GRE + NHRP + IPsec (hub-and-spoke DMVPN lab notes)
Underlay
R1
interface GigabitEthernet0/0
ip address 202.100.1.1 255.255.255.0
interface Loopback0
ip address 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.1.100
(the gateway is the switch SVI on VLAN 100; the original note had a typo, 200.100.1.100)
R2
interface GigabitEthernet0/0
ip address dhcp
interface Loopback0
ip address 10.1.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 61.128.1.100
R3
interface GigabitEthernet0/0
ip address dhcp
interface Loopback0
ip address 10.1.3.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.9.1.100
Switch (layer 3, acts as the "Internet" between the three routers)
ip routing
(needed so the SVIs route between the three VLANs)
vlan 100,128,172
exit
interface Vlan100
ip address 202.100.1.100 255.255.255.0
interface Vlan128
ip address 61.128.1.100 255.255.255.0
interface Vlan172
ip address 172.9.1.100 255.255.255.0
(each SVI takes .100 in its subnet, matching the default routes on R1, R2 and R3)
interface GigabitEthernet0/0
switchport mode access
switchport access vlan 100
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 128
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 172
ip dhcp pool v128
network 61.128.1.0 /24
ip dhcp pool v172
network 172.9.1.0 /24
(no default-router is handed out; R2 and R3 rely on their static default routes)
GRE and NHRP configuration
NHRP
A client/server protocol: the hub is the server (next-hop server, NHS), each spoke is a client (NHC).
Each spoke registers its real underlay (NBMA) address with the hub; the hub maintains a database that maps each spoke's tunnel address to its physical address. This is what lets the spokes use DHCP-assigned public addresses: the hub never needs to know them in advance.
R1 (hub, multipoint GRE)
interface Tunnel0
ip address 10.1.123.1 255.255.255.0
tunnel source 202.100.1.1
tunnel mode gre multipoint
ip nhrp network-id 123
R2 (spoke, point-to-point GRE to the hub)
interface Tunnel0
ip address 10.1.123.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 202.100.1.1
ip nhrp network-id 123
ip nhrp nhs 10.1.123.1 nbma 202.100.1.1
R3
interface Tunnel0
ip address 10.1.123.3 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 202.100.1.1
ip nhrp network-id 123
ip nhrp nhs 10.1.123.1 nbma 202.100.1.1
(the one-line "ip nhrp nhs <tunnel-ip> nbma <real-ip>" form is the newer syntax; on older IOS use "ip nhrp map 10.1.123.1 202.100.1.1" plus "ip nhrp nhs 10.1.123.1")
The NHRP network-id is only locally significant (it is not carried in NHRP packets and is never checked by the peer); keep it the same on every router purely for ease of management. Note that nothing in NHRP itself authenticates a spoke: the optional "ip nhrp authentication" string travels in cleartext, so spoke identity has to come from the IPsec protection added later.
At this point the hub-and-spoke configuration is complete. Check on R1 with "show ip nhrp" (or "show dmvpn"): each spoke's tunnel address should appear with its NBMA address and the registered flag.
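The registration and lookup behaviour just described, as an added model that is not part of the original lab notes: a hub object keeps the tunnel-address to NBMA-address database, spokes register with a holdtime, and a spoke-to-spoke packet is relayed through the hub because the spoke tunnels are point-to-point. The authentication string models "ip nhrp authentication", which the lab above does not configure (assumption), the spoke DHCP addresses and the holdtime values are constructed, and the class and function names are this example's own.

```python
# Added example, not from the original lab notes: a small model of what the
# NHRP hub (next-hop server) does with spoke registrations and how spoke-to-
# spoke traffic is relayed through the hub in this hub-and-spoke design.
# Addresses follow the lab (tunnel 10.1.123.0/24, hub NBMA 202.100.1.1); the
# spoke DHCP leases, the auth string and the holdtimes are constructed.
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NhrpEntry:
    nbma_ip: str       # spoke's real underlay (NBMA) address
    expires_at: int    # registration expiry, derived from the holdtime


class NhrpHub:
    """Next-hop server: the tunnel-address -> NBMA-address database."""

    def __init__(self, tunnel_ip: str, nbma_ip: str, auth: str) -> None:
        self.tunnel_ip = tunnel_ip
        self.nbma_ip = nbma_ip
        self.auth = auth
        self.db: Dict[str, NhrpEntry] = {}

    def register(self, tunnel_ip: str, nbma_ip: str, auth: str,
                 holdtime: int, now: int) -> bool:
        # Only the cleartext authentication string is compared; network-id is
        # local to each router and never checked on the wire. Neither is a
        # security control: authenticating spokes is IPsec's job.
        if auth != self.auth:
            return False
        # A re-registration simply overwrites the previous mapping.
        self.db[tunnel_ip] = NhrpEntry(nbma_ip, now + holdtime)
        return True

    def resolve(self, tunnel_ip: str, now: int) -> Optional[str]:
        entry = self.db.get(tunnel_ip)
        if entry is None:
            return None
        if now >= entry.expires_at:      # holdtime expired: purge, as an NHS would
            del self.db[tunnel_ip]
            return None
        return entry.nbma_ip


class Spoke:
    def __init__(self, tunnel_ip: str, nbma_ip: str, nhs: NhrpHub, auth: str) -> None:
        self.tunnel_ip = tunnel_ip
        self.nbma_ip = nbma_ip   # from DHCP in the lab, so it can change
        self.nhs = nhs
        self.auth = auth

    def register(self, now: int, holdtime: int = 7200) -> bool:
        return self.nhs.register(self.tunnel_ip, self.nbma_ip, self.auth, holdtime, now)


def phase1_path(src: Spoke, dst_tunnel_ip: str, now: int) -> Optional[List[str]]:
    """Underlay hops for a packet from src to a tunnel address.

    Spoke tunnels are point-to-point GRE whose destination is the hub, so every
    packet goes to the hub first; the hub looks the destination up in its NHRP
    database and forwards it over its multipoint GRE tunnel.
    """
    hub = src.nhs
    if dst_tunnel_ip == hub.tunnel_ip:
        return [src.nbma_ip, hub.nbma_ip]
    dst_nbma = hub.resolve(dst_tunnel_ip, now)
    if dst_nbma is None:
        return None                  # no live registration at the hub: packet is dropped
    return [src.nbma_ip, hub.nbma_ip, dst_nbma]


def run_lab() -> dict:
    """Walk through registration, a DHCP renumber on R3 and holdtime expiry on R2."""
    hub = NhrpHub("10.1.123.1", "202.100.1.1", auth="lab-nhrp")
    r2 = Spoke("10.1.123.2", "61.128.1.11", hub, auth="lab-nhrp")   # constructed DHCP lease
    r3 = Spoke("10.1.123.3", "172.9.1.12", hub, auth="lab-nhrp")    # constructed DHCP lease
    out: dict = {}
    out["r2_registered"] = r2.register(now=0)
    out["r3_registered"] = r3.register(now=0)
    out["bad_auth"] = hub.register("10.1.123.9", "198.51.100.9", "wrong", 7200, 0)
    out["r2_to_r3"] = phase1_path(r2, "10.1.123.3", now=10)
    # R3's DHCP lease changes; its next registration updates the hub database.
    r3.nbma_ip = "172.9.1.77"
    r3.register(now=100)
    out["r2_to_r3_after_renumber"] = phase1_path(r2, "10.1.123.3", now=110)
    # R2 never re-registers; once its holdtime is up the hub forgets it.
    out["r3_to_r2_expired"] = phase1_path(r3, "10.1.123.2", now=7200)
    out["hub_db_size"] = len(hub.db)
    return out


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(f"{key}: {value}")
```

The renumber step is the reason NHRP exists in this design: R1 has no static knowledge of 61.128.1.x or 172.9.1.x, and the only thing keeping its forwarding correct is the spokes re-registering before their holdtime runs out.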
End-to-end routing (static)
R1
ip route 10.1.2.0 255.255.255.0 10.1.123.2
ip route 10.1.3.0 255.255.255.0 10.1.123.3
R2, R3
ip route 10.1.0.0 255.255.0.0 10.1.123.1
If EIGRP or RIP is used instead of static routes, three things have to be dealt with on R1, the hub: split horizon (R1 learns R2's routes on Tunnel0 and must be allowed to advertise them back out of Tunnel0 to R3), the next hop (with point-to-point spoke tunnels the hub must remain the next hop for spoke-to-spoke prefixes, which is EIGRP's default next-hop-self behaviour, so leave it enabled in this design), and multicast on the NBMA network (routing-protocol hellos are multicast, so the hub needs an NHRP multicast mapping towards every dynamically registered spoke).
R1
interface Tunnel0
ip nhrp map multicast dynamic
no ip split-horizon eigrp <AS>
(for RIP the command is simply "no ip split-horizon")
Encryption
R1
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
hash sha
exit
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile PRF
set transform-set TS
exit
interface Tunnel0
tunnel protection ipsec profile PRF
R2, R3
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
hash sha
exit
crypto isakmp key cisco address 202.100.1.1
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile PRF
set transform-set TS
exit
interface Tunnel0
tunnel protection ipsec profile PRF
Notes on this configuration:
The keyword "profile" in "tunnel protection ipsec profile PRF" is mandatory (the original note dropped it).
The hub has to use a wildcard peer address (0.0.0.0 0.0.0.0) because the spokes' underlay addresses come from DHCP. The consequence is that any host that knows the pre-shared key can complete IKE with the hub and then register with NHRP as a spoke: the key is the only thing authenticating spokes, so outside a lab use a long random key, or certificates (authentication rsa-sig) instead of a shared one.
3DES, SHA-1 ("hash sha") and DH group 2 are legacy choices kept here because the lab uses them; current IOS supports "encryption aes 256", "hash sha256", "group 14" (or higher) and "esp-aes 256 esp-sha256-hmac", which is what a production deployment should use.
"mode tunnel" works with tunnel protection, but "mode transport" is the usual choice: GRE already supplies the outer IP header, so tunnel mode only adds a second one to every packet.
The hub negotiates a separate IKE and IPsec SA with each spoke (202.100.1.1 to each spoke's DHCP address); spoke-to-spoke traffic is forwarded through the hub and is decrypted and re-encrypted there.
Hub: multipoint GRE
Spoke: point-to-point GRE
Verify with "show crypto isakmp sa", "show crypto ipsec sa" and "show dmvpn" on R1: one SA pair per spoke, and the NHRP entries should now show as IPsec-protected.
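A check a practitioner would run against the crypto section above, as an added example that is not part of the original lab notes: it walks the hub's ISAKMP policy, pre-shared key and transform-set lines and reports every legacy setting, then runs again on a hardened variant using the AES/SHA-256/group 14 values mentioned in the notes. The weak/strong tables encode current practice; the minimum key length is this example's own threshold (assumption), and both sample configurations are constructed (the hardened key is a made-up string).

```python
# Added example, not from the original lab notes: audit an IOS crypto config
# for legacy IKEv1/IPsec choices. Weak-algorithm tables reflect current
# practice; MIN_PSK_LEN is this example's own threshold (assumption).
import re
from typing import List

LEGACY_ENC = {"des", "3des"}
LEGACY_HASH = {"md5", "sha"}          # on IOS, plain "sha" means SHA-1
LEGACY_DH = {"1", "2", "5"}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}
MIN_PSK_LEN = 20                      # assumption: local policy, not an IOS rule


def audit_ios_crypto(config: str) -> List[str]:
    """Return one finding per weak setting in an IOS crypto configuration."""
    findings: List[str] = []
    policy = None     # ISAKMP policy number while inside a policy block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = m.group(1)
            continue
        if line == "exit" or line.startswith(("crypto ", "interface ")):
            policy = None      # left the policy block; crypto/interface lines fall through
        if policy is not None:
            m = re.fullmatch(r"encryption (\S+)(?: \d+)?", line)   # "aes 256" carries a size
            if m and m.group(1) in LEGACY_ENC:
                findings.append(f"policy {policy}: encryption {m.group(1)} is legacy")
            m = re.fullmatch(r"hash (\S+)", line)
            if m and m.group(1) in LEGACY_HASH:
                findings.append(f"policy {policy}: hash {m.group(1)} is legacy")
            m = re.fullmatch(r"group (\d+)", line)
            if m and m.group(1) in LEGACY_DH:
                findings.append(f"policy {policy}: DH group {m.group(1)} is too small")
            continue
        m = re.fullmatch(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?", line)
        if m:
            key, peer = m.group(1), m.group(2)
            if peer == "0.0.0.0":
                findings.append(f"isakmp key '{key}': wildcard peer address, "
                                "any host holding the key can register as a spoke")
            if len(key) < MIN_PSK_LEN:
                findings.append(f"isakmp key '{key}': shorter than {MIN_PSK_LEN} characters")
            continue
        m = re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            for transform in m.group(2).split():
                if transform in LEGACY_TRANSFORMS:
                    findings.append(f"transform-set {m.group(1)}: {transform} is legacy")
    return findings


# Constructed sample: the hub side of the lab as written above.
LAB_HUB = """
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
hash sha
exit
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile PRF
set transform-set TS
exit
interface Tunnel0
tunnel protection ipsec profile PRF
"""

# Constructed hardened variant. The wildcard peer address stays because the
# spokes use DHCP, so the audit is expected to keep flagging that one line.
HARDENED_HUB = """
crypto isakmp policy 10
authentication pre-share
encryption aes 256
group 14
hash sha256
exit
crypto isakmp key Lab-DMVPN-psk-K7pQ9xW2mZ address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile PRF
set transform-set TS
exit
interface Tunnel0
tunnel protection ipsec profile PRF
"""

if __name__ == "__main__":
    for name, cfg in (("lab", LAB_HUB), ("hardened", HARDENED_HUB)):
        print(f"== {name} ==")
        for finding in audit_ios_crypto(cfg):
            print(" ", finding)
```

The hardened run still produces one finding, the wildcard peer address, which is the point: with DHCP-addressed spokes that line cannot go away, so the strength of the pre-shared key (or a move to certificates) is what carries spoke authentication.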