Summary of the content on page No. 1
SOLUTION OVERVIEW
CONFIGURING DYNAMIC MULTIPOINT VPN
WITH ON-DEMAND ROUTING
OVERVIEW
This document provides a sample configuration for On-Demand Routing (ODR) with Dynamic Multipoint VPN (DMVPN) in a hub-to-spoke
configuration. The DMVPN feature simplifies the hub router IPsec configuration and supports dynamic IP addresses at the spoke router.
DMVPN combines Generic Routing Encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). It provides IP
Summary of the content on page No. 2
• This configuration guide uses private addresses only. When using private addresses and connecting to the Internet, an appropriate Network Address Translation (NAT) or Port Address Translation (PAT) configuration is required to provide connectivity over the Internet.
• ODR provides a default route only to the spoke; the configuration supports a hub-and-spoke topology with no split tunneling.
PRECAUTIONS
Before configurations are made to any router, confirm the following:
• The spoke rou
Summary of the content on page No. 3
CONFIGURATION OF THE CISCO 3725 ROUTER
Following are the configurations on the Hub router:
Current configuration:
!
version 12.3
!
hostname c3725-21
!
no aaa new-model
!
ip subnet-zero
ip cef
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transfo
Summary of the content on page No. 4
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
 ip address 10.0.149.221 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.20.21 255.255.255.0
 duplex auto
 speed 100
!
router odr
 distribute-list 101 in
!
router eigrp 1
 redistribute odr metric 2000 100 255 255 1400
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.20.0
 n
Summary of the content on page No. 5
VERIFYING THE CISCO 3725 ROUTER RESULTS
Normal Operation
This section provides information that can be used to confirm that the configuration is working properly.
c3725-21#show ip route
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
       D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
       N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
       E1-OSPF external type 1, E2-OSPF external type 2
       i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
       ia-
Summary of the content on page No. 6
IPSEC FLOW: permit 47 host 10.0.149.221 host 10.0.150.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 6757 drop 0 life (KB/Sec) 4427309/2860
Outbound: #pkts enc'ed 65162 drop 1 life (KB/Sec) 4427290/2860
c3725-21#show ip protocols
Routing Protocol is "nhrp"
Maximum path: 0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 0)
Routing Protocol is "eigrp 1"
Outgoing update filter list for all interfaces is not set
Inc
Summary of the content on page No. 7
Hardware is Tunnel
Internet address is 192.168.1.1/24
MTU 1514 bytes, BW 1000 Kbit, DLY 10000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.0.149.221 (FastEthernet0/0), destination UNKNOWN
Tunnel protocol/transport multi-GRE/IP
Key 0x186A0, sequencing disabled
Checksumming of packets disabled
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (k
Summary of the content on page No. 8
!
hostname c1751-16
!
no aaa new-model
ip subnet-zero
!
ip cef
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA1
!
crypto ipsec profile SDM_Pr
Summary of the content on page No. 9
 tunnel source FastEthernet0/0
 tunnel destination 10.0.149.221
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface Tunnel1
 bandwidth 1000
 ip address 192.168.2.10 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMPVN_BU
 ip nhrp map 192.168.2.1 10.0.149.220
 ip nhrp network-id 100001
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.2.1
 ip nhrp server-only
 ip tcp adjust-mss 1360
 delay 1000
 cdp enable
 tunnel source FastEthernet0/0
 tunnel destinati
Summary of the content on page No. 10
       N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
       E1-OSPF external type 1, E2-OSPF external type 2
       i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
       ia-IS-IS inter area, *-candidate default, U-per-user static route
       o-ODR, P-periodic downloaded static route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.150.0 is directly connected, FastEthernet0/0
S       10.0.149.0 [1/0] via 10.0.150.207
C
Summary of the content on page No. 11
Gateway Distance Last Update
Distance: (default is 0)
c1751-16#show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Source Route Bridge
                  S-Switch, H-Host, I-IGMP, r-Repeater
Device ID            Local Intrfce   Holdtme   Capability   Platform   Port ID
c2950-xl             Eth 0/0         165       S I          WS-C2950G-Fas 0/6
c2950-xl             Fas 0/0         165       S I          WS-C2950G-Fas 0/9
c3725-21.cisco.com   Tunnel0         152       R S I        3725       Tunnel0
c3745-20.cisco.com   Tu
Summary of the content on page No. 12
!
resource manager
!
ip subnet-zero
ip cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentic
Summary of the content on page No. 13
 ip address 10.0.149.220 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.20.20 255.255.255.0
 speed 100
 full-duplex
!
router odr
 distribute-list 101 in
!
router eigrp 1
 redistribute odr
 network 192.168.2.0
 network 192.168.20.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.149.207
!
access-list 101 permit ip any 192.168.0.0 0.0.255.255
!
end
CISCO 831 ROUTER CONFIGURATION
Current co
Summary of the content on page No. 14
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA1
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA
!
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.1.11 255.255.255.0
 ip mtu 1400
 ip nhrp aut
Summary of the content on page No. 15
 cdp enable
 tunnel source Ethernet1
 tunnel destination 10.0.149.220
 tunnel key 100001
 tunnel protection ipsec profile SDM_Profile2
!
interface Ethernet0
 ip address 192.168.27.1 255.255.255.0
!
interface Ethernet1
 ip address dhcp
 duplex auto
!
ip classless
ip route 10.0.149.0 255.255.255.0 dhcp
!
end
RELATED INFORMATION
• IPsec Support Page
• An Introduction to IPsec Encryption
• Configuring On-Demand Routing, Release 12.2 Configuration Guide
• Designing Large-
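An added example, not part of the original Cisco document: a small Python check that reads the crypto lines from the hub configuration shown earlier and reports the settings a reviewer would query before reusing this sample (3DES, Diffie-Hellman group 2, and a pre-shared key bound to 0.0.0.0 0.0.0.0). The rule names and the audit function are this example's own, and it assumes sub-commands are indented as in normal IOS output.

```python
import re

# Crypto lines copied from the hub (c3725-21) configuration on this page,
# one command per line, sub-commands indented as IOS prints them.
HUB_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
"""

# (rule id, stanza the command must sit in, command pattern, reason).
# Rule ids and wording are this example's own labels.
RULES = [
    ("ike-3des", "crypto isakmp policy", r"^encr 3des$",
     "IKE policy encrypts with 3DES"),
    ("dh-group-2", "crypto isakmp policy", r"^group 2$",
     "IKE policy uses 1024-bit Diffie-Hellman group 2"),
    ("wildcard-psk", "crypto isakmp key",
     r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$",
     "one pre-shared key is accepted from any peer address"),
    ("esp-3des", "crypto ipsec transform-set",
     r"^crypto ipsec transform-set \S+ .*\besp-3des\b",
     "ESP transform encrypts with 3DES"),
]

def audit(config):
    """Return (line_no, stanza, rule_id, reason) for each flagged command."""
    findings, stanza = [], ""
    for line_no, raw in enumerate(config.splitlines(), start=1):
        command = raw.strip()
        if not command or command.startswith("!"):
            continue  # blank line or IOS separator
        if not raw.startswith(" "):
            stanza = command  # an unindented command opens a new stanza
        # Keep the key itself out of the report.
        shown = re.sub(r"^(crypto isakmp key )\S+", r"\1<redacted>", stanza)
        for rule_id, scope, pattern, reason in RULES:
            if stanza.startswith(scope) and re.search(pattern, command):
                findings.append((line_no, shown, rule_id, reason))
    return findings

if __name__ == "__main__":
    for line_no, stanza, rule_id, reason in audit(HUB_CONFIG):
        print(f"line {line_no} [{stanza}] {rule_id}: {reason}")
```

Because each rule is tied to its stanza, a `group 2` line under an unrelated stanza is not reported, and the pre-shared key never appears in the findings.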