**Author:** 颖奇L'Amore **Blog:** www.gem-love.com

This lab write-up is dedicated, with thanks, to my CCIE mentor QYT.Ender (周亚军). In the topology, Hub-1 is R1, Spoke-1 is R2, Spoke-2 is R4, and the mGRE (ISP) device is SW1.

![](http://cdn1.pic.y1ng.vip/iPic/2021-12-09-073942.jpg)

## I. The four building blocks of DMVPN

1. mGRE (Multipoint Generic Routing Encapsulation)

2. NHRP (Next Hop Resolution Protocol). A Layer 2 client/server resolution protocol used to map a (virtual) tunnel address to a (physical) NBMA address.

3. Dynamic routing protocol. The supported routing protocols are OSPF, EIGRP, BGP, RIP and ODR (obsolete). Routing adjacencies are only formed over hub-to-spoke tunnels; spoke-to-spoke forwarding logic is carried out by NHRP, and the routing protocol does not monitor spoke-to-spoke state.

4. IPsec. DMVPN is still a GRE over IPsec technology, and is the typical use of transport mode.

## II. Configuring DMVPN

1. mGRE

① Configure the physical address on every interface and `no shutdown` it. ② On the mGRE switch, put E0/1 into VLAN 10 and E0/2-3 into VLAN 20, then configure SVIs for VLAN 10 and VLAN 20: the VLAN 10 SVI is 61.128.1.254 and the VLAN 20 SVI is 202.100.1.254. (Reachability between the public IPs must be in place first, because everything that follows depends on it.)

```
mGRE(config)#int e0/1
mGRE(config-if)#switchport access vlan 10
mGRE(config)#int range e0/2 - 3
mGRE(config-if-range)#switchport access vlan 20
mGRE(config)#int vlan 10
mGRE(config-if)#ip add 61.128.1.254 255.255.255.0
mGRE(config-if)#no shutdown
mGRE(config-if)#int vlan 20
mGRE(config-if)#ip add 202.100.1.254 255.255.255.0
mGRE(config-if)#no shutdown
```

③ Use BGP to provide public reachability (Hub AS 100, Spoke AS 200, ISP AS 6666):

```
HUB-1#sh run | s bgp
router bgp 100
neighbor 61.128.1.254 remote-as 6666

Spoke-1#sh running-config | s bgp
router bgp 200
neighbor 202.100.1.254 remote-as 6666

Spoke-2#sh run | s bgp
router bgp 200
neighbor 202.100.1.254 remote-as 6666

mGRE#sh run | s bgp
router bgp 6666
neighbor 61.128.1.100 remote-as 100
neighbor 61.128.1.100 default-originate ---push a default route to this neighbor
neighbor 202.100.1.1 remote-as 200
neighbor 202.100.1.1 default-originate
neighbor 202.100.1.2 remote-as 200
neighbor 202.100.1.2 default-originate
```
④ Configure the tunnel interface. On the hub and on each spoke:
```
interface Tunnel0
tunnel source Ethernet0/1  ---tunnel source; this is the interface facing the ISP
tunnel mode gre multipoint ---tunnel mode is mGRE
```

2. NHRP: mapping private (tunnel) addresses to NBMA addresses

HUB-1:

```
interface Tunnel0
ip address 172.16.1.100 255.255.255.0 ----tunnel address
ip nhrp authentication cisco ---authentication
ip nhrp map multicast dynamic   ---the hub accepts dynamic multicast from the spokes, which the dynamic routing protocol needs
ip nhrp network-id 10  ----the network-id must match on every node
```

Spoke (the two spokes are configured identically apart from the interface address):

```
interface Tunnel0
ip address 172.16.1.1 255.255.255.0 ---tunnel address
ip nhrp authentication cisco ---authentication
ip nhrp map 172.16.1.100 61.128.1.100  ----map the tunnel address of the NHS (next hop server) to its NBMA address
ip nhrp map multicast 61.128.1.100  ----NBMA address that multicast is sent to; without it routing is unstable
ip nhrp network-id 10   ---the network-id should be the same everywhere
ip nhrp nhs 172.16.1.100   ---NHS address, i.e. the hub's tunnel address
```

3. Dynamic routing protocol: EIGRP

Configuration:

```
router eigrp 90
network 172.16.0.0
network 192.168.100.0 ---configured on the hub and on the spokes; the only difference between them is which loopback network behind the router is advertised
```


Result:

```
HUB-1#p 192.168.1.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms
```

You will find that neighbors now come up between hub and spokes, but not between the spokes (and so there are no spoke-to-spoke routes either). Solution: disable split horizon on the hub, so that what Spoke-1 advertises to the hub is advertised onward to Spoke-2.

```
HUB-1(config)#int tunnel 0
HUB-1(config-if)#no ip split-horizon eigrp 90
```

(Note: a bare `no ip split-horizon` is also accepted, but that form applies to BGP/RIP; for EIGRP you must append `eigrp [AS]`.)

After that, Spoke-1 can reach Spoke-2's loopback, but the path still goes through the hub:

```
Spoke-1#traceroute 192.168.2.1 source lo0 numeric
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.100 [AS 6666] 1 msec 0 msec 2 msec
  2 172.16.1.2 [AS 6666] 6 msec *  1 msec
```

4. IPsec

Configure the hub, Spoke-1 and Spoke-2 all as follows:

```
crypto isakmp policy 10
authentication pre-share  ---pre-shared key authentication
crypto isakmp key QYT address 0.0.0.0   ---address 0.0.0.0 because this is a multi-access network
crypto ipsec transform-set Trans esp-des esp-md5-hmac ---transform set
mode transport  ---transport mode; the default is tunnel mode
crypto ipsec profile DMVPN  ---the profile ties the pieces together
set transform-set Trans  ---reference the transform set
interface tunnel 0
tunnel protection ipsec profile DMVPN ---apply the profile under the tunnel interface
```
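As an added example (not part of the original post), the following Python checker reads running-config fragments from the hub and a spoke and flags the mistakes the NHRP and IPsec sections above warn about: a mismatched `ip nhrp network-id` or authentication string, an NHS or static map that does not point at the hub's tunnel/NBMA pair, a spoke whose Tunnel0 has no `tunnel protection`, and a transform set still using DES or MD5. The config text is constructed to mirror this lab (hub tunnel 172.16.1.100 behind NBMA 61.128.1.100), with the Spoke-2 copy deliberately misconfigured so the checks fire.

```python
import re
# Constructed sample running-config fragments modelled on the lab in the post
# (hub tunnel 172.16.1.100 behind NBMA 61.128.1.100, spoke tunnel 172.16.1.2).
# The spoke copy is deliberately wrong: bad network-id, no tunnel protection.
HUB_NBMA = "61.128.1.100"
HUB_CFG = """interface Tunnel0
 ip address 172.16.1.100 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp network-id 10
 tunnel protection ipsec profile DMVPN
crypto ipsec transform-set Trans esp-des esp-md5-hmac"""
SPOKE2_CFG = """interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 172.16.1.100 61.128.1.100
 ip nhrp network-id 11
 ip nhrp nhs 172.16.1.100"""

def parse(cfg):
    # Extract the NHRP and IPsec facts the post says must agree on every node
    def grab(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    return {
        "ip": grab(r"^ ip address (\S+)"),
        "net_id": grab(r"^ ip nhrp network-id (\S+)"),
        "auth": grab(r"^ ip nhrp authentication (\S+)"),
        "nhs": grab(r"^ ip nhrp nhs (\S+)"),
        "maps": dict(re.findall(r"^ ip nhrp map (\d\S+) (\S+)", cfg, re.M)),
        "protected": "tunnel protection ipsec profile" in cfg,
        "weak_crypto": bool(re.search(r"esp-(des|3des|md5-hmac)\b", cfg)),
    }

def check(hub_cfg, hub_nbma, spokes):
    # Returns a list of findings; an empty list means hub and spokes agree
    hub, found = parse(hub_cfg), []
    if hub["weak_crypto"]:
        found.append("hub: transform-set still uses DES/3DES or MD5")
    for name, cfg in spokes.items():
        s = parse(cfg)
        if s["net_id"] != hub["net_id"]:
            found.append(f"{name}: network-id {s['net_id']} != hub {hub['net_id']}")
        if s["auth"] != hub["auth"]:
            found.append(f"{name}: NHRP authentication string differs from hub")
        if s["nhs"] != hub["ip"] or s["maps"].get(hub["ip"]) != hub_nbma:
            found.append(f"{name}: NHS or static map does not point at the hub")
        if hub["protected"] and not s["protected"]:
            found.append(f"{name}: Tunnel0 lacks tunnel protection")
    return found
```

Running `check(HUB_CFG, HUB_NBMA, {"Spoke-2": SPOKE2_CFG})` on the constructed input yields three findings: the weak transform set, the network-id mismatch and the missing tunnel protection.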

That completes the `DMVPN` configuration. Let's look at the result:

![](http://cdn1.pic.y1ng.vip/iPic/2021-12-09-074154.png) ![](http://cdn1.pic.y1ng.vip/iPic/2021-12-09-074158.png)

## III. Optimising DMVPN

At this point, traffic between Spoke-1 and Spoke-2 takes two hops:

```
Spoke-2#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.100 [AS 6666] 7 msec 6 msec 7 msec
  2 172.16.1.1 [AS 6666] 6 msec
```


Solutions:

① Disable the `next-hop-self` behaviour on the hub:

```
interface Tunnel0
no ip next-hop-self eigrp 90
```


`traceroute` again:

```
Spoke-2#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.1 [AS 6666] 7 msec  ---reached in one hop
```


② Alternatively, first under the hub's tunnel0 interface:

```
ip nhrp redirect
ip summary-address eigrp 90 192.168.0.0 255.255.0.0  ---EIGRP summary route
```

```
Spoke-1#sh ip route eigrp
D     192.168.0.0/16 [90/27008000] via 172.16.1.100, 02:33:51, Tunnel0
```


Then under the tunnel interface on each spoke:

```
interface Tunnel0
ip nhrp shortcut
```


With this, the hub hands the spokes a summary route whose next hop is the hub (via 172.16.1.100, as shown above). When traffic arrives at the hub, the hub optimises it, and afterwards an `H` (NHRP) route appears on the spoke and the destination is reached in one hop. Test:

```
Spoke-1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms

Spoke-1#sh ip route nhrp
H     192.168.2.0/24 [250/1] via 172.16.1.2, 00:24:22, Tunnel0

Spoke-1#traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.2 [AS 6666] 4 msec *  6 msec  ---reached in one hop
```