现任明教教主DMVPN的3G链路备份

试验拓扑：

最近和一个Cisco的姐们聊天，她给我介绍了这样一种情况，就是一台ISR871的小路由器，上面配置了DMVPN的Spoke端，并且有两条上行链路，一条是以太网，另外一条是3G链路，3G链路主要任务是为了备份以太网。开始觉得这个应该挺简单的，但是她要求只能使用一个Tunnel口，并且3G链路由于按照流量收费，所以正常情况不能使用，只能用于备份。如何按需的修改tunnel口的源就是一个很大的问题，正常tunnel source是以太网，以太网出现问题要把tunnel source修改到3G接口。感觉很难实现，最初的时候我准备使用环回口+nat的方式来完成这个任务，但是多次调试都以失败告终。后来在非常无助的情况下，有一个再外企工作的哥们提醒了我，叫我使用sla+eem，昨天一试还真是好使，并且通过对各种超时时间的修改（多次调试后得到的结果），最终实现了两条链路的快速切换。我感觉这个题材确实很不错，准备把这个题作为Yeslab安全实验室的一套攻击思考题来使用。上面那个图就是这个攻击思考题的全图，我下面的配置仅仅只是介绍Spoke1和Hub1的DMVPN链路备份配置。要看到整套攻击思考题大家只能到Yeslab来学习了。

安全CCIE8月15日之后，已经连续一次PASS 8人了！再次祝贺他们！

DMVPN链路备份试验配置：
hostname Hub
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
! 
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile ipsecprof
set transform-set cisco
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.100.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.100 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 3
ip hold-time eigrp 100 10
no ip next-hop-self eigrp 100
ip nhrp map multicast dynamic
ip nhrp network-id 10
no ip split-horizon eigrp 100
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ipsecprof
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet3/0
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.100.0
no auto-summary
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
************************************************
hostname Internet
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
! 
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
! 
!
!
!
!
interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 61.128.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 61.128.2.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet3/0
no ip address
shutdown
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
!
!
!
!
!
!
control-plane
!
!
!
! 
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
**************************************************
hostname Spoke1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
! 
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile ipsecprof
set transform-set cisco
!
!
!
!
!
track 1 rtr 1 reachability
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
--------------注意各种超时时间的配置
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 100 3
ip hold-time eigrp 100 10
ip nhrp map multicast 202.100.1.1
ip nhrp map 172.16.1.100 202.100.1.1
ip nhrp network-id 10
ip nhrp holdtime 10
ip nhrp nhs 172.16.1.100
ip nhrp registration timeout 10
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ipsecprof
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 61.128.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 61.128.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet3/0
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10 253 track 1
ip route 0.0.0.0 0.0.0.0 61.128.2.10 254
!
!
!
--------------SLA配置
ip sla 1
icmp-echo 61.128.1.10 source-interface FastEthernet1/0
timeout 1000
frequency 1
ip sla schedule 1 life forever start-time now
!
!
!
!
control-plane
!
!
! 
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
--------------EEM配置
event manager applet SLA-Down
event track 1 state down
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface Tunnel0"
action 1.3 cli command "shutdown"
action 1.4 cli command "tunnel source FastEthernet2/0"
event manager applet SLA-UP
event track 1 state up
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface Tunnel0"
action 1.3 cli command "shutdown"
action 1.4 cli command "tunnel source FastEthernet1/0"
event manager applet NO-SHUT-TUNNL0
event syslog pattern "Interface Tunnel0, changed state to down"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface Tunnel0"
action 1.3 cli command "no shutdown"
!
end

我的试验环境没有3G网络，所以没法配置3G，但是我给出那个姐妹给我的3G配置实例作为补充：
chat-script gsm "" "ATDT*99#" TIMEOUT 60 "CONNECT"
!
interface Cellular0
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string gsm
dialer-group 1
async mode interactive
ppp chap hostname UNINET
ppp chap password 0 UNINET
ppp ipcp dns request
!
access-list 1 permit any
dialer-list 1 protocol ip list 1
!
line 3
script dialer gsm
!

 

本文转自Yeslab教主 51CTO博客，原文链接:http://blog.51cto.com/xrmjjz/686509