dmvpn 实例 +dhcp+rtr+route-map 实用配置 上海和北京 2 个 spoke 点（ cisco831)我在机房用一台设备做 hub.公网ip 后来编辑的有点乱大家对照 top 图看吧dmvpn 配置大家都熟悉的，路由策略大家看 top 图就清楚了，不过路由怎么走，包括做的 NAT,花了我很长时间叶请教了资深的 CCIE，经过测试 ok现在拿出来和大家分享ios ver:c831-k9o3sy6-mz.124-4.T4.bin机房 hub config (相关配置）crypto isakmp policy 1authentication pre-sharecrypto isakmp key asiavest address 0.0.0.0 0.0.0.0no crypto isakmp ccmcrypto ipsec transform-set set2 esp-des esp-md5-hmac mode transport!crypto ipsec profile vpn-profset transform-set set2 !interface Tunnel1bandwidth 512ip address 10.255.255.1 255.255.255.0no ip redirectsip nat insideip nhrp authentication asiavestip nhrp map multicast dynamicip nhrp network-id 66ip nhrp holdtime 300ip virtual-reassemblyip policy route-map bj-xxxdelay 100000tunnel source FastEthernet0/1tunnel mode gre multipointtunnel key 6tunnel protection ipsec profile vpn-prof!interface FastEthernet0/0ip address 210.243.aa.xx 255.255.255.224ip nat outsideip virtual-reassemblyduplex autospeed 10!interface FastEthernet0/1ip address 210.17.bb.yy 255.255.255.224duplex autospeed auto!no ip classlessip route 0.0.0.0 0.0.0.0 210.17.bb.cccip route 192.168.1.0 255.255.255.0 10.255.255.3ip route 192.168.2.0 255.255.255.0 10.255.255.2ip route 218.242.dd.ff 255.255.255.255 210.17.bb.cccip route 222.66.94.zz 255.255.255.252 210.17.bb.ccc!ip http serverno ip http secure-serverip nat inside source list natuse interface FastEthernet0/0 overload!ip access-list extended natusepermit ip 192.168.1.0 0.0.0.255 anypermit ip 192.168.2.0 0.0.0.255 any!access-list 115 deny ip 192.168.1.0 0.0.0.255 192.0.0.0 0.255.255.255access-list 115 deny ip 192.168.2.0 0.0.0.255 192.0.0.0 0.255.255.255access-list 115 permit ip 192.168.1.0 0.0.0.255 anyaccess-list 115 permit ip 192.168.2.0 0.0.0.255 any!route-map bj-xxx permit 10match ip address 115set ip next-hop 210.243.hh.gg!北京 831 配置北京采用 adsl connect internet!no ip dhcp use vrf connectedip dhcp excluded-address 192.168.2.32 192.168.2.254!ip dhcp pool zimport allnetwork 192.168.2.0 255.255.255.0dns-server 202.145.138.200 202.145.138.1 210.82.8.1 210.82.5.1 default-router 192.168.2.254 netbios-node-type h-node!ip cefip sla 1icmp-echo 10.255.255.1 source-ip 10.255.255.2timeout 2000frequency 30ip sla schedule 1 start-time nowvpdn enable!track 1 rtr 1 reachability! !crypto isakmp policy 1authentication pre-sharecrypto isakmp key asiavest address 0.0.0.0 0.0.0.0!crypto ipsec transform-set set2 esp-des esp-md5-hmac mode transport!crypto ipsec profile vpn-profset transform-set set2 !interface Tunnel1bandwidth 512ip address 10.255.255.2 255.255.255.0no ip redirectsip nhrp authentication asiavestip nhrp map 10.255.255.1 210.17.bb.yyip nhrp map multicast 210.17.bb.yyip nhrp network-id 66ip nhrp holdtime 300ip nhrp nhs 10.255.255.1load-interval 30delay 100000tunnel source Ethernet1tunnel mode gre multipointtunnel key 6tunnel protection ipsec profile vpn-prof!interface Ethernet0ip address 192.168.2.254 255.255.255.0ip nat insideip virtual-reassemblyip tcp adjust-mss 1344ip policy route-map xxx!interface Ethernet1description WAN conn ADSL Modemip address dhcpduplex auto!interface Ethernet2no ip addressshutdown!interface FastEthernet1duplex autospeed auto!interface FastEthernet2duplex autospeed auto!interface FastEthernet3duplex autospeed auto!interface FastEthernet4duplex autospeed auto!interface Dialer1no ip address!ip classless!ip http serverno ip http secure-server!ip nat inside source list 199 interface Dialer1 overload!access-list 100 permit ip 192.168.2.0 0.0.0.255 anyaccess-list 199 permit ip 192.168.2.0 0.0.0.255 any!route-map xxx permit 10match ip address 100set ip next-hop 10.255.255.1上海-831 有固定 ipno ip dhcp use vrf connectedip dhcp excluded-address 192.168.1.1 192.168.1.10!ip dhcp pool zimport allnetwork 192.168.1.0 255.255.255.0dns-server 202.145.138.200 202.145.138.1 210.82.8.1 210.82.5.1 default-router 192.168.1.1 netbios-node-type h-node!ip cefip sla 1icmp-echo 10.255.255.1 source-ip 10.255.255.3timeout 2000frequency 30ip sla schedule 1 start-time nowvpdn enable!track 1 rtr 1 reachability! !crypto isakmp policy 1authentication pre-sharecrypto isakmp key asiavest address 0.0.0.0 0.0.0.0!crypto ipsec transform-set set2 esp-des esp-md5-hmac mode transport!crypto ipsec profile vpn-profset transform-set set2 !interface Tunnel1bandwidth 512ip address 10.255.255.3 255.255.255.0no ip redirectsip nhrp authentication asiavestip nhrp map 10.255.255.1 210.17.bb.yyyip nhrp map multicast 210.17.bb.yyyip nhrp network-id 66ip nhrp holdtime 300ip nhrp nhs 10.255.255.1load-interval 30delay 100000tunnel source Ethernet1tunnel mode gre multipointtunnel key 6tunnel protection ipsec profile vpn-prof!interface Ethernet0ip address 192.168.1.1 255.255.255.0ip nat insideip virtual-reassemblyip tcp adjust-mss 1344ip policy route-map yyy!interface Ethernet1description WAN conn ip address 222.66.aa.bb 255.255.255.252duplex auto!interface Ethernet2no ip addressshutdown!interface FastEthernet1duplex autospeed auto