Hello!
DMVPN (Dynamic Multipoint Virtual Private Network) is a way to build VPNs between multiple sites over dynamic tunnels. The solution uses three protocols: GRE, NHRP and IPsec.
This technology lets companies connect their offices to headquarters while keeping costs low, configuration simple and flexibility high.
In DMVPN one central router takes the HUB role and the rest take the SPOKE role; the spokes connect to the HUB. It consists mainly of two designs:
DMVPN Hub & Spoke, used to connect headquarters (HUB) with the remote offices (SPOKES).
DMVPN Spoke-to-Spoke, used to interconnect the remote offices (SPOKES) with each other.
Let's look at an example design and configuration:
[HQ]
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key prueba1 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set IPROOT esp-3des esp-md5-hmac
!
crypto ipsec profile proteccion-gre
 set security-association lifetime seconds 86400
 set transform-set IPROOT
!
interface Tunnel0
 description tunel mGRE-DMVPN
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication auten1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 174.22.15.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile proteccion-gre
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0
 duplex half
!
interface GigabitEthernet1/0
 description WAN
 ip address 174.22.15.1 255.255.255.252
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
[B1]
!
hostname B1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key prueba1 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set IPROOT esp-3des esp-md5-hmac
!
crypto ipsec profile proteccion-gre
 set security-association lifetime seconds 86400
 set transform-set IPROOT
!
interface Tunnel0
 description tunel mGRE-DMVPN
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication auten1
 ip nhrp map multicast dynamic
 ip nhrp map multicast 174.22.15.1
 ip nhrp map 10.0.0.1 174.22.15.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile proteccion-gre
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.252
 duplex half
!
interface GigabitEthernet1/0
 description WAN
 ip address 175.22.15.1 255.255.255.252
 negotiation auto
!
interface POS2/0
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0
ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
[B2]
!
hostname B2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key prueba1 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set IPROOT esp-3des esp-md5-hmac
!
! the profile must reference the transform-set defined above (IPROOT)
crypto ipsec profile proteccion-gre
 set security-association lifetime seconds 86400
 set transform-set IPROOT
!
interface Tunnel0
 description tunel mGRE-DMVPN
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp authentication auten1
 ip nhrp map multicast dynamic
 ip nhrp map multicast 174.22.15.1
 ip nhrp map 10.0.0.1 174.22.15.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile proteccion-gre
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.252
 duplex half
!
interface GigabitEthernet1/0
 description WAN
 ip address 176.22.15.1 255.255.255.252
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0
ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
[B3]
!
hostname B3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key prueba1 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set IPROOT esp-3des esp-md5-hmac
!
! the profile must reference the transform-set defined above (IPROOT)
crypto ipsec profile proteccion-gre
 set security-association lifetime seconds 86400
 set transform-set IPROOT
!
interface Tunnel0
 description tunel mGRE-DMVPN
 ip address 10.0.0.4 255.255.255.0
 no ip redirects
 ip nhrp authentication auten1
 ip nhrp map multicast dynamic
 ip nhrp map multicast 174.22.15.1
 ip nhrp map 10.0.0.1 174.22.15.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile proteccion-gre
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.3.1 255.255.255.252
 duplex half
!
interface GigabitEthernet1/0
 description WAN
 ip address 177.22.15.1 255.255.255.252
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0
ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
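A DMVPN cloud only comes up when a handful of values agree between hub and spokes: the spoke's NHS and its static NHRP map must point at the hub's tunnel address and NBMA (WAN) address, the NHRP network-id and authentication string must match, and the IPsec profile named under `tunnel protection` must reference a transform-set that actually exists. As an added example (not part of the original post, and not Cisco tooling), the following Python script reads IOS running-config text of the kind shown above and reports those mismatches, and also flags the legacy algorithms this lab uses (3DES, MD5, DH group 2) and the wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`), which lets any peer that knows the key negotiate an IKE SA. The embedded configs are constructed, condensed copies of the HQ and B2 configurations; all function names are the example's own.

```python
# Hypothetical DMVPN config checker (example code, not Cisco tooling).
import re

LEGACY = ("encr des", "encr 3des", "hash md5", "group 1", "group 2", "esp-des", "esp-3des", "esp-md5-hmac")

# Constructed, condensed copies of the HQ and B2 configurations from the post.
HUB = """\
crypto ipsec transform-set IPROOT esp-3des esp-md5-hmac
crypto ipsec profile proteccion-gre
 set transform-set IPROOT
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication auten1
 ip nhrp network-id 1
 tunnel source 174.22.15.1
 tunnel protection ipsec profile proteccion-gre
"""
SPOKE_B2 = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key prueba1 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set IPROOT esp-3des esp-md5-hmac
crypto ipsec profile proteccion-gre
 set transform-set TS
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 ip nhrp authentication auten1
 ip nhrp map 10.0.0.1 174.22.15.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet1/0
 tunnel protection ipsec profile proteccion-gre
"""

def parse_ios(config):
    """Extract transform sets, IPsec profiles and interfaces from 'show run' text."""
    cfg, ctx = {"transform_sets": {}, "profiles": {}, "ifaces": {}}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] != " ":                        # top-level command opens a new context
            ctx = None
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
                cfg["transform_sets"][m[1]] = m[2].split()
            elif m := re.match(r"crypto ipsec profile (\S+)$", line):
                ctx = cfg["profiles"].setdefault(m[1], {})
            elif m := re.match(r"interface (\S+)$", line):
                ctx = cfg["ifaces"].setdefault(m[1], {})
        elif ctx is not None:                    # indented line: sub-command of ctx
            if m := re.match(r"set transform-set (\S+)$", line):
                ctx["transform_set"] = m[1]
            elif m := re.match(r"ip address (\S+) \S+$", line):
                ctx["ip"] = m[1]
            elif m := re.match(r"ip nhrp map (\d+\.\d+\.\d+\.\d+) (\S+)$", line):
                ctx.setdefault("nhrp_map", {})[m[1]] = m[2]   # tunnel IP -> NBMA address
            elif m := re.match(r"ip nhrp (authentication|network-id|nhs) (\S+)$", line):
                ctx[m[1]] = m[2]
            elif m := re.match(r"tunnel (source|protection) (?:ipsec profile )?(\S+)$", line):
                ctx[m[1]] = m[2]
    cfg["tunnel"] = next((d for n, d in cfg["ifaces"].items() if n.startswith("Tunnel")), {})
    return cfg

def check_site(config, role):
    """Checks that need one router's config only; returns (parsed cfg, findings)."""
    cfg, out = parse_ios(config), []
    legacy = [t for t in LEGACY if re.search(rf"(^|\s){re.escape(t)}(\s|$)", config)]
    if legacy:
        out.append(f"{role}: legacy crypto in use: {', '.join(legacy)}")
    if re.search(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", config):
        out.append(f"{role}: ISAKMP key bound to 0.0.0.0/0, so any peer holding it is accepted")
    prof_name = cfg["tunnel"].get("protection")
    prof = cfg["profiles"].get(prof_name)
    if prof is None:
        out.append(f"{role}: tunnel protection names undefined profile {prof_name!r}")
    elif prof.get("transform_set") not in cfg["transform_sets"]:
        out.append(f"{role}: profile {prof_name} names undefined transform-set "
                   f"{prof.get('transform_set')!r}")
    return cfg, out

def check_pair(hub_config, spoke_config, name):
    """Spoke site checks plus the hub/spoke agreement that NHRP registration needs."""
    hub, _ = check_site(hub_config, "hub")
    spoke, out = check_site(spoke_config, name)
    h, s = hub["tunnel"], spoke["tunnel"]
    for key in ("network-id", "authentication"):
        if h.get(key) != s.get(key):
            out.append(f"{name}: ip nhrp {key} {s.get(key)!r} differs from hub {h.get(key)!r}")
    if s.get("nhs") != h.get("ip"):
        out.append(f"{name}: ip nhrp nhs {s.get('nhs')} is not the hub tunnel address {h.get('ip')}")
    src = h.get("source", "")                    # hub NBMA: a literal IP or an interface name
    hub_nbma = src if re.fullmatch(r"[\d.]+", src) else hub["ifaces"].get(src, {}).get("ip")
    if s.get("nhrp_map", {}).get(h.get("ip")) != hub_nbma:
        out.append(f"{name}: missing 'ip nhrp map {h.get('ip')} {hub_nbma}'")
    return out

if __name__ == "__main__":
    print(*check_pair(HUB, SPOKE_B2, "B2"), sep="\n")
```

Run against the condensed B2 it reports three findings: the legacy algorithms, the wildcard pre-shared key, and the `set transform-set TS` line that names a transform-set the router never defines. The parser relies on the one-space indentation that `show running-config` prints for sub-commands, so feed it real config output rather than text that has been flattened onto a single line.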
Contact: iproot@outlook.com