The simulated model has a network topology similar to the figure below:
Configuration of the Center router (Hub), as obtained with “show run”:
hostname Center
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key fetelacad address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile dvpnprof
 set transform-set mytrans
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dvpnprof
!
interface Serial1/0
 ip address 172.17.0.1 255.255.255.0
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
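The hub, spoke 1 and spoke 2 configurations in this report all share the same crypto settings: one pre-shared key bound to the wildcard peer address 0.0.0.0 0.0.0.0, and a transform set built from esp-des and esp-md5-hmac. The following audit script is an added example (not part of the report or of Cisco IOS); it parses an IOS running-config in the format shown above and flags those two points so an operator can spot them before the design goes beyond the lab. The config text is constructed here from the Center router's configuration, and the list of transforms treated as weak is the editor's assumption, based on single DES and HMAC-MD5 no longer being recommended for IPsec.

```python
import re

# Constructed sample: the Hub (Center) configuration from this report, trimmed
# to the crypto lines the audit inspects.
CENTER_CONFIG = """\
hostname Center
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key fetelacad address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile dvpnprof
 set transform-set mytrans
!
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile dvpnprof
"""

# Transforms the audit reports as weak (assumption: DES and MD5-based HMAC).
WEAK_TRANSFORMS = {
    "esp-des": "single DES encryption",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "ah-md5-hmac": "HMAC-MD5 integrity",
}


def parse_transform_sets(config):
    """Return {name: [transforms]} for every 'crypto ipsec transform-set' line."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)\s+(.+)$", config, re.M):
        sets[m.group(1)] = m.group(2).split()
    return sets


def parse_isakmp_keys(config):
    """Return [(peer_address, mask)] for each pre-shared key statement.

    The key material itself is deliberately not returned."""
    return re.findall(r"^crypto isakmp key \S+ address (\S+) (\S+)$", config, re.M)


def parse_profiles(config):
    """Return {profile: transform-set} from 'crypto ipsec profile' blocks."""
    profiles = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec profile (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+set transform-set (\S+)$", line)
        if m and current:
            profiles[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the indented profile block
    return profiles


def audit(config):
    """Return human-readable findings for weak transforms and wildcard PSKs."""
    findings = []
    sets = parse_transform_sets(config)
    for name, transforms in sets.items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} ({WEAK_TRANSFORMS[t]})")
    for profile, ts in parse_profiles(config).items():
        if any(t in WEAK_TRANSFORMS for t in sets.get(ts, [])):
            findings.append(f"profile {profile}: applies transform-set {ts}, which contains weak transforms")
    for addr, mask in parse_isakmp_keys(config):
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            findings.append("isakmp key: wildcard peer address 0.0.0.0 0.0.0.0 "
                            "(one pre-shared key accepted from any peer)")
    return findings


if __name__ == "__main__":
    for finding in audit(CENTER_CONFIG):
        print(finding)
```

Running the script against the hub configuration yields four findings: the two weak transforms in mytrans, the dvpnprof profile that applies them to Tunnel0, and the wildcard pre-shared key. The same script applies unchanged to the Branch_1 and Branch_2 configurations, since they use identical crypto lines.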
Routing table of the Center router, command “show ip route”:
Center#show ip route
172.17.0.0/24 is subnetted, 1 subnets
C 172.17.0.0 is directly connected, Serial1/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
C 192.168.0.0/24 is directly connected, Loopback0
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/101] via 10.0.0.11, 00:03:40, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.1 [110/101] via 10.0.0.12, 00:03:40, Tunnel0
S* 0.0.0.0/0 is directly connected, Serial1/0
NHRP information on the Center router, command “show ip nhrp”:
Center#show ip nhrp
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:04:29, expire 00:03:38
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 172.17.1.2
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:04:56, expire 00:04:52
  Type: dynamic, Flags: authoritative unique registered used
Verification of the algorithms in use, command “show crypto engine connections active”:
Branch_2#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1/0 172.17.0.1 Set HMAC_SHA+DES_56_CB 0 0
1 Serial1/0 172.17.0.1 Set HMAC_SHA+DES_56_CB 0 91
2000 Tunnel0 10.0.0.1 Set HMAC_MD5+DES_56_CB 0 0
2001 Tunnel0 10.0.0.1 Set HMAC_MD5+DES_56_CB 91 0
2002 Tunnel0 10.0.0.1 Set HMAC_MD5+DES_56_CB 0 86
2003 Tunnel0 10.0.0.1 Set HMAC_MD5+DES_56_CB 88 0
Configuration of the Branch_1 router (Spoke 1), command “show run”:
hostname Branch_1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key fetelacad address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile dvpnprof
 set transform-set mytrans
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Ethernet1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dvpnprof
!
interface Ethernet1/0
 ip address dhcp hostname Spoke1
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
Routing table of the Branch_1 router, command “show ip route”:
Branch_1#show ip route
172.17.0.0/24 is subnetted, 1 subnets
C 172.17.1.0 is directly connected, Ethernet1/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
O 192.168.0.1 [110/101] via 10.0.0.1, 00:10:41, Tunnel0
C 192.168.1.0/24 is directly connected, Loopback0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.1 [110/101] via 10.0.0.12, 00:10:41, Tunnel0
S* 0.0.0.0/0 [1/0] via 172.17.1.1
NHRP information on the Branch_1 router before the Spoke-to-Spoke connection is established, command “show ip nhrp”:
Branch_1#show ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:12:58, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.1
NHRP information on the Branch_1 router after the Spoke-to-Spoke connection is established, command “show ip nhrp”:
Branch_1#show ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:14:18, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:01:16, expire 00:03:36
  Type: dynamic, Flags: router
Verification of the algorithms in use, command “show crypto engine connections active”:
Branch_1#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Tunnel0 10.0.0.11 set HMAC_SHA+DES_56_CB 0 0
2 Serial1/0 172.17.1.1 set HMAC_SHA+DES_56_CB 0 0
3 Tunnel0 10.0.0.11 set HMAC_SHA+DES_56_CB 0 0
2000 Tunnel0 10.0.0.11 set HMAC_MD5+DES_56_CB 0 84
2001 Tunnel0 10.0.0.11 set HMAC_MD5+DES_56_CB 84 0
2002 Tunnel0 10.0.0.11 set HMAC_MD5+DES_56_CB 0 5
Configuration of the Branch_2 router (Spoke 2), command “show run”:
hostname Branch_2
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key fetelacad address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile dvpnprof
 set transform-set mytrans
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.12 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source Ethernet1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dvpnprof
!
interface Ethernet1/0
 ip address 172.17.2.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
Routing table of the Branch_2 router, command “show ip route”:
Branch_2#show ip route
172.17.0.0/24 is subnetted, 1 subnets
C 172.17.2.0 is directly connected, Ethernet1/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
O 192.168.0.1 [110/101] via 10.0.0.1, 00:03:53, Tunnel0
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/101] via 10.0.0.11, 00:03:53, Tunnel0
C 192.168.2.0/24 is directly connected, Loopback0
S* 0.0.0.0/0 [1/0] via 172.17.2.1
NHRP information on the Branch_2 router before the Spoke-to-Spoke connection is established, command “show ip nhrp”:
Branch_2#show ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:06:13, never expire
  Type: static, Flags: authoritative used
NHRP information on the Branch_2 router after the Spoke-to-Spoke connection is established, command “show ip nhrp”:
Branch_2#show ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:07:57, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:05, expire 00:04:10
  Type: dynamic, Flags: router
  NBMA address: 172.17.1.2
Verification of the algorithms in use on the Branch_2 router, command “show crypto engine connections active”:
Branch_2#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Tunnel0 10.0.0.12 Set HMAC_SHA+DES_56_CB 0 0
2 Tunnel0 10.0.0.12 Set HMAC_SHA+DES_56_CB 0 0
3 Ethernet1/0 172.17.2.2 Set HMAC_SHA+DES_56_CB 0 0
2000 Tunnel0 10.0.0.12 Set HMAC_SHA+DES_56_CB 0 73
2001 Tunnel0 10.0.0.12 Set HMAC_SHA+DES_56_CB 72 0
2002 Tunnel0 10.0.0.12 Set HMAC_SHA+DES_56_CB 0 1
2003 Tunnel0 10.0.0.12 Set HMAC_SHA+DES_56_CB 0 0
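The before/after “show ip nhrp” captures on Branch_1 and Branch_2 show the DMVPN phase 2 behaviour the report is demonstrating: the only entry at first is the static mapping to the hub (10.0.0.1, never expire), and once spoke-to-spoke traffic flows a dynamic entry for the other spoke appears with its NBMA address and a holdtime-bounded expiry. The script below is an added example (not part of the report or of Cisco IOS) that parses that output format and reports which dynamic peers appeared between two captures, which is the check an operator would script to confirm that spoke-to-spoke tunnels actually form and to see which public (NBMA) addresses the spokes are learning about each other. The two captures are constructed here from the Branch_2 output above.

```python
import re

# Constructed samples, based on the Branch_2 (Spoke 2) captures in this report.
NHRP_BEFORE = """\
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:06:13, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.1
"""

NHRP_AFTER = """\
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:07:57, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.1
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:05, expire 00:04:10
  Type: dynamic, Flags: router
  NBMA address: 172.17.1.2
"""

# First line of each NHRP cache entry; group 5 is None for 'never expire'.
ENTRY_HEADER = re.compile(
    r"^(\S+/\d+) via (\S+), (\S+) created (\S+), (?:never expire|expire (\S+))$"
)


def parse_nhrp(text):
    """Parse 'show ip nhrp' output into a list of entry dicts."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_HEADER.match(raw)
        if m:
            entries.append({
                "prefix": m.group(1), "nexthop": m.group(2), "iface": m.group(3),
                "created": m.group(4), "expire": m.group(5),
                "type": None, "flags": [], "nbma": None,
            })
            continue
        if not entries:
            continue  # detail line with no preceding header; ignore
        line = raw.strip()
        m = re.match(r"^Type: (\w+), Flags: (.*)$", line)
        if m:
            entries[-1]["type"] = m.group(1)
            entries[-1]["flags"] = m.group(2).split()
            continue
        m = re.match(r"^NBMA address: (\S+)$", line)
        if m:
            entries[-1]["nbma"] = m.group(1)
    return entries


def new_dynamic_peers(before, after):
    """Dynamic entries present in 'after' whose next hop was absent in 'before'."""
    known = {e["nexthop"] for e in parse_nhrp(before)}
    return [e for e in parse_nhrp(after)
            if e["type"] == "dynamic" and e["nexthop"] not in known]


def summarize(before, after):
    """One line per newly learned spoke: tunnel address, NBMA address, expiry."""
    return [f"{e['nexthop']} -> NBMA {e['nbma']} (expires in {e['expire']})"
            for e in new_dynamic_peers(before, after)]


if __name__ == "__main__":
    for line in summarize(NHRP_BEFORE, NHRP_AFTER):
        print(line)
```

For the captures above the script reports a single new peer, 10.0.0.11 reachable at NBMA address 172.17.1.2 with 00:04:10 left before it ages out. Entries with "never expire" (the static NHS mapping) are parsed with an empty expiry, so the same parser also handles the hub-side table, where every spoke entry is dynamic and carries the registered flag.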