
SUPERVISOR'S COMMENTS

REVIEWER'S COMMENTS

A STUDY OF DMVPN AND A TEST DEPLOYMENT ON CISCO ROUTERS

ACKNOWLEDGEMENTS
, ,
H HC , ,

C H C
,
,
C

X

Ho Chi Minh City, 25 May 2011
T V




INTRODUCTORY PART

INTRODUCTION.
1. Urgency of the topic.
, I
, I



A WA
C I I - Internet
, C/I

V I, , , ,
, I
,


I,
V -V V ,
,
, V
ph ,

,
,

V
VPN yu cu hiu bit v kh o m t v cu hnh bo v
i vi mng cng cng hay Internet.
Ch tin cy khng thuc vo s u khin ca cng ty
m cn b ng bi cc ISP.
a cc nh sn xut cung cp thit b y gi c
t v .
C m kt ni phi thu nh
m mun kt ni vi nhau phi thng qua router trung tm ny m
khng th kt ni trc ti c.
D V DV
.
V DV, ,
V
D
VPN Dual-H

sau ny.
2. Objectives and tasks.
Objectives.

V V
D V
DV DV D H CICO
Tasks.
V
V
DV
C CICO
3. Research subject and object.
C

Dynamic Multipoint VPN.
4. Research hypothesis.
C



C ,



MAIN CONTENT

CHAPTER 1: INTRODUCTION TO VPN AND DMVPN TECHNOLOGY
1.1. Virtual private network (VPN) technology
1.1.1. Basic concepts of virtual private networks (VPN).
Fast, secure and reliable communication has become a concern for many businesses, especially those whose sites are geographically dispersed. The usual solution used to be leasing dedicated lines to maintain a WAN (Wide Area Network). These lines ranged from ISDN to OC3 fiber (optical carrier-3, 155 Mbps). A WAN has clear advantages over a public network such as the Internet in reliability, performance and security. But maintaining a WAN, especially over leased lines, can become too expensive when a business wants to add branches.
As the Internet became more widespread, businesses invested in it as a means of promoting and extending their own networks. At first these were internal networks (intranets), protected by passwords and designed for use only by members of the company.

Figure 1. Basic VPN model
Essentially, a VPN (virtual private network) is a private network that uses a shared network (usually the Internet) to connect sites (individual private networks) or many remote users. Instead of a real, dedicated connection such as a leased line, a VPN uses virtual connections routed over the Internet from the company's private network to the sites of remote employees.
The edge devices that support a VPN are switches, routers and firewalls. They can be managed by the company or by service providers.
A VPN is called a virtual network because it sets up a private network over a public one using temporary connections. These secure connections are established between two hosts, between a host and a network, or between two networks.
A VPN can be built using tunneling and encryption. A VPN can appear at any layer of the OSI model. A VPN is an improvement to WAN infrastructure that changes or extends the properties of local networks.
u i
V -
VPN reduces cost compared with a private network. The total cost of owning a VPN is lower because less is paid for leased line bandwidth, backbone network equipment and system operation. The cost of LAN-to-LAN connectivity falls by 20-30% compared with traditional leased lines, and for remote access it falls by 60-80%.
VPN brings flexibility to Internet management. VPNs are more flexible and more scalable in their network architecture than traditional WANs. This lets businesses quickly and economically add or remove connections for remote offices, mobile users and business partners as the need arises.
VPN simplifies management compared with owning and operating a private network. Businesses can outsource some or all of their WAN services and concentrate on their core business instead of managing a WAN or a remote dial-up network.
VPN provides tunneled network topologies and reduces management work. An IP backbone eliminates the fixed PVCs (Permanent Virtual Circuits) associated with connection-oriented protocols such as Frame Relay and ATM. This yields a full-mesh topology while reducing complexity and cost.

Figure 2. Comparison of Frame Relay and VPN connectivity
VPN deployment types
VPN addresses three basic requirements:
Access at any time, by remote control or mobile phone, and communication between an organization's employees and its network resources.
Connecting communications between remote branch offices.
Controlled access to network resources, when needed, for customers, suppliers and other parties important to the company, for the purpose of business cooperation.
Based on these basic needs, VPNs have developed and divided into three main types:
Remote Access VPN.
Intranet VPN.
Extranet VPN.
1.1.3.1. Remote Access VPN.
As the name suggests, Remote Access VPNs allow access at any time from the remote, mobile and communication devices of branch employees to the organization's network resources. They suit in particular users who travel frequently and branch offices that have no permanent connection to the corporate intranet.
Remote access VPNs usually require some kind of client software running on the user's computer. This type of VPN is commonly called a remote access VPN.

Figure 3. Remote Access VPN
By deploying Remote Access VPNs, remote users or branch offices only need to set up a local connection to an ISP or an ISP's POP and then reach resources through the Internet.
A V
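Remote Access VPNs do not guarantee quality of service.
The likelihood of data loss is very high, and fragments of a data packet can also be lost.
Because of the complexity of the encryption algorithm, protocol overhead increases considerably, which makes the verification process harder. In addition, compression of IP and PPP-based data is extremely slow and poor.
Because data has to travel over the Internet, exchanging large data such as media packets, video and audio is very slow.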
1.1.3.2. Intranet VPN.
An Intranet VPN is an internal VPN used to secure the connections between a company's different locations. It lets all locations access the permitted data sources across the whole company network. Intranet VPNs link headquarters, offices and branch offices over a shared infrastructure using connections that are always encrypted. This type of VPN is usually configured as a site-to-site VPN.

Figure 4. Intranet VPN
Intranet VPN:
Because data is still tunneled across the shared public Internet, threats such as denial-of-service attacks remain a risk to information security.
The likelihood of data loss while information is in transit is still very high.
In some cases, especially with high-end data such as multimedia files, data exchange is very slow because it travels over the Internet.
Because the connection relies on the Internet, performance is not continuous or consistent, and QoS is not guaranteed.
1.1.3.3. Extranet VPN.
I A-based, Extranet khng hon
-, E
, , ,
E
I
E ,

E I

I E
E


Figure 5. Extranet VPN
C V ,
,
V V
Site-to- V V
V
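Extranet VPN:
Security threats such as denial-of-service attacks still exist.
The risk of intrusion into the organization over the extranet increases.
Because it relies on the Internet, exchange of high-end data is slow.
Because it relies on the Internet, QoS is not consistently guaranteed.
VPN operating modes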
V
V
1.1.4.1. Transport mode.
, V I I

Figure 6. Packet format in VPN transport mode
V I V
D ,

1.1.4.2. Tunnel mode.
, I
V I

Figure 7. Packet format in VPN tunnel mode
V V I
V V
V -to-site.
,
V

V
C ff V ,

C V ,

VPN and the OSI model.
V
V C

Protocols operating at Layer 2: PPTP, L2TP.
Protocols operating at Layer 3: IPSec, GRE, MPLS.
Protocols operating at Layer 4: SSL, TLS.

1.1.5.1.1 PPTP (Point-to-Point Tunneling Protocol)
f V
W, W , , E, ,
X f V
cch an ton
-to-Point)
E f -to-Point Encryption)
, -to-
Poin ,
I, IX BEUI ;
A, CHA -CHAP.
V
,
f
V
T , C
,
I
trn trong m hnh OSI.
1.1.5.1.2. L2TP (Layer 2 Tunneling Protocol)
F C
f I
f, C
-to-
, ,
I
1.1.5.2. Protocols operating at Layer 3
1.1.5.2.1. GRE (Generic Routing Encapsulating)
G GE
/
D GE

B GE I

1.1.5.2.2. MPLS (MultiProtocol Layer Switch)
V , -V

V
V
V, V
ff
,
D ,
I
1.1.5.2.3. IPSec (Internet Protocol Security)
I , V
t I f, ,
v anti- I
C I V
1.1.5.3. Protocols operating at Layer 4

H
V Tuy nhin, SSL
IEF


(thng q ,
1.2.1. Dynamic Multipoint VPN technology.
1.2.1.1. M n khai DMVPN
DV , ,
V I GE

Figure 1.8. Dynamic Multipoint VPN
HUB
V V I
+ GE, HUB

-to-, I
D , S HUB
I, V , I
thnh thu bao.
HUB, , A
B G HUB


CU HUB C
HUB CU ,
Khi nhu ,
C

DV V DV, ,
f WA GE -to- V
GE
, ,
I I V GE ,
HUB

HUB, GE
HUB
router HUB
, , GE
, H
, DV V

1.2.1.2. V.
D V DV
I, GE H
I ,

GE i tin
GE
H G
I
I
Cc cng I DV
,
1.2.1.3. U V V
DV I V

G

B
H DV
-to-spoke IPSec
GE H
H I
ISP)
CHAPTER 2: FOUNDATIONS OF DMVPN TECHNOLOGY.
2.1. The IP Security (IPSec) protocol
IPSec concepts
I I IEF I
,
,

, I
C
, ,
f, V

I
,
C
,
,

I AH A
Header) v ESP (Encapsulating Security Payload).
AH provides data origin authentication, data integrity checking and an optional anti-replay service for IP packets sent between two systems.
ESP is a protocol that provides security for the packets being transmitted.

I IE I E

,
,
IPSec encapsulation

I
thng ,
AH E

,
4 I
I I

Figure 1. IP packet in transport mode
I


I E
li I IEF
I-V I

I G I I
, I I
I I I

Figure 2. IP packet in tunnel mode
, I
I I

2.1.2.2. The authentication protocol (AH).
2.1.2.2.1. G
G AH A H FC
FC AH
, ,
(anti-replay service).
,
Data integrity means checking each IP packet for changes, regardless of the packet's position in the traffic stream.
The anti-replay service checks whether a packet is delivered to the destination address more than once.
AH I
, I
pht c th ,
AH
AH I AH
, AH
E, AH

2.1.2.2.2. AH structure
C AH
I , I B AH
I,V
V


Figure 3. AH header structure for IPSec
AH
Next Header: identifies the type of data in the payload that follows AH. The value is chosen from the set of defined IP protocol numbers.
Payload Length: 8 bits long; it holds the length of the AH header expressed in 32-bit words, minus 2. For example, with an integrity algorithm that yields a 96-bit verification value (3 x 32 bits), plus the 3 fixed 32-bit words, this field has the value 4. With IPv6, the total header length must be a multiple of blocks of 8.
Reserved: this 16-bit field is reserved for future use.
Security Parameters Index (SPI): this field is 32 bits long and is mandatory.
Sequence Number: contains a counter value that increases by one each time a packet is sent. This field is mandatory. The sender always includes it, even when the receiver does not use the anti-replay service. The sender's and receiver's counters are initialized at the start, and the first packet has sequence number 1. If the anti-replay service is in use, this number must not repeat: the communication session has to be ended and a new SA established before 2^32 packets have been sent.

Authentication Data: also called the ICV (Integrity Check Value). Its length is variable and is a whole multiple of a fixed unit that differs between IPv4 and IPv6; it may contain padding to reach that multiple.
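
An added example (not from the original thesis): a Python parser for the AH fields described above, showing the Payload Length arithmetic (32-bit words minus 2) and a sliding-window anti-replay check on the Sequence Number. The 64-packet window, the SPI and the ICV bytes are constructed assumptions, and the ICV itself is not verified here.

```python
import struct
from dataclasses import dataclass

AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number


@dataclass
class AuthHeader:
    next_header: int
    payload_len: int   # AH length in 32-bit words, minus 2
    spi: int
    seq: int
    icv: bytes

    @property
    def total_len(self) -> int:
        """Length of the whole AH header in bytes."""
        return (self.payload_len + 2) * 4


def parse_ah(data: bytes, ipv6: bool = False) -> AuthHeader:
    """Parse an AH header found at the start of `data` and sanity-check it."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH: the fixed part is 12 bytes")
    next_header, payload_len, reserved, spi, seq = struct.unpack(
        "!BBHII", data[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    if total < AH_FIXED_LEN:
        raise ValueError("Payload Len too small to cover the fixed fields")
    if total > len(data):
        raise ValueError("Payload Len points past the end of the buffer")
    if ipv6 and total % 8:
        raise ValueError("IPv6 AH length must be a multiple of 8 bytes")
    if reserved != 0:
        raise ValueError("Reserved field must be zero")
    return AuthHeader(next_header, payload_len, spi, seq,
                      data[AH_FIXED_LEN:total])


class ReplayWindow:
    """Receiver-side anti-replay window (size is an assumption: 64)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is new. Call only after the ICV verified."""
        if seq == 0:
            return False                       # first valid number is 1
        if seq > self.highest:                 # window slides forward
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # older than the window
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset
        return True


def build_sample_ah(seq: int) -> bytes:
    """Constructed sample: 96-bit ICV, so Payload Len = 3 + 3 - 2 = 4."""
    icv = b"\xaa" * 12                         # placeholder, not a real MAC
    return struct.pack("!BBHII", 6, 4, 0, 0x00001234, seq) + icv


if __name__ == "__main__":
    ah = parse_ah(build_sample_ah(1))
    print(ah.total_len, len(ah.icv) * 8)
    window = ReplayWindow()
    for s in (1, 3, 2, 3):
        print(s, "accepted" if window.check_and_update(s) else "dropped")
```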

2.1.2.2.3. Q AH.
H AH
B I I

B AH ,

B G AH I
B B I ,

B B hash trong AH header.
B B AH
H
,

AH ,



2.1.2.2.3.1. Mode Transport
,
I , AH I
C, UD, IC I
I, AH I
C I, AH - - ,
-to-hop, routing v fragmentation.
C AH.

Figure 4. IP packet format before and after AH processing in transport mode

Figure 5. IP packet format before and after AH processing in transport mode
2.1.2.2.3.1. Mode Tunnel.
, I ,
I I , AH
I , I AH
I I AH


Figure 6. Packet format after AH processing in tunnel mode

2.1.2.3. The ESP (Encapsulating Security Payload) protocol
G
E FC FC
C AH, I G
, E
, ,

2.1.2.3.2. ESP packet structure.
H E AH , E
D E
AH E
H


Figure 7. ESP encapsulation

Figure 8. ESP packet format
E C
V nh
, E A
A C
ESP.
SPI (Security Parameters Index): an arbitrary 32-bit number which, together with the IP address and the ESP security protocol, uniquely identifies the SA for this packet. A range of SPI values starting at 0 is reserved. The SPI is normally chosen by the receiving side when the SA is established. The SPI is a mandatory field.
Sequence Number: the same as the Sequence Number field of AH.
Payload Data: this field is mandatory. It consists of a variable number of bytes of the original data, or of the part of the data that requires protection, as described by the Next Header field. It is encrypted with the encryption algorithm selected when the SA was established.
Padding (0-255 bytes): there are several reasons for this field to be present:
- If the encryption algorithm in use requires the plaintext to be a whole number of blocks of bytes (for example a block cipher), Padding is used to fill the plaintext (Payload Data, Pad Length, Next Header and Padding) up to the required size.
- Padding is also needed to ensure that the encrypted data (ciphertext) ends on a boundary, so that it is clearly delimited from the Authentication Data field.
- In addition, Padding can be used to conceal the true length of the payload, but this use has to be weighed carefully because it affects transmission bandwidth.
Pad Length: specifies the number of padding bytes that were added. Valid values begin at 0, and the field is mandatory.
Next Header: identifies the type of data carried in Payload Data, for example an extension header in IPv6 or the identifier of another upper-layer protocol. The value of this field is chosen from the set of IP protocol values defined by IANA. Next Header is a mandatory field.
Authentication Data: a variable-length field containing an integrity check value (ICV) computed over the whole ESP packet except the Authentication Data field. Its length depends on the authentication algorithm in use. The field is optional and is added only if the authentication service has been selected for the SA in question. The authentication algorithm must specify the ICV length and the comparison rules to apply when checking the integrity of the packet.
Q E
ES ,
2.1.2.3.3.1. Mode Transport.
, I
, E I
C, UD IC I
chn vo.
I, E I
C E , , H
I, E - - ,
-to-, f C
E , E
E ,
E C I FC

Figure 9. IP packet format before and after ESP processing in transport mode


Figure 10. IP packet format before and after ESP processing in transport mode
2.1.2.3.3.2. Mode Tunnel.
, I ,
I I , E
I , I I
E

Figure 11. Packet format after ESP processing in tunnel mode
2.1.3. IKE
IKE.
IE
I , IE

ISAKMP (The Internet Security Association and Key Management
Protocol) G ?
? ?
IA IA
i key.
O G Df-H DH
A DH

2.1.3.2. Cc phase ca IKE
IE ,
H ,
C

Figure 12. IPSec phases
IKE phase 1:
,
- DE, DE, AE
- D, HA-1)
- -shared key, RSA)
- Diffie-Hellman key group
Phase 1 has two modes: Main mode and Aggressive mode. While
A
IE A A
IE A
Phas
IE
X E A
X


IE
I A IE
IE A
I A I A ,
,
2.1.3.3. IKE modes
Main mode
ngang
C
A



Dff-H
public key

Aggressive mode
A A ,

B G , I,
Dff-Hellman.
B

B C

Quick mode
A
,

I A C Q
G I AH E
I
I A f A A
f , I A
Dff-Hellman.
I A IE A IE A
, I A
AH E,
Transport hay Tunnel mode,...
2.1.3.4. Nh a IKE
IE ,
I
DD D

, / D

A
A/A
IE f
C , I,
DNS v NetBIOS server.
X C I
X f
username/password, CHAP (Challenge Handshake Authentication Protocol),
OTP (one- /EY
2.2. The Generic Routing Encapsulation (GRE) protocol.
2.2.1. Introduction
GE G E C
I
,
I C IX, A
GE
C I, GE GE
I
GE ,

,

B GE ,
I, GE
Th g
C GE -I I
, GE
GE I
ff

I ,
, , ff
, GE

GE , -byte IP header
GE GE

,
U ,
f V
CU ,
tin khc.
GE GE

V t VPN.
GE
I, GE OF EIG I
I,
I I ,
I
GE GE
, I
V , GE I ;
I I GE
IPSec)
2.2.3. GRE header
GE , GE
f
GE , ,
GE f
GE B
GE
GRE header bit
0: checksum GE
2: key GE
3: Sequence number GE
13-15: GRE version GE ; PPTP
Table 2.1. GRE header options
C GE C
GE
l 1.
GE

GE , GE
V , GE
,

GE
G

Bits 13- GE
GE

GE
GE H
GE I

Figure 13. GRE header format
GE

2.2.4. GRE classification
GE GE
qua mi
I I
GE DV GE -
to-, GE

2.2.4.1. Point-to-Point GRE
-to-point GRE:

Figure 14. Point-to-Point GRE
GE -to- &
HUB ; , HUB
, I G
,

I
Trong tunnel GRE point-to-,
, ulticast
GE -to-
GE
2.2.4.2. Point-to-Multipoint GRE (mGRE)
, GE
GE V C IO
, GE,
G H
(Next Hop Resolution Protocol)

Figure 2.15. Point-to-Multipoint GRE (mGRE).
GE
GE BA
Frame-, A I

2.2.5. GRE over IPSec.
T
, I ,
GRE th , GE
I D ,
I GE
V GE I GE I

, I


I

f- V ,
f- GE I
[*]/ -and-
I GE ,

HUB H-and-;


, GE I ,

2.5.2.2. Operation
GE I GE I
C I , , C
I V GE I ,
, GE C , I
GRE over IPSec packet format:

Figure 16. GRE over IPSec packet format
, I GE I
I G
GE GE
I C , I

I
GE I , GE
I D
, I
2.3. The NHRP protocol
2.3.1. Introduction
H H DV
G FC
BA
A, F
H A A ,
BA V H,
BA BA,


Hh 17. Ht g NHRP
, / BA -
H , gi theo
tunnel R1-R2, R2- - Q
V
BA I
K H
C th g NHRP
H BA
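NHRP is an ARP-like protocol that allows Next-Hop Clients (NHCs) to
dynamically register the mapping between their tunnel IP address and their
NBMA IP address with a Next-Hop Server (NHS). This lets an NHC join the NBMA
network without configuration changes on the NHS, especially when the NHC has
a dynamically assigned physical IP address or sits behind a NAT router that
changes the physical IP address dynamically, because the address mapping for
the NHC cannot be reconfigured on the NHS each time the NHC's address changes.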
NHRP l mt giao thc phn gii, cho php mt NHC tm ra nh x a ch
I a ch IP NBMA ca NHC khc thuc cng mng NBMA
m ng. Nh , HC giao tip trc tip vi nhau, nn
traffic khng cn ph H m vi
CU H, mng NBMA c th
l a Hub.
NHRP packet format
H F, E C
FC
2.3.3.1. Fixed part
H F H, ,
H

Hh 18. h dg Heder Fixed NHRP
H F H
$f
ar$pro.type: a 16-bit unsigned integer field.
$ $ ,
V
$;
$ H H

$z H
ar$chksum: the standard IP checksum over the NHRP packet.
$ff H
$
$ $ H C

1 NHRP Resolution Request.
2 NHRP Resolution Reply.
3 NHRP Registration Request.
4 NHRP Registration Reply.
5 NHRP Purge Request.
6 NHRP Purge Reply.
7 NHRP Error Indication.
$ BA ,
vng afn.
$ BA ,
vng afn.
2.3.3.2. Mandatory part
H,
ff $ff
CIE C Ifn
Entry).
f
ID /,
BA
I /,
H,

Hh 19. h dg h Heder hug Mdtry
V CIE f, ,
BA ,


Hh 20. h dg CIE
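The fixed part, the start of the mandatory part and the CIE described above, as an added example (not code from the original thesis): a parser following the RFC 2332 layout that checks ar$pktsz and ar$chksum and extracts the address mapping carried in each CIE. It assumes IPv4 NBMA and protocol addresses and packet types 1 to 6; the packet is constructed here with the addresses, request ID and holding time from the Resolution Reply debug trace in the verification section of this document, without the authentication and other extensions a router would append.

```python
import ipaddress
import struct

NHRP_TYPES = {1: "Resolution Request", 2: "Resolution Reply", 3: "Registration Request",
              4: "Registration Reply", 5: "Purge Request", 6: "Purge Reply"}
# Fixed part (20 bytes): afn, pro.type, pro.snap, hopcnt, pktsz, chksum,
#                        extoff, op.version, op.type, shtl, sstl
FIXED = struct.Struct("!HH5sBHHHBBBB")
# Start of the mandatory part: src proto len, dst proto len, flags, request ID
COMMON = struct.Struct("!BBHI")
# CIE header: code, prefix len, unused, MTU, holding time,
#             client addr T/L, client subaddr T/L, client proto len, preference
CIE = struct.Struct("!BBHHHBBBB")


def ip_checksum(data: bytes) -> int:
    """Standard IP one's-complement checksum (the value ar$chksum carries)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _addr(raw: bytes):
    """Render a 4-byte address; an absent (zero-length) address becomes None."""
    if not raw:
        return None
    if len(raw) != 4:
        raise ValueError("only 4-byte IPv4 addresses are handled")
    return str(ipaddress.IPv4Address(raw))


def parse_nhrp(pkt: bytes) -> dict:
    """Parse an NHRP packet of type 1-6 and verify its size and checksum fields."""
    if len(pkt) < FIXED.size + COMMON.size:
        raise ValueError("truncated NHRP packet")
    afn, ptype, _snap, hop, size, _chk, extoff, ver, op, shtl, sstl = FIXED.unpack_from(pkt)
    if size != len(pkt):
        raise ValueError("ar$pktsz does not match the received length")
    if ver != 1 or op not in NHRP_TYPES:
        raise ValueError("unsupported NHRP version or packet type")
    if (afn, ptype) != (1, 0x0800):
        raise ValueError("only IPv4 NBMA and IPv4 protocol addresses are handled")
    splen, dplen, flags, reqid = COMMON.unpack_from(pkt, FIXED.size)
    off = FIXED.size + COMMON.size
    end = extoff or len(pkt)  # CIEs stop where the extensions part begins
    if not off <= end <= len(pkt):
        raise ValueError("ar$extoff is out of range")

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > end:
            raise ValueError("field runs past the mandatory part")
        chunk, off = pkt[off:off + n], off + n
        return chunk

    src_nbma, _sub = take(shtl & 0x3F), take(sstl & 0x3F)
    src_proto, dst_proto = take(splen), take(dplen)
    cies = []
    while off < end:
        code, prefix, _u, mtu, hold, atl, stl, plen, _pref = CIE.unpack(take(CIE.size))
        nbma, _s, proto = take(atl & 0x3F), take(stl & 0x3F), take(plen)
        cies.append({"code": code, "prefix": prefix, "mtu": mtu, "hold_time": hold,
                     "client_nbma": _addr(nbma), "client_protocol": _addr(proto)})
    return {"type": NHRP_TYPES[op], "hop_count": hop, "request_id": reqid, "flags": flags,
            "src_nbma": _addr(src_nbma), "src_protocol": _addr(src_proto),
            "dst_protocol": _addr(dst_proto), "cies": cies,
            "checksum_ok": ip_checksum(pkt) == 0}


def build_nhrp(op, src_nbma, src_proto, dst_proto, request_id, cies=()) -> bytes:
    """Build a constructed NHRP packet (IPv4, no extensions) to feed the parser."""
    pack = lambda a: ipaddress.IPv4Address(a).packed if a else b""
    body = COMMON.pack(4, 4, 0, request_id) + pack(src_nbma) + pack(src_proto) + pack(dst_proto)
    for prefix, mtu, hold, nbma, proto in cies:
        n, p = pack(nbma), pack(proto)
        body += CIE.pack(0, prefix, 0, mtu, hold, len(n), 0, len(p), 0) + n + p
    head = FIXED.pack(1, 0x0800, bytes(5), 255, FIXED.size + len(body), 0, 0, 1, op, 4, 0)
    checksum = struct.pack("!H", ip_checksum(head + body))
    return head[:12] + checksum + head[14:] + body


# Constructed sample mirroring the hub's Resolution Reply for 10.0.0.3.
REPLY = build_nhrp(2, "172.16.0.9", "10.0.0.2", "10.0.0.3", 994,
                   cies=[(32, 1514, 342, "172.16.0.13", "10.0.0.3")])

if __name__ == "__main__":
    print(parse_nhrp(REPLY))
```

A packet whose CIE was altered in transit still parses, but `checksum_ok` comes back false, which is the signal to discard the mapping instead of caching it.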
2.3.3.3. Extensions part
H ,
$z $ff ,
, , Value).

Hh 21. h dg h Extesis
V H
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
f -stable unique src-, reqid: 1012
src NBMA: 150.1.2.2
src protocol: 10.0.0.2, dst protocol: 10.0.0.3
(C-1) code: no error(0)
prefix: 32, mtu: 1514, hd_time: 242
addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
client NBMA: 150.1.3.3
client protocol: 10.0.0.3
1) (F) F , = , = I
, I
2) (M) C ->
G ID ,
,
request thnh cng.
3) (C-1) CIE
10.0.0.3 -> f = ,


2.3.4. NHRP packet types
H
Request NHRP registr HC H
I I BA HC H
H H HC HC
AC C
Request NHRP res BA

H
H
H H HC
st NHRP resolution.
H

H H
thnh cng.
I H
H
, H H
H
-to- H
DV C H
,
H
DV
NHRP operating mechanism
2.3.5.1. Building the hub-and-spoke network
V H, BA hub-and-
HC H H C
H V , H H ,
H ,
H I BA
H I
BA H C H HC
H / ,
H


Hh 22. Qu trh gi h NHRP Registrti
H H
1. A , H
H H H A
H -> 172.17.0.1).
2. Gi request BA
(10.0.0.11 -> A,
H=
3. H A
cache NHRP.
4. H H A
E A ,
H
2.3.5.2. Building spoke-to-spoke tunnels
H , H
H HC
I, D VC F
A HC H , H
CU BA,
BA
f- ,
-mesh.
V -
BA f
-to-,
V ,
-mesh,
H H

-to-, ff -
hub- B
spoke-to-

Hh 23. Vi h Next H Server
H
BA G A I
1. A
f H V H
2. A H
D, D
3. A H , A
router D l IP next hop NBMA.
4. V A I
D,

CHNG HOT NG C DMVPN
CHAPTER 3: DMVPN OPERATION.
3.1. How DMVPN operates.
, DV
C C IO f I+GE
V DV C

NHRP
- H H

-
- C H

mGRE
- C GE I
-
, I DV
DV I V,

C I H, C
H
, H
B
I
Tunnel spoke-to- mGRE.
C I A
I

Hh 1. Tunnel Hub-Spoke.

Q
1. G A

Hh 2 PC gi yu u
2. Spoke A looks up its routing table to find the destination network. The
routing table gives the next-hop address 10.0.0.12, reachable through
Spoke A's interface tunnel 0.

Hh 3 Ske tr u bg h tuy
3. Spoke A checks its NHRP mapping table and finds no mapping entry. It
therefore sends an NHRP resolution request to the NHS to resolve the
address 10.0.0.12.

Hh 4 Ske gi Request NHRP resolution
4. The NHS resolves the address to the public address 172.16.2.1. It then
sends an NHRP resolution reply to Spoke A.

Hh 5. Hub gi rey NHRP resuti
5. Spoke A receives the NHRP reply and adds it to its NHRP table. This
triggers IPSec to build a tunnel directly from Spoke A, using the public
address as the IPSec peer.

Hh 6 Ske t Tue tr ti vi Ske
6. B B, A
poke B.L ff

Hh 7 Ske gi d iu u Ske
7. C B
, A B
A A B


Hh 8 Ske gi d iu h Ske
8. , H , I
lm down tunnel spoke-to-

Hh 9 Tue khi h ht tie ut
3.2. Routing in DMVPN.
DV -to-
, H
H
H
C
EIGRP
- H- -Spoke.
- D , ,
OSPF
- H-
- , ,
RIP.
- H- -
- D , ,
ORD.
- H-,
Spoke-Spoke.
- , , ,

BGP.
- H- -
- D , , ,
EIG I -z GE H

OF, -to- GE
mGRE.
EIG
H
H
H EIG


Hh 10. Hub gi EIGRP Hello


H V con trn Hub
(192.168.0.0 ->
GE ,

3.3. DMVPN phases
C DV -
to-
3.3.1. Phase 1 - Th g hub d ske
, GE H H
B , I H H. Tuy
, GE -to- I
H, H
H Hb
, H
Phase ny khng dng cc tunnel spoke-to- C
-to- H
BA H H G
H ,
H

Hh 11. Ht g Hub d Ske trg hse
, HC -
to- H I H H
H BA,
H -> 172.17.0.1).
1. A I BA ->
H
2. H -> A

3. H
A B H
4. B A
3.3.2. Phase 2 - Th g ske-to-spoke
H -to-
H ,
-hub- BA
Trong phase ny, NHRP lm tunnel NHC-to-H

H I


IP next hop I
H H I
H H
H I -
I G H

,

H

V

Hh 12. Ht g Ske t Ske trg hse

, -to-
GE C
-> H BA A
l 10.0.0.11 -> H H
H , A
/ sau Spoke B.
1. A
/ B
2. V H ,

3. Spoke A H H
4. H H H
A -> 172.16.2.1).
5. A H
6. Spoke A xy I B
BA B
7. B
3.3.3. Phase 3 - Architecture and scalability
H HC-to-H
H H
H
I
ti H ,
H
H D
H poke
H
, D H H
H I
H
H H
I H
H BA
I H
H
H H
H , -to-
H -to-


H
H H C

H BA H
H
, H ,
D ff
trn tunnel spoke-to- H

Hh 13. Ht g Ske t Ske trg hse
, A
B
1. Spoke A tra H -hop v l lng

2. H A
host trong N2.
3. H H
4. H B H H
DV ff
H A H I

5. B
6. A ff H H
7. A ff H H
I ,
H
8. Request NHRP resolut A - Hub 1 - Spoke B.
H
B
9. B I
DV
10. Spoke B xy I A H
A H
f
B
11. Spoke A nh H
C
B
C -TS2, N2-
khi tunnel Spoke-to-
3.4. Differences between phase 3 and phase 2
DV H H
I I
DV I H dng cc gi NHRP registration.
ff ,
H H H BA
H H
tunnel spoke-to-

H
spoke-to-,
IP next- I V

Hub v Spoke.
OF
V DV ,
D BD,
D BD
O-Demand Routing (ODR), giao
f-route 0./ I - ,
-to-spoke.
DV, H
C H H , H

H H , H
-to-spoke.
V DV H- , H
H DV
,
H -to- ,

DV
E H
DV
C z H
C I
H
G H
C H
H
H H
C OF,
I H,
OF - C OF
point- D BD
Hub.
C OD
-to-
C DV
(tree- C ke-to-
DV
C CEF
khi tunnel spoke-to-

Hh 14. S kh hu gi hse v cc phase 2

3.5. Dynamic Multipoint VPN Dual Hub.
C D V Dual Hub:
Dual Hub Single DMVPN Layout.
Dual Hub Dual DMVPN Layout.
3.5.1. Dual Hub Single DMVPN Layout.
D H DV
D H Dual DMVPN Layout.
DV H
H

Hh 15. Single DMVPN Layout
H- H-1.
V H B
H H ff

H ff
f V
D H D DV
DMVPN.
3.5.2. Dual Hub Dual DMVPN Layout.
H
ip address ..., ip nhrp network-id, tunnel key ... tunnel destination.


Hh 16. Dual DMVPN Layout
V ff
f
D H DV V

3.6. DMVPN configuration.
GE I H ,
I f I GE
IPSec.
IPSec profile configuration
I f, f
crypto IPSec transform-set.
C I f
(1) Router(config)# crypto ipsec profile name
(2) Router(config-crypto-map)# set transform-set transform-set-name
(3) Router(config-crypto-map)# set security-association lifetime { seconds seconds | kilobytes kilobytes }
(4) Router(config-crypto-map)# set identity
(5) Router(config-crypto-map)# set pfs [ group1 | group2 ]
I
I H
name I f
f I f
transform-set-name f
O
IPSec profile.
O f I f
seconds seconds A ,
kilobyte kilobyte ff
I A seconds l 3600 giy.
O I F f
A I f
I - DH DH ,
-bit DH.
3.6.1. DMVPN single Hub.

Hh 17.Single Hub.
DMVPN hub configuration
GE I
I f
(1) Router(config)# interface tunnel number
(2) Router(config-if)# ip address ip-address mask [ secondary ]
(3) Router(config-if)# ip mtu byte
(4) Router(config-if)# ip nhrp authentication string
(5) Router(config-if)# ip nhrp map multicast dynamic
(6) Router(config-if)# ip nhrp network-id number
(7) Router(config-if)# ip nhrp redirect
(8) Router(config-if)# tunnel source { ip-address | type number }
(9) Router(config-if)# tunnel key key-number
(10) Router(config-if)# tunnel mode gre multipoint
(11) Router(config-if)# tunnel protection ipsec profile name
(12) Router(config-if)# bandwidth kbps
(13) Router(config-if)# ip tcp adjust-mss max-segment-size
(14) Router(config-if)# ip nhrp holdtime seconds
(15) Router(config-if)# delay number
f fation interface. Name
f f
I f H
DV
U I
interface.
f H C
H H DV

H
NHRP.
ID GE
ID
ID GE,
H number , number

ff ff
NHRP (dng cho phase 3).
f
O ID f key-number c gi
H
DV
GE f
I f name I
profile, name name crypto IPSec profile.
f G ,
EIG
z C
I U
, C I
f
BA
NHRP response, y (2

O EIG
, number
DMVPN spoke configuration
GE I

(1) Router(config)# interface tunnel number
(2) Router(config-if)# ip address ip-address mask [ secondary ]
(3) Router(config-if)# ip mtu byte
(4) Router(config-if)# ip nhrp authentication string
(5) Router(config-if)# ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
(6) Router(config-if)# ip nhrp map multicast hub-physical-ip-address
(7) Router(config-if)# ip nhrp nhs hub-tunnel-ip-address
(8) Router(config-if)# ip nhrp network-id number
(9) Router(config-if)# ip nhrp shortcut
(10) Router(config-if)# ip nhrp redirect
(11) Router (config-if)# tunnel source { ip-address | type number }
(12) Router (config-if)# tunnel key key-number
(13) Router(config-if)# tunnel mode gre multipoint
Router(config-if)# tunnel destination hub-physical-ip-address
(14) Router(config-if)# tunnel protection ipsec profile name
(15) Router(config-if)# bandwidth kbps
(16) Router(config-if)# ip tcp adjust-mss max-segment-size
(17) Router(config-if)# ip nhrp holdtime seconds
(18) Router(config-if)# delay number
I-to-BA
BA
H
H D GE
point-to-point.
H C H H
h (9) f dng cho phase 3).
h (0) ff redirect ff
NHRP (dng cho phase 3).
h () ff ff spoke-to-spoke
(dng cho phase 2 tr v sau, ff
tunnel hub-to-spoke (dng cho phase 1).
C H
V H
OSPF.
H D D OF
H
Hub: ip ospf priority 2
Spoke: ip ospf priority 0

3.6.2. Dual Hub Single DMVPN Layout

Hh 18. Dual-Hub-Single Layout.
C H H DV H
C H H C
Dual Hub DV H H ,
H H
H
(1) Router(config-if)# ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
(2) Router(config-if)# ip nhrp map multicast hub-physical-ip-address
(3) Router(config-if)# ip nhrp nhs hub-tunnel-ip-address

I-to-BA H
BA
H
H D GE
point-to-point.
H C H H H
2.
C DV H
H H next hop
server(NHS).
V :
Original:
ip nhrp map multicast 172.17.0.1
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp nhs 10.0.0.1
New:
ip nhrp map multicast 172.17.0.1
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.5
ip nhrp map 10.0.0.2 172.17.0.5
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.2
H H OF
f
Hub1:
interface tunnel0
...
ip ospf cost 10
...
Hub2:
interface tunnel0
...
ip ospf cost 20
...
H
ff.
V H H ff
V D H D DV

3.6.3. Dual Hub Dual DMVPN Layout.

Hh 19. Dual Hub- Dual DMVPN Layout
H H
H DV
IP subnet (10.0.0.0/24, 10.0.0.1/24)
NHRP network id (100000, 100001)
Tunnel key (100000, 100001)
C
GE f, ip address
..., ip nhrp network-id, tunnel key ... tunnel destination

V ff
H H
EIG

1. C delay tunnel interfaces
V ,
2. offset-list <access-list> out <offset> <interface>
H.
3.6.4. Verifying the DMVPN configuration
DV DV
DV DV
(1) clear dmvpn session [peer {nbma | tunnel} ip-address] [interface {tunnel number}] [vrf vrf-name] [static]
(2) clear dmvpn statistics [peer {nbma | tunnel} ip-address] [interface {tunnel number}] [vrf vrf-name]
(3) no ip nhrp map
(4) clear ip nhrp
(5) debug dmvpn {[{condition [unmatched] | [peer [nbma | tunnel {ip-address}]] | [vrf {vrf-name}] | [interface {tunnel number}]}] | [{error | detail | packet | all} {nhrp | crypto | tunnel | socket | all}]}
(6) debug nhrp
(7) debug nhrp options
(8) debug nhrp rate
(9) debug nhrp error
(10) logging dmvpn [rate-limit seconds]
(11) show crypto ipsec sa [active | standby]
(12) show crypto isakmp sa
(13) show crypto map
(14) show dmvpn [peer [nbma | tunnel {ip-address}] | [network {ip-address} {mask}]] [vrf {vrf-name}] [interface {tunnel number}] [detail] [static] [debug-condition]
(15) show ip nhrp [dynamic | static] [interface-type interface-number]
(16) show ip nhrp traffic
(17) show ip nhrp nhs [detail]
DV
lin quan DMVPN.


DV C DV
cao l : Error level, Detail level v Packet level.
, , H
H
DV
A
IE A


H
f
tin traffic NHRP.
H
3.7. Summary.
V
DV , DV
hub and spoke, ff
H V H,
DV
ff spoke-to-spoke
H
D ,
DV
,
H, H
V khng


CHNG THC NGHIM
CHAPTER 4: EXPERIMENT
4.1. Overview.
C



C ,
H

D
V D H

Hh 1 Tgy vt
4.2. Deployment.

Hh 2 M hh gi
DV V dynamic-mesh
H C DV GE, H I

a ch
/
phng trung tm), / /
phng chi nhnh).
I I, H


Network                             Addresses
central site                        192.168.0.0/24
site 1                              192.168.1.0/24
site 2                              192.168.2.0/24
DMVPN 1                             10.0.0.0/24
DMVPN 2                             10.0.1.0/24
link between Hub 1 and Internet     172.16.0.0/30
link between Hub 2 and Internet     172.16.0.4/30
link between SpokeA and Internet    172.16.0.8/30
link between SpokeB and Internet    172.16.0.12/30
g 1 h
4.2.2.Multipoint Generic Router Encapsulation mGRE
Router Hub 1

Interface tunnel 0
Ip /mask 10.0.0.1/26
Source IP S0/1
Dest IP -
Tunnel type GRE multipoint
g 2 Cu hh Tue Hub 1.

Router Hub 2

Interface tunnel 0
Ip /mask 10.0.1.1/26
Source IP S0/1
Dest IP -
Tunnel type GRE multipoint
g 3. Cu hh Tue Hub 2.


Router Spoke 1

Interface tunnel 0
Ip /mask 10.0.0.2/26
Source IP S1/0
Dest IP -
Tunnel type GRE multipoint
Interface tunnel 1 Ip /mask 10.0.1.2/26
Source IP S1/0
Dest IP -
Tunnel type GRE multipoint
g 4 Cu hh Tue Ske 1.
Router Spoke 2

Interface tunnel 0
Ip /mask 10.0.0.3/26
Source IP S0/1
Dest IP -
Tunnel type GRE multipoint
Interface tunnel 1 Ip /mask 10.0.1.3/26
Source IP S0/1
Dest IP -
Tunnel type GRE multipoint
g 5 Cu hh Tue Ske 2.

GE point-to-point H point-
to-point GE,
I C
H H ,
CU
IDB (Interface Descriptor Block) ring.
point-to-point l multipoint GE GE,
f GE ,
IDB, f f H
-GE
Hub 1:
interface Tunnel 0
 ip address 10.0.0.1 255.255.255.0
 !! mGRE packets are encapsulated and sent out of the physical interface
 tunnel source Serial0/1
 !! Enable mGRE mode
 tunnel mode gre multipoint
 !! Tunnel identification key, matched with the NHRP network-id
 tunnel key 1
Hub 2:
interface Tunnel 0
 !! 10.0.1.1 as in the Hub 2 tunnel table above (DMVPN 2 subnet)
 ip address 10.0.1.1 255.255.255.0
 !! mGRE packets are encapsulated and sent out of the physical interface
 tunnel source Serial0/1
 !! Enable mGRE mode
 tunnel mode gre multipoint
 !! Tunnel identification key, matched with the NHRP network-id
 tunnel key 2
Spoke 1:
interface Tunnel 0
 ip address 10.0.0.2 255.255.255.0
 tunnel source Serial0/1
 tunnel mode gre multipoint
 tunnel key 1
interface Tunnel 1
 ip address 10.0.1.2 255.255.255.0
 tunnel source Serial0/1
 tunnel mode gre multipoint
 tunnel key 2

Spoke 2:
interface Tunnel 0
 ip address 10.0.0.3 255.255.255.0
 tunnel source Serial0/1
 tunnel mode gre multipoint
 tunnel key 1
interface Tunnel 1
 ip address 10.0.1.3 255.255.255.0
 tunnel source Serial0/1
 tunnel mode gre multipoint
 tunnel key 2
Static routing
Hub 1 :
!! Default route to the ISP end of the 172.16.0.0/30 link (172.16.0.1 is the hub's own address)
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip route 10.0.0.0 255.255.255.0 Serial0/1
Hub 2 :
!! Default route to the ISP end of the 172.16.0.4/30 link (172.16.0.5 is the hub's own address)
ip route 0.0.0.0 0.0.0.0 172.16.0.6
ip route 10.0.1.0 255.255.255.0 Serial0/1
spoke 1:
!! Forward all traffic to the ISP next hop (172.16.0.9 is the spoke's own address)
ip route 0.0.0.0 0.0.0.0 172.16.0.10
spoke 2:
!! Forward all traffic to the ISP next hop (172.16.0.13 is the spoke's own address)
ip route 0.0.0.0 0.0.0.0 172.16.0.14
Dynamic routing
V

EIG
C G /
C -horizon.
GE
H , H ff

1. C delay tunnel interfaces
V ,
2. offset-list <access-list> out <offset> <interface>
H
Hub 1:
interface Tunnel 0
 delay 1000
 no ip split-horizon eigrp 1
 tunnel key 100000
router eigrp 1
 !! advertise the mGRE network
 network 10.0.0.0 0.0.0.255
 !! advertise the local network
 network 192.168.0.0
Hub 2:
interface Tunnel 0
 delay 1000
 no ip split-horizon eigrp 1
 tunnel key 100001
router eigrp 1
 !! advertise the mGRE network
 network 10.0.1.0 0.0.0.255
 !! advertise the local network
 network 192.168.0.0
Spoke 1:
interface Tunnel 0
 delay 1500
 tunnel key 100000

interface Tunnel 1
 delay 1000
 tunnel key 100001

router eigrp 1
 !! access-list 1, which selects the routes to offset, is not shown in this document
 offset-list 1 out 12800 Tunnel1
 !! advertise the mGRE networks
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 !! advertise the local network
 network 192.168.1.0

Spoke 2:
interface Tunnel 0
 delay 1500
 tunnel key 100000

interface Tunnel 1
 delay 1000
 tunnel key 100001

router eigrp 1
 !! access-list 1, which selects the routes to offset, is not shown in this document
 offset-list 1 out 12800 Tunnel1
 !! advertise the mGRE networks
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 !! advertise the local network
 network 192.168.2.0
4.2.5. Next Hop Resolution Protocol NHRP
, H
network- H C H

D H -, H
, H
H I I
/ H
I H
Hub 1:
interface Tunnel 0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
Hub 2:
interface Tunnel 0
 ip nhrp authentication cisco1
 ip nhrp map multicast dynamic
 ip nhrp network-id 100001
Spoke 1:
interface Tunnel 0
 ip nhrp authentication cisco
 ip nhrp map multicast 172.16.0.1
 ip nhrp map 10.0.0.1 172.16.0.1
 !! 100000 is Hub 1's NHRP network-id and the Tunnel 0 key
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1

interface Tunnel 1
 ip nhrp authentication cisco1
 ip nhrp map multicast 172.16.0.5
 ip nhrp map 10.0.1.1 172.16.0.5
 ip nhrp network-id 100001
 ip nhrp nhs 10.0.1.1
Spoke 2:
interface Tunnel 0
 ip nhrp authentication cisco
 ip nhrp map multicast 172.16.0.1
 ip nhrp map 10.0.0.1 172.16.0.1
 !! 100000 is Hub 1's NHRP network-id and the Tunnel 0 key
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1

interface Tunnel 1
 ip nhrp authentication cisco1
 ip nhrp map multicast 172.16.0.5
 ip nhrp map 10.0.1.1 172.16.0.5
 ip nhrp network-id 100001
 ip nhrp nhs 10.0.1.1
4.2.6. IPSec VPN
C I
f I GE
PHASE 1
IKE parameters
IKE seq          1
Authentication   pre-shared
Encryption       3des
DH               2
Hash             Sha
Lifetime         86400
Preshared Key    cisco
Addr.            -
PHASE 2
Profile          MyIPSecProfile
Transform set    MyTransform esp-3des esp-sha-hmac
Mode             Transport
!! IKE phase 1 - ISAKMP
crypto isakmp policy 1
 encryption 3des
 !! SHA, as listed in the IKE parameter table above
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!! IKE phase 2 - IPSec
crypto ipsec transform-set MyTransform esp-3des esp-sha-hmac
 mode transport
!! Define the IPSec profile
crypto ipsec profile MyIPSecProfile
 set transform-set MyTransform
Hub 1 :
!! Protect the mGRE tunnel with the IPSec profile defined above
interface Tunnel 0
 tunnel protection ipsec profile MyIPSecProfile
Hub 2 :
!! Protect the mGRE tunnel with the IPSec profile defined above
interface Tunnel 0
 tunnel protection ipsec profile MyIPSecProfile
Spoke 1 :
!! Protect the mGRE tunnels with the IPSec profile defined above
interface Tunnel 0
 tunnel protection ipsec profile MyIPSecProfile
interface Tunnel 1
 tunnel protection ipsec profile MyIPSecProfile
Spoke 2 :
!! Protect the mGRE tunnels with the IPSec profile defined above
interface Tunnel 0
 tunnel protection ipsec profile MyIPSecProfile
interface Tunnel 1
 tunnel protection ipsec profile MyIPSecProfile
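A review aid for the IPSec and tunnel settings of this section, added here as an example (not code from the original thesis): a small auditor that reads an IOS configuration and reports legacy IKE and ESP algorithms, a pre-shared key accepted from any peer address, an mGRE tunnel with no IPSec protection, and a tunnel that references a profile name that is never defined. The finding codes, the weak-algorithm sets and both sample configurations are assumptions of this example; the first sample is constructed from this section's commands with a mismatched profile name left in, and the parser expects the indentation that `show running-config` produces.

```python
import re

# Thresholds below are this example's assumptions about what counts as weak.
WEAK_IKE_CIPHERS = {"des", "3des"}
WEAK_IKE_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
PROTECTION = re.compile(r"tunnel\s+protection\s+ipsec\s+profile\s+(\S+)", re.I)
WILDCARD = re.compile(r"\baddress\s+0\.0\.0\.0(\s+0\.0\.0\.0)?\s*$", re.I)


def sections(config):
    """Yield (top-level command, [indented sub-commands]) from IOS config text."""
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0].isspace() and current:
            current[1].append(raw.strip())
        else:
            if current:
                yield current
            current = (raw.strip(), [])
    if current:
        yield current


def audit(config):
    """Return (code, detail) findings for the crypto and tunnel settings."""
    findings, profiles, tunnels = [], set(), []
    for head, body in sections(config):
        words = head.lower().split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            for cmd in body:
                w = cmd.lower().split()
                if len(w) < 2:
                    continue
                if w[0] == "encryption" and w[1] in WEAK_IKE_CIPHERS:
                    findings.append(("WEAK_IKE_CIPHER", w[1]))
                elif w[0] == "hash" and w[1] in WEAK_IKE_HASHES:
                    findings.append(("WEAK_IKE_HASH", w[1]))
                elif w[0] == "group" and w[1] in WEAK_DH_GROUPS:
                    findings.append(("WEAK_DH_GROUP", w[1]))
        elif words[:3] == ["crypto", "isakmp", "key"] and WILDCARD.search(head):
            findings.append(("WILDCARD_PSK", "key accepted from any peer address"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 3:
            for transform in words[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append(("WEAK_TRANSFORM", f"{head.split()[3]}: {transform}"))
        elif words[:3] == ["crypto", "ipsec", "profile"] and len(words) > 3:
            profiles.add(head.split()[3])
        elif words[:1] == ["interface"] and "".join(words[1:]).startswith("tunnel"):
            mgre = any(c.lower().split() == ["tunnel", "mode", "gre", "multipoint"] for c in body)
            match = next(filter(None, map(PROTECTION.match, body)), None)
            tunnels.append(("".join(head.split()[1:]), mgre, match.group(1) if match else None))
    # Profiles can be defined after the interface, so resolve references last.
    for name, mgre, profile in tunnels:
        if profile is None and mgre:
            findings.append(("UNPROTECTED_MGRE", name))
        elif profile is not None and profile not in profiles:
            findings.append(("UNDEFINED_PROFILE", f"{name}: {profile}"))
    return findings


# Constructed sample modelled on this section's commands.
SAMPLE_WEAK = """\
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MyTransform esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyIPSecProfile
 set transform-set MyTransform
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSecProfile
interface Tunnel1
 tunnel mode gre multipoint
"""

# Constructed spoke-side sample with stronger settings and a placeholder key.
SAMPLE_HARDENED = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 EXAMPLE-KEY-NOT-REAL address 172.16.0.1
crypto ipsec transform-set MyTransform esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile MyIPSecProfile
 set transform-set MyTransform
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MyIPSecProfile
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_WEAK):
        print(f"{code}: {detail}")
```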


4.3. Verifying the configuration
Verifying the hub configuration
, f 0/ /
sh ip interface brief :
Hub_1#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.0.1 YES NVRAM up up
Serial0/0 172.16.0.1 YES NVRAM up up
Tunnel0 10.0.0.1 YES NVRAM up up
D sh ip nhrp
I I BA H H
Hub_1#sh ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:10:41, expire
01:49:18
Type: dynamic, Flags: unique registered
NBMA address: 172.16.0.9
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:10:42, expire
01:49:17
Type: dynamic, Flags: unique registered
NBMA address: 172.16.0.13
D sh ip route
Hub_1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B -
BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF
inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA
external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2
- IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-
user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.0.2 to network 0.0.0.0

172.16.0.0/30 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
C 192.168.0.0/24 is directly connected, FastEthernet0/0
D 192.168.1.0/24 [90/2944000] via 10.0.0.2, 00:04:18,
Tunnel0
D 192.168.2.0/24 [90/2944000] via 10.0.0.3, 00:04:16,
Tunnel0
S* 0.0.0.0/0 [1/0] via 172.16.0.2

D ping
Hub_1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
128/144/172 ms
Verifying the spoke configuration

SPOKE_2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B -
BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF
inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA
external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2
- IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-
user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.16.0.14 to network 0.0.0.0
172.16.0.0/30 is subnetted, 1 subnets
C 172.16.0.12 is directly connected, Serial0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.0.0 is directly connected, Tunnel0
C 10.0.1.0 is directly connected, Tunnel1
D 192.168.0.0/24 [90/2969600] via 10.0.1.1, 00:11:58,
Tunnel1
[90/2969600] via 10.0.0.1, 00:11:58,
Tunnel0
D 192.168.1.0/24 [90/3328000] via 10.0.0.2, 00:11:58,
Tunnel0
C 192.168.2.0/24 is directly connected, Loopback0
S* 0.0.0.0/0 [1/0] via 172.16.0.14

nh ping
,
- D debug nhrp v
debug nhrp packet
Spoke_1#debug nhrp
NHRP protocol debugging is on
SpokeA#debug nhrp packet
NHRP activity debugging is on
A request NHRP resolution B
A
cho ip tunnel ny.
Spoke_1#
NHRP: Attempting to send packet via DEST 10.0.0.3
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size:
81
src: 10.0.0.2, dst: 10.0.0.3
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "router auth src-stable", reqid: 994
src NBMA: 172.16.0.9
src protocol: 10.0.0.2, dst protocol: 10.0.0.3
(C-1) code: no error(0)
prefix: 0, mtu: 1514, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0,
pref: 0
NHRP: Encapsulation failed for destination 10.0.0.3 out
Tunnel0
, A request NHRP resolution H
BA
Spoke_1#
NHRP: Attempting to send packet via NHS 10.0.0.1
NHRP: Encapsulation succeeded. Tunnel IP addr 172.16.0.5
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size:
81
src: 10.0.0.2, dst: 10.0.0.1
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "router auth src-stable", reqid: 994
src NBMA: 172.16.0.9
src protocol: 10.0.0.2, dst protocol: 10.0.0.3
(C-1) code: no error(0)
prefix: 0, mtu: 1514, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0,
pref: 0
NHRP: 81 byte out Tunnel0
H reply NHRP resolution A
10.0.0.3. Gi reply ,
CIE
Hub_1#
NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size:
109
src: 10.0.0.1, dst: 10.0.0.2
(F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
(M) flags: "router auth dst-stable unique src-stable",
reqid: 994
src NBMA: 172.16.0.9
src protocol: 10.0.0.2, dst protocol: 10.0.0.3
(C-1) code: no error(0)
prefix: 32, mtu: 1514, hd_time: 342
addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4,
pref: 0
client NBMA: 172.16.0.13
client protocol: 10.0.0.3
NHRP: 109 byte out Tunnel0

H
, ff

SPOKE_1#sh ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:46:43, never
expire
Type: static, Flags: authoritative used
NBMA address: 172.16.0.5
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:56:05, expire
00:00:54
Type: dynamic, Flags: router
NBMA address: 172.16.0.13
PHN T UN





CONCLUSION SECTION


CONCLUSION
H DV I V

BA DV I, GE
H DV ,

I
DV,
V ,
DV
I ,
GE ,
H
, H DV
,
DV G

, DV V ,
,
Q DV, DV A,
H, DV H
DV
V ,
,

, ,
Q ,
DV V
,



PHN CUI H UN






THESIS END MATTER

ABBREVIATIONS

3DES (Triple DES)
ACL (Access Control List)
AES (Advanced Encryption Standard)
AH (Authentication Header)
ARP (Address Resolution Protocol)
ATM (Asynchronous Transfer Mode)
CEF (Cisco Express Forwarding)
CHAP (Challenge Handshake Authentication Protocol)
CIE (Client Information Entry)
CPU (Central Processing Unit)
DES (Data Encryption Standard)
DNS (Domain Name System)
DH (Diffie-Hellman)
DMVPN (Dynamic Multipoint Virtual Private Network)
DPD (Dead Peer Detection)
EIGRP (Enhanced Interior Gateway Routing Protocol)
ESP (Encapsulating Security Payload)
FIB (Forwarding Information Base)
GRE (Generic Routing Encapsulation)
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer)
HMAC (Hash-based Message Authentication Code)
ID (Identification)
IDB (Interface Descriptor Block)
IKE (Internet Key Exchange)
IP (Internet Protocol)
IPSec (Internet Protocol Security)
ISAKMP (The Internet Security Association and Key Management Protocol)
IETF (Internet Engineering Task Force)
IPv4 (Internet Protocol version 4)
ISP (Internet Service Provider)
IOS (Internetwork Operating System)
L2F (Layer 2 Forwarding)
L2TP (Layer 2 Tunneling Protocol)
mGRE (multipoint Generic Routing Encapsulation)
MSS (maximum segment size)
MPLS (Multiprotocol Label Switching)
MPPE (Microsoft Point-to-Point Encryption)
MTU (Maximum Transmission Unit)
NBMA (Nonbroadcast Multiaccess)
NetBIOS (Network Basic Input/Output System)
NHC (Next Hop Client)
NHS (Next Hop Server)
NHRP (Next Hop Resolution Protocol)
NAT (Network Address Translation)
NAS (Network Attached Storage)
ODR (On-Demand Routing)
OSI (Open Systems Interconnection Reference Model)
OTP (one-time password)
OSPF (Open Shortest Path First)
PAT (Port Address Translation)
PFS (Perfect Forward Secrecy)
PPTP (Point-to-Point Tunneling Protocol)
RIB (Routing Information Base)
RIP (Routing Information Protocol)
RFC (Request for Comments)
RSA (Rivest, Shamir, and Adleman)
SVC (Switched Virtual Circuit)
SSL (Secure Sockets Layer)
S/KEY (secure key)
SA (Security Association)
SHA-1 (Secure Hash Algorithm 1)
TLS (Transport Layer Security)
TCP/IP (Transmission Control Protocol/Internet Protocol)
UDP (User Datagram Protocol)
VPN (Virtual Private Network)
VPDN (Virtual Private Dialup Network)
Xauth (Extended Authentication)
REFERENCES
[1]. http://cciethebeginning.wordpress.com/tag/dmvpn/
[2]. http://www.cisco.com/go/dmvpn
[3]. http://tools.ietf.org/html/rfc2332
[4]. http://vnpro.com
[5]. http://blog.internetworkexpert.com/2008/08/02/dmvpn-explained/
[6]. http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_nhrp.html
[7]. http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html
[8]. http://www.search.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.htm
[] B Q, Q , Tm hiu cng ngh VPN v ci t
trn thit b Cisco,
[10]. Jon C.Snader, VPNs Illustrated - Tunnels, VPNs, and IPSec, Addison Wesley
Professional, 2005, chapter 5
[11]. Brian Morgan, CCIE No.6865 and Neil Lovering, CCIE No. 1772, CCNP
ISCW Official Exam Certification Guide, Cisco Press, 197 - 443
[12]. Greg Bastien, Sara Nasseh and Christian Abera Degu, CCSP SNRS Exam
Certification Guide, Cisco Press,2005, chapter 19- 22
[13]. Mark Lewis - CCIE No. 6280, Comparing, Designing and Deploying VPNs,
Cisco Press, 2006, chapter 1, 4
[14]. James Henry Carmouche - CCIE No. 6085, IPSec Virtual Private Network
Fundamentals, Cisco Press, 2006, chapter 1- 4
[15]. Vijay Bollapragada, Mohamed Khalid, Scot Wainner, IPSec VPN Design,
Cisco Press, 2005, chapter 1-2
[16]. Richard Deal, The Complete Cisco VPN Configuration Guide, Cisco Press,
2005, chapter 1-5
[17]. Anne Henmi, Firewall Policies and VPN Configurations, Syspress, 267-270
