nhrp map multicast 191.1.1.1
ip nhrp network-id 10
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.2
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Ethernet0/3
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile liang
interface Ethernet0/3
ip address 203.1.1.1 255.255.255.0
half-duplex
!
router ospf 10
router-id 5.5.5.5
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 1
network 192.168.3.0 0.0.0.255 area 1
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 203.1.1.3
SPOKE3
interface Loopback0
ip address 192.168.4.6 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.6 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 199.1.1.1
ip nhrp map multicast 199.1.1.1
ip nhrp map 10.0.0.2 191.1.1.1
ip nhrp map multicast 191.1.1.1
ip nhrp network-id 10
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.2
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile liang
!
interface Ethernet0/0
ip address 204.1.1.1 255.255.255.0
half-duplex
router ospf 10
router-id 6.6.6.6
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 1
network 192.168.4.0 0.0.0.255 area 1
network 192.168.6.0 0.0.0.255 area 1
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 204.1.1.3
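As an added check (not part of the original post), the following Python script lints the Tunnel0 stanzas for the invariants this design relies on: identical NHRP network-id, tunnel key and authentication string on every router, mGRE and OSPF broadcast network type everywhere, a non-zero OSPF priority only on hubs, `ip nhrp map multicast dynamic` on hubs, a static NHRP map plus multicast map for every NHS on spokes, and a defined IPsec profile for every `tunnel protection` reference. The sample configs are constructed and condensed from HUB1 and SPOKE1 above; the post references profile `liang` but never shows its definition, so the samples assume one.

```python
from itertools import takewhile

def tunnel(config):  # lines of the 'interface Tunnel0' stanza (IOS indents them one space)
    lines = config.splitlines()
    rest = lines[lines.index("interface Tunnel0") + 1:]
    return [l.strip() for l in takewhile(lambda l: l.startswith(" "), rest)]

def args(block, prefix):  # arguments of every stanza line that begins with prefix
    return [l[len(prefix):].strip() for l in block if l.startswith(prefix)]

def check_dmvpn(routers):
    """routers: {name: (role, config)}, role 'hub' or 'spoke'; returns the problems found."""
    probs, shared = [], {}
    for name, (role, config) in routers.items():
        b = tunnel(config)
        for key in ("ip nhrp network-id", "tunnel key", "ip nhrp authentication"):
            shared.setdefault(key, set()).update(args(b, key))  # must agree on every router
        if "tunnel mode gre multipoint" not in b:
            probs.append(f"{name}: not mGRE, so no direct spoke-to-spoke tunnels")
        if "ip ospf network broadcast" not in b:
            probs.append(f"{name}: OSPF network type must be broadcast")
        prio = int((args(b, "ip ospf priority") or ["1"])[0])  # IOS default priority is 1
        if (role == "hub") != (prio > 0):
            probs.append(f"{name}: OSPF priority {prio} is wrong for a {role}")
        for prof in args(b, "tunnel protection ipsec profile"):
            if f"crypto ipsec profile {prof.split()[0]}" not in config.splitlines():
                probs.append(f"{name}: ipsec profile '{prof}' referenced but never defined")
        if role == "hub" and "ip nhrp map multicast dynamic" not in b:
            probs.append(f"{name}: hub lacks 'ip nhrp map multicast dynamic'")
        if role == "spoke":
            maps = dict(m.split() for m in args(b, "ip nhrp map") if not m.startswith("multicast"))
            mcast = set(args(b, "ip nhrp map multicast"))
            for nhs in args(b, "ip nhrp nhs"):
                if nhs not in maps:
                    probs.append(f"{name}: no static 'ip nhrp map' for NHS {nhs}")
                elif maps[nhs] not in mcast:
                    probs.append(f"{name}: no multicast map to {maps[nhs]}, OSPF hellos never reach that hub")
    for key, seen in shared.items():
        if len(seen) != 1:
            probs.append(f"{key} differs across routers: {sorted(seen)}")
    return probs

# Constructed samples condensed from the post's HUB1/SPOKE1; the profile definition is assumed
def cfg(stanza):
    return "crypto ipsec profile liang\ninterface Tunnel0\n" + "".join(f" {l}\n" for l in stanza)
COMMON = ["ip nhrp authentication cisco", "ip nhrp network-id 10", "ip ospf network broadcast",
          "tunnel mode gre multipoint", "tunnel key 123456", "tunnel protection ipsec profile liang"]
HUB1 = cfg(COMMON + ["ip nhrp map multicast dynamic", "ip ospf priority 10"])
SPOKE1 = cfg(COMMON + ["ip nhrp map 10.0.0.1 199.1.1.1", "ip nhrp map multicast 199.1.1.1",
                       "ip nhrp nhs 10.0.0.1", "ip ospf priority 0"])
```

Run `check_dmvpn({"HUB1": ("hub", HUB1), "SPOKE1": ("spoke", SPOKE1)})`; an empty list means every invariant holds, and each string returned names the router and the missing or mismatched setting.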
spoke3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 204.1.1.3 to network 0.0.0.0
C 204.1.1.0/24 is directly connected, Ethernet0/0
192.168.10.0/32 is subnetted, 1 subnets
O IA 192.168.10.1 [110/11112] via 10.0.0.2, 00:00:46, Tunnel0
192.168.4.0/32 is subnetted, 1 subnets
C 192.168.4.6 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
192.168.1.0/32 is subnetted, 1 subnets
O IA 192.168.1.1 [110/11112] via 10.0.0.1, 00:00:46, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.1 [110/11112] via 10.0.0.4, 00:00:46, Tunnel0
192.168.3.0/32 is subnetted, 1 subnets
O 192.168.3.5 [110/11112] via 10.0.0.5, 00:00:46, Tunnel0   (next hop is the other spoke, not the hub)
S* 0.0.0.0/0 [1/0] via 204.1.1.3
hub1#show ip nhrp   (Next Hop Resolution Protocol)
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:32:03, expire 01:27:56
Type: dynamic, Flags: authoritative unique registered
NBMA address: 191.1.1.1
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:30:03, expire 01:29:56
Type: dynamic, Flags: authoritative unique registered
NBMA address: 202.1.1.1
10.0.0.5/32 via 10.0.0.5, Tunnel0 created 00:30:07, expire 01:29:52
Type: dynamic, Flags: authoritative unique registered
NBMA address: 203.1.1.1
10.0.0.6/32 via 10.0.0.6, Tunnel0 created 00:30:48, expire 01:29:11
Type: dynamic, Flags: authoritative unique registered
NBMA address: 204.1.1.1
hub1(config)#int tunnel 0   (shut down hub1)
hub1(config-if)#sh
hub1(config-if)#
*Mar 1 01:42:09.831: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 01:42:09.831: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from 2WAY to DOWN, Neighbor Down: Interface down or detached
*Mar 1 01:42:09.835: %OSPF-5-ADJCHG: Process 10, Nbr 5.5.5.5 on Tunnel0 from 2WAY to DOWN, Neighbor Down: Interface down or detached
*Mar 1 01:42:09.835: %OSPF-5-ADJCHG: Process 10, Nbr 6.6.6.6 on Tunnel0 from 2WAY to DOWN, Neighbor Down: Interface down or detached
hub1(config-if)#
*Mar 1 01:42:09.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
hub1(config-if)#
*Mar 1 01:42:11.795: %LINK-5-CHANGED: Interface Tunnel0, changed state to administratively down
hub1(config-if)#
*Mar 1 01:42:11.875: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=199.1.1.1, prot=50, spi=0x5F017E4E(1593933390), srcaddr=202.1.1.1
hub1(config-if)#
*Mar 1 01:42:12.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
hub1(config-if)#int e0/0
hub1(config-if)#sh
hub1(config-if)#
*Mar 1 01:42:28.855: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*Mar 1 01:42:29.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
Looking at the spoke routing table again: the routes are still learned, now via HUB2, so high availability is achieved.
spoke3#show ip route ospf
192.168.10.0/32 is subnetted, 1 subnets
O IA 192.168.10.1 [110/11112] via 10.0.0.2, 00:00:02, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.1 [110/11112] via 10.0.0.4, 00:00:02, Tunnel0
192.168.3.0/32 is subnetted, 1 subnets
O 192.168.3.5 [110/11112] via 10.0.0.5, 00:00:02, Tunnel0
We used OSPF here; EIGRP would also work, but split horizon must be disabled on the hub tunnel interface, otherwise traffic still has to go through the hub and our effort is wasted.