一、ABC Technologies' network infrastructure requirements
1. ABC Technologies has decided to expand its network. It has offices in Hong Kong, Shenzhen, Shanghai and Beijing; the web servers are at the Hong Kong headquarters and the voice server is in Shenzhen. The internal network of every office must be able to reach the internal servers, and the voice system will use IP telephony so that calls between offices over the intranet are free.
2. The Hong Kong office has several static public IP addresses; the other three offices use ADSL PPPoE dial-up, so their public IP addresses are dynamic.
3. Based on the requirements above, build an IPsec VPN that connects the whole corporate network.
4. Configure the router so that the web servers are reachable from the Internet.
二、Topology diagram
2.1 Equipment list
Network:
Router 2811
IOS: c2800nm-advsecurityk9-mz.124-24.T2
IP voice: ShoreTel unified communications solution
2.2 Techniques used
Network:
DMVPN -- ADSL PPPoE, NAT, mGRE, EIGRP, IPsec VPN, NHRP, etc.

三、Configuration
HK Router
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!--- Caveat: with password encryption off, every "password" line below is stored in clear text
no service password-encryption
!
hostname HK
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-24.T2.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$ovNz$CxZ0Z8KzUZUzi9UY4jStU/
!
no aaa new-model
!
no dot11 syslog
no ip source-route
!
!
ip cef
!--- DHCP for the HK site (note: 20.89.0.0/16 is public address space, not an RFC 1918 range)
ip dhcp excluded-address 20.89.5.1 20.89.5.255
ip dhcp excluded-address 20.89.4.0
ip dhcp excluded-address 20.89.0.1 20.89.3.255
!
ip dhcp pool OPEHKDHCP
network 20.89.0.0 255.255.0.0
dns-server 20.89.1.2
default-router 20.89.1.2
!--- option 4 is the time server; option 156 carries the ShoreTel phone boot parameters
option 4 ip 20.89.2.3
option 156 ascii "ftpservers=20.88.2.2,country=1,language=1,layer2tagging=0,vlanid=0"
lease 30
!
!--- DNS servers used by the HK router itself
ip name-server 203.98.160.11
ip name-server 203.98.160.12
!
multilink bundle-name authenticated
!
!--- Only the HK router has a static IP address, so it also hosts the PPTP VPN service for remote clients
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
username abcrouter privilege 15 secret 5 $1$oii4$VsGGIVimHxgu45/DUbC4a1
!--- Caveat: the PPTP user "ABC" has the clear-text (type 0) password "123"
username ABC password 0 123
archive
log config
hidekeys
!
!
!--- IPsec VPN (the DMVPN transport)
!--- Caveat: this policy is weak. With no "encr" line the 12.4 default is single DES,
!--- with no "group" line it is DH group 1, the hash is MD5, and the pre-shared key
!--- "123456" is accepted from any peer address (0.0.0.0 0.0.0.0).
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile ABC
!--- 120 s is the IOS minimum SA lifetime, so every tunnel rekeys every two minutes
set security-association lifetime seconds 120
set transform-set strong
!
!
!
!
!
!
!--- The HK router is the DMVPN hub (NHS): it is the only site with a static IP, so the spokes register with it
interface Tunnel1
ip address 20.90.1.1 255.255.0.0
no ip redirects
ip mtu 1440
no ip next-hop-self eigrp 90
ip nhrp authentication 1234567
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile ABC
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 55.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.89.1.2 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!--- The HK router is also the PPTP VPN server; the virtual template is cloned per client
interface Virtual-Template1
ip unnumbered FastEthernet0/0
peer default ip address pool PPTPIPDHCP
no keepalive
!--- Caveat: "mppe auto" lets a client negotiate no encryption at all, PAP and CHAP
!--- never get MPPE (it requires MS-CHAP), and MS-CHAP/MPPE is itself cryptographically broken
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
router eigrp 90
network 20.89.0.0 0.0.255.255
network 20.90.0.0 0.0.255.255
no auto-summary
!
!--- PPTP client pool. The page's end address "10.90.2.254" cannot be right (it is below
!--- the start address and IOS rejects such a pool); 20.90.2.254 is assumed here. The
!--- pool still sits inside the tunnel prefix 20.90.0.0/16 that EIGRP advertises, so a
!--- separate prefix would be cleaner.
ip local pool PPTPIPDHCP 20.90.2.1 20.90.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 55.1.1.2
!--- Caveat: plain HTTP management with local authentication, reachable on every
!--- interface including the public 55.1.1.1
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
!--- Static NAT for the server group so the web servers are reachable from the Internet.
!--- Every port of each server is exposed, not only HTTP/HTTPS; there is no inbound ACL
!--- on FastEthernet0/0 to limit this.
ip nat inside source static 20.89.2.1 55.1.1.5
ip nat inside source static 20.89.2.2 55.1.1.6
ip nat inside source static 20.89.2.3 55.1.1.7
ip nat inside source static 20.89.2.4 55.1.1.8
ip nat inside source static 20.89.2.5 55.1.1.9
!
access-list 1 permit 20.0.0.0 0.255.255.255
!
!
!
!
!
!
!--- Caveat: both communities are SNMP v1/v2c (clear text) with no access-list, so anyone
!--- who can reach 55.1.1.1 and knows "abcrwkey" can rewrite the configuration
snmp-server community abcrokey RO
snmp-server community abcrwkey RW
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
-----------------------------------------------------------------------
^C
!
line con 0
!--- Caveat: line passwords are stored in clear text (type 0, and password encryption is
!--- off); "login local" with the secret-hashed user would be safer
password abcdata
login
line aux 0
line vty 0 4
privilege level 15
password abctelnet
login
!--- Caveat: Telnet sends these credentials in clear text, and no access-class limits
!--- which sources may connect, so the public interface 55.1.1.1 accepts Telnet as well
transport input telnet
!
!
!
!
!
scheduler allocate 20000 1000
end
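The crypto and management settings in the HK configuration above are weak: the ISAKMP policy falls back to single DES and DH group 1 because no "encr" or "group" line is given, hashes with MD5, and accepts the pre-shared key "123456" from any address; the transform set is 3DES/MD5; passwords are stored unencrypted; and management is Telnet and HTTP plus an unrestricted SNMP RW community. The following is an added example of the corrected equivalent, not the page's own configuration. It assumes the c2800nm-advsecurityk9 12.4(24)T image listed in section 2.1, which supports AES-256, SHA-1 and DH group 14, and uses placeholder strings in angle brackets. The new ISAKMP policy, pre-shared key and transform set must be applied on the hub and on every spoke, because the peers only negotiate when both ends agree.

```cisco
!--- Hardened replacement for the HK crypto and management settings (added example,
!--- not from the page). Assumes IOS 12.4(24)T advsecurityk9; <...> are placeholders.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
!--- A wildcard key is still needed because spoke addresses are dynamic, so make it
!--- long and random; the alternative on this image is certificate (rsa-sig) authentication.
no crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
crypto isakmp key <32-plus-character-random-psk> address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
!
!--- Transport mode is enough for GRE-over-IPsec and saves 20 bytes per packet.
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile ABC
 set security-association lifetime seconds 3600
 set transform-set STRONG
!
!--- PPTP: if it has to stay, refuse PAP/CHAP and refuse unencrypted sessions.
interface Virtual-Template1
 ppp authentication ms-chap-v2
 ppp encrypt mppe 128 required
!
!--- Management plane: hashed credentials, SSH/HTTPS only, management ACL, no RW SNMP.
service password-encryption
no username ABC
username ABC secret <strong-password>
ip domain-name abc.example
!--- "crypto key generate rsa modulus 2048" is run once from privileged EXEC before SSH works
ip ssh version 2
no ip http server
ip http secure-server
!--- Only the HK LAN and the tunnel subnet may manage the router
access-list 10 permit 20.89.0.0 0.0.255.255
access-list 10 permit 20.90.0.0 0.0.255.255
no snmp-server community abcrokey RO
no snmp-server community abcrwkey RW
snmp-server community <random-ro-community> RO 10
line con 0
 no password
 login local
 exec-timeout 10 0
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
```

After the change is in place on all routers, "show crypto isakmp sa" on the hub should list every spoke in state QM_IDLE, "show crypto ipsec sa" should show the AES/SHA transform on each SA, and "show dmvpn" and "show ip eigrp neighbors" should show all spokes up. The PPTP lines only remove the worst options; PPTP itself is obsolete, and remote users are better served by an IPsec client terminating on the same router.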