In this previous session, we discussed MPLS, DMVPN basic to advance, and IPSec. I am assuming you are familiar with these topics. in this section are going to configure IPsec Over DMVPN.
1. Introduction of MPLS
2.What is MPLS Label distributing protocol (LDP) ? How LDP works?
3.how to configure MPLS LDP Peering ?
4.What is MPLS L3 VPN ? How to configure?
5.How to configure MPLS L3 VPN with RIPv2 ?
6.How to configure MPLS L3 VPN with EIGRP ?
7.How to configure MPLS L3 VPN with OSPF ?
8.What is OSPF Sham Links? how to configure OSPF Sham Links?
let's see the configuration:-
Topology:-
R1(config)#interface serial 4/0
R1(config-if)#ip address 12.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R2(config)#interface serial 4/0
R2(config-if)#ip address 12.1.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 4/1
R2(config-if)#ip address 23.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 20.1.1.1 255.255.255.0
R2(config-if)#no keepalive
R2(config-if)#exit
R2(config)#interface serial 4/2
R2(config-if)#ip address 24.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 4/1
R2(config-if)#ip address 23.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R3(config)#interface serial 4/1
R3(config-if)#ip address 23.1.1.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface loopback 0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#exit
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 30.1.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit
R4(config)#interface serial 4/2
R4(config-if)#ip address 24.1.1.2 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface fastEthernet 0/0
R4(config-if)#ip address 40.1.1.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit
R4(config)#interface loopback 0
R4(config-if)#ip address 192.168.30.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2
R1(config)#exit
R2(config)#ip route 192.168.10.0 255.255.255.0 12.1.1.1.
R2(config)#ip route 10.1.1.0 255.255.255.0 12.1.1.1
R2(config)#ip route 192.168.30.0 255.255.255.0 23.1.1.2
R2(config)#ip route 30.1.1.0 255.255.255.0 23.1.1.2
R2(config)#ip route 40.1.1.0 255.255.255.0 24.1.1.2
R2(config)#ip route 192.168.40.0 255.255.255.0 24.1.1.2
R2(config)#ip route 24.1.1.0 255.255.255.0 24.1.1.2
R2(config)#ip route 23.1.1.0 255.255.255.0 2.1.1.2
R2(config)#ip route 23.1.1.0 255.255.255.0 23.1.1.2
R2(config)#ip route 12.1.1.0 255.255.255.0 12.1.1.1
R2(config)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.1
R3(config)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 24.1.1.1
R4(config)#exit
R1(config)#interface tunnel 4321
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#tunnel source 12.1.1.1
R1(config-if)#tunnel mode gre multipoint
*Oct 23 15:53:38.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up
R1(config-if)#ip nhrp network-id 1
R1(config-if)#exit
R3(config)#interface tunnel 4321
*Oct 23 15:53:52.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to down
R3(config-if)#ip address 192.168.1.3 255.255.255.0
R3(config-if)#tunnel source 23.1.1.2
R3(config-if)#tunnel destination 12.1.1.1
*Oct 23 15:54:23.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up
R3(config-if)#ip nhrp network-id 2
R3(config-if)#ip nhrp nhs 192.168.1.1
R3(config-if)#ip nhrp map 192.168.1.1 12.1.1.1
R3(config-if)#exit
R4(config)#interface tunnel 4321
*Oct 23 15:55:05.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to down
R4(config-if)#ip address 192.168.1.4 255.255.255.0
R4(config-if)#tunnel source 24.1.1.2
R4(config-if)#tunnel destination 12.1.1.1
*Oct 23 15:55:40.667: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4321, changed state to up
R4(config-if)#ip nhrp network-id 3
R4(config-if)#ip nhrp nhs 192.168.1.1
R4(config-if)#ip nhrp map 192.168.1.1 12.1.1.1
R4(config-if)#exit
R1(config)#interface tunnel 4321
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 10.0.0.0 255.0.0.0 area 0
R1(config-router)#network 192.168.1.0 255.0.0.0 area 0
R1(config-router)#exit
R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 30.0.0.0 255.0.0.0 area 0
R3(config-router)#network 192.168.1.0 255.0.0.0 area 0
R3(config-router)#exit
R3(config)#interface tunnel 4321
R3(config-if)#ip ospf network point-to-mult
R3(config-if)#ip ospf network point-to-multipoint
R3(config-if)#exit
R4(config)#router ospf 1
R4(config-router)#router-id 4.4.4.4
R4(config-router)#network 40.0.0.0 255.0.0.0 area 0
R4(config-router)#network 192.168.1.0 255.0.0.0 area 0
R4(config-router)#exit
R4(config)#interface tunnel 4321
R4(config-if)#ip ospf network point-to-mul
R4(config-if)#ip ospf network point-to-multipoint
R4(config-if)#exit
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 mpls123 address 0.0.0.0
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 5
R3(config-isakmp)#exit
R1(config)#crypto isakmp key 0 mpls123 address 0.0.0.0
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encryption aes
R4(config-isakmp)#hash sha
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 5
R4(config-isakmp)#exit
{You can configure more specific IP address of the peers but we are using address 0.0.0.0}
R1(config)#crypto isakmp key 0 mpls123 address 23.1.1.2
R1(config)#crypto isakmp key 0 mpls123 address 24.1.1.2
R3(config)#crypto isakmp key 0 mpls123 address 12.1.1.1
R3(config)#crypto isakmp key 0 mpls123 address 24.1.1.2
R4(config)#crypto isakmp key 0 mpls123 address 12.1.1.1
R4(config)#crypto isakmp key 0 mpls123 address 23.1.1.2
R1(config)#crypto isakmp key 0 mpls123 address 0.0.0.0
R1#
*Oct 23 16:08:14.239: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Tunnel4321 from LOADING to FULL, Loading Done
R1#
*Oct 23 16:08:23.587: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel4321 from LOADING to FULL, Loading Don
R1(config)#crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R3(config)#crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit
R4(config)#crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#exit
R1(config)#crypto IPsec profile INTERNETWORKS
R1(ipsec-profile)#set transform-set MYSET
R1(ipsec-profile)#exit
R1(config)#interface tunnel 4321
R1(config-if)#tunnel protection IPsec profile INTERNETWORKS
R1(config-if)#EXIT
*Oct 23 16:12:45.259: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#crypto IPsec profile INTERNETWORKS
R3(ipsec-profile)#set transform-set MYSET
R3(ipsec-profile)#exit
R3(config)#interface tunnel 4321
R3(config-if)#tunnel protection IPsec profile INTERNETWORKS
R3(config-if)#EXIT
*Oct 23 16:12:45.259: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config)#crypto IPsec profile INTERNETWORKS
R4(ipsec-profile)#set transform-set MYSET
R4(ipsec-profile)#exit
R4(config)#interface tunnel 4321
R4(config-if)#tunnel protection IPsec profile INTERNETWORKS
R4(config-if)#EXIT
*Oct 23 16:12:45.259: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#show crypto session
Crypto session current status
Interface: Tunnel4321
Session status: UP-ACTIVE
Peer: 24.1.1.2 port 500
IKEv1 SA: local 12.1.1.1/500 remote 24.1.1.2/500 Active
IPSEC FLOW: permit 47 host 12.1.1.1 host 24.1.1.2
Active SAs: 4, origin: crypto map
Interface: Tunnel4321
Session status: UP-ACTIVE
Peer: 23.1.1.2 port 500
IKEv1 SA: local 12.1.1.1/500 remote 23.1.1.2/500 Active
IPSEC FLOW: permit 47 host 12.1.1.1 host 23.1.1.2
Active SAs: 4, origin: crypto map
R3#show crypto session
Crypto session current status
Interface: Tunnel4321
Session status: UP-ACTIVE
Peer: 12.1.1.1 port 500
IKEv1 SA: local 23.1.1.2/500 remote 12.1.1.1/500 Active
IPSEC FLOW: permit 47 host 23.1.1.2 host 12.1.1.1
Active SAs: 4, origin: crypto map
R4#show crypto session
Crypto session current status
Interface: Tunnel4321
Session status: UP-ACTIVE
Peer: 12.1.1.1 port 500
IKEv1 SA: local 24.1.1.2/500 remote 12.1.1.1/500 Active
IPSEC FLOW: permit 47 host 24.1.1.2 host 12.1.1.1
Active SAs: 4, origin: crypto map
R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel4321, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 23.1.1.2 192.168.1.3 UP 01:34:52 D
1 24.1.1.2 192.168.1.4 UP 01:33:09 D
R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel4321, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 12.1.1.1 192.168.1.1 UP 00:46:35 S
R4#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel4321, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 12.1.1.1 192.168.1.1 UP 00:46:45 S
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set MYSET: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },
R3#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set MYSET: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },
R4#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set MYSET: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },
R1#ping 192.168.1.3 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/65/88 ms
R1#ping 192.168.1.4 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/69/112 ms
R4#ping 192.168.1.1 source 40.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 40.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/67/92 ms
R4#ping 192.168.1.3 source 40.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 40.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/79/84 ms
R1#show crypto ipsec profile
IPSEC profile INTERNETWORKS
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
MYSET: { esp-3des esp-md5-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
R3#show crypto ipsec profile
IPSEC profile INTERNETWORKS
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
MYSET: { esp-3des esp-md5-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
R4#show crypto IPsec profile
IPSEC profile INTERNETWORKS
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
MYSET: { esp-3des esp-md5-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
No comments:
Post a Comment