Cisco DMVPN Principles and Configuration

Please keep this notice when reposting. Author: 红头发 (aka CCIE#15101). Source:

I. Cisco DMVPN overview

Cisco Dynamic Multipoint VPN (DMVPN) is used to build scalable enterprise VPN networks that support distributed applications such as video and voice. It has the following advantages:

1. Combines a hub-and-spoke structure with an on-demand full-mesh topology.
2. Applies IPsec automatically.
3. No additional deployment work is needed when a remote site is added.
4. Reduces latency and saves bandwidth.

As shown in the figure below:

Cisco DMVPN can be used together with IOS Firewall, IOS IPS, QoS, IP multicast, split tunneling and routing-protocol hot-standby technologies.

DMVPN is normally suited to the following scenarios:

1. Medium and large enterprises.
2. SOHO.
3. Enterprise extranets.
4. Enterprise WAN backup links.
5. Service-provider VPN services.

II. Cisco DMVPN deployment and structure

Cisco DMVPN can be deployed in two ways:

1. Hub-and-spoke structure: in this traditional topology the remote sites are spoke nodes, and spoke traffic must pass through the hub node. As shown in the figure below:

2. Spoke-to-spoke structure: Cisco DMVPN also lets us use a full-mesh structure. On top of the traditional hub-and-spoke topology, an IPsec-based connection is added between spoke devices, so traffic between spokes no longer has to pass through the hub, which reduces latency and saves bandwidth. As shown in the figure below:

Which topology to use in an implementation can be decided by the 80/20 rule:

1. If 80% or more of the traffic flows from the spokes to the hub itself, use the hub-and-spoke structure.
2. If 20% or more of the traffic serves the spokes themselves (spoke-to-spoke), use the spoke-to-spoke structure.

To support advanced IP services (such as multicast, dynamic routing protocols and QoS), the traditional approach is to use a tunneling technology such as GRE. This produces an overlay network that is harder to maintain and manage and scales poorly. Traditional IPsec only supports IP unicast, which makes deploying one-to-many or many-to-many applications more troublesome. Cisco DMVPN combines GRE tunnels with IPsec and introduces the Next Hop Resolution Protocol (NHRP), a protocol that reduces the administrative burden. As shown in the figure below:

The key components of Cisco DMVPN are:

1. Multipoint GRE (mGRE) tunnel interface: lets a single GRE interface support multiple IPsec tunnels, simplifying configuration.
2. Dynamic discovery of IPsec endpoints and crypto profiles: no crypto map has to be configured by hand for each pair of peers, simplifying deployment.
3. NHRP: lets spokes use dynamic IP addresses; the hub maintains an NHRP database of every spoke's public address. When a spoke starts up it registers its real address with the hub, and when it wants to build a tunnel directly to another spoke it queries the hub's NHRP database to find that spoke's real address.

III. Cisco DMVPN implementation

DMVPN can be configured with the wizard in Cisco SDM:

Configuring Cisco DMVPN through IOS. The topology is shown in the figure below:

Note that the wildcard pre-shared key (address 0.0.0.0 0.0.0.0) is what lets spokes with dynamic addresses authenticate, so any peer that knows the key is accepted; the key "cisco" is a lab value only.

R1 configuration:

!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile 91lab
 set transform-set ccsp
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ! configure NHRP authentication
 ip nhrp authentication cisco
 ! allow NHRP to add router-to-multicast NHRP mappings automatically as spokes register
 ip nhrp map multicast dynamic
 ! enable NHRP on the interface
 ip nhrp network-id 1
 ip ospf network broadcast
 ip ospf priority 255
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile 91lab
!
interface Loopback0
 ip address 11.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 125.71.1.1 255.255.255.248
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay map ip 125.71.1.2 102 broadcast
 frame-relay map ip 125.71.1.3 103 broadcast
!
router ospf 1
 log-adjacency-changes
 network 11.1.1.1 0.0.0.0 area 0
 network 125.71.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
!

R2 configuration:

!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile 91lab
 set transform-set ccsp
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication cisco
 ! static mapping of the hub's tunnel address (192.168.1.1) to its NBMA address (125.71.1.1, Serial0/0)
 ip nhrp map 192.168.1.1 125.71.1.1
 ! use the hub's NBMA address as the destination for broadcast or multicast sent over the tunnel network
 ip nhrp map multicast 125.71.1.1
 ip nhrp network-id 1
 ! define the NHRP server (next-hop server) by its tunnel address
 ip nhrp nhs 192.168.1.1
 ip ospf network broadcast
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile 91lab
!
interface Loopback0
 ip address 22.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 125.71.1.2 255.255.255.248
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay map ip 125.71.1.1 201 broadcast
 frame-relay map ip 125.71.1.3 201 broadcast
!
router ospf 1
 log-adjacency-changes
 network 22.1.1.1 0.0.0.0 area 0
 network 125.71.1.2 0.0.0.0 area 0
 network 192.168.1.2 0.0.0.0 area 0
!

R3 configuration:

!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile 91lab
 set transform-set ccsp
!
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 ip nhrp authentication cisco
 ! hub tunnel address mapped to its NBMA address, as on R2
 ip nhrp map 192.168.1.1 125.71.1.1
 ip nhrp map multicast 125.71.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip ospf network broadcast
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile 91lab
!
interface Loopback0
 ip addr
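As an added check that is not part of the original post, the script below parses hub and spoke Tunnel0 stanzas modelled on R1 and R2 and flags the mismatches that stop a spoke registering with the hub: a differing network-id, tunnel key or NHRP authentication string, a missing IPsec profile, and the common slip of pointing `ip nhrp nhs` at the hub's NBMA address while sending multicast to its tunnel address. The stanzas and the hypothetical helper functions are constructed for this example; they are not a Cisco tool or output from the lab devices.

```python
# Constructed Tunnel0 stanzas modelled on this page's R1 (hub) and R2 (spoke); not device output.
HUB = """ip address 192.168.1.1 255.255.255.0
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel key 1
tunnel protection ipsec profile 91lab"""
HUB_NBMA = "125.71.1.1"  # the hub's Serial0/0 (NBMA) address on the page

SPOKE = """ip address 192.168.1.2 255.255.255.0
ip nhrp authentication cisco
ip nhrp map 192.168.1.1 125.71.1.1
ip nhrp map multicast 125.71.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel key 1
tunnel protection ipsec profile 91lab"""
# Common slip: hub tunnel and NBMA addresses swapped between nhs and the multicast map, static map dropped.
BAD_SPOKE = (SPOKE.replace("nhs 192.168.1.1", "nhs 125.71.1.1").replace("multicast 125.71.1.1", "multicast 192.168.1.1")
             .replace("ip nhrp map 192.168.1.1 125.71.1.1\n", ""))

SCALAR = {("ip", "address"): "tunnel_ip", ("ip", "nhrp", "authentication"): "auth",
          ("ip", "nhrp", "network-id"): "network_id", ("tunnel", "key"): "key",
          ("tunnel", "protection", "ipsec", "profile"): "profile"}

def parse_tunnel(text):
    """Pull the NHRP/mGRE settings that hub and spoke must agree on out of a Tunnel stanza."""
    cfg = {"nhs": [], "multicast": [], "map": {}}
    for w in (line.split() for line in text.splitlines()):
        for prefix, key in SCALAR.items():
            if tuple(w[:len(prefix)]) == prefix:
                cfg[key] = w[len(prefix)]
        if w[:3] == ["ip", "nhrp", "nhs"]:
            cfg["nhs"].append(w[3])
        elif w[:4] == ["ip", "nhrp", "map", "multicast"]:
            cfg["multicast"].append(w[4])
        elif w[:3] == ["ip", "nhrp", "map"]:
            cfg["map"][w[3]] = w[4]  # tunnel address -> NBMA address
    return cfg

def check_spoke(hub, spoke, hub_nbma):
    """Findings that would stop this spoke registering with, or resolving peers through, the hub."""
    hub_tun = hub["tunnel_ip"]
    checks = [
        (hub.get("network_id") == spoke.get("network_id"), "nhrp network-id differs from hub"),
        (hub.get("key") == spoke.get("key"), "tunnel key differs from hub"),
        (hub.get("auth") == spoke.get("auth"), "nhrp authentication string differs from hub"),
        ("profile" in spoke, "no tunnel protection ipsec profile: GRE would leave in the clear"),
        (hub_tun in spoke["nhs"], f"ip nhrp nhs must be the hub tunnel address {hub_tun}"),
        (spoke["map"].get(hub_tun) == hub_nbma, f"missing ip nhrp map {hub_tun} {hub_nbma}"),
        (hub_nbma in spoke["multicast"], f"ip nhrp map multicast must use hub NBMA {hub_nbma}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running check_spoke on the good stanza returns an empty list, while the swapped stanza yields three findings (nhs, static map, multicast map).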