DMVPN
Refer to "Diagram 4 VPN technology".
Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following requirements:
- Use the preconfigured interface Tunnel0 on all three routers in order to accomplish this task.
- R17 must be the hub router.
- R18 and R19 must be the spokes and must participate in the NHRP information exchange.
- Disable the sending of ICMP redirect messages on all three tunnel interfaces.
Configure the following parameters on all three tunnel interfaces:
- Configure the bandwidth to 1000 kilobits per second.
- Configure the delay to 10000 microseconds.
- Adjust the IP MTU to 1400 bytes.
- Adjust the TCP maximum segment size to 1360 bytes.
- Authenticate NHRP using the string "45678key" (without quotes).
- Use the NHRP network-id 45678.
- Configure the NHRP hold time to 5 minutes.
- Ensure that spoke-to-spoke traffic does not transit via the hub.
R17
====
R17(config)#interface Tunnel0
R17(config-if)# ip address 10.18.19.1 255.255.255.0
R17(config-if)# no ip redirects
R17(config-if)# ip pim sparse-mode
R17(config-if)# tunnel source 203.3.17.2
R17(config-if)# tunnel mode gre multipoint
R17(config-if)# bandwidth 1000
R17(config-if)# delay 1000
R17(config-if)# ip mtu 1400
R17(config-if)# ip tcp adjust-mss 1360
R17(config-if)# ip nhrp network-id 45678
R17(config-if)# ip nhrp authentication 45678key
R17(config-if)# ip nhrp holdtime 300
R17(config-if)# ip nhrp map multicast dynamic
R17(config-if)# ip nhrp redirect
R17(config-if)# tunnel key 45678
Note: the IOS delay command is entered in tens of microseconds, so delay 1000 equals the required 10000 microseconds; the NHRP hold time is entered in seconds, so 300 equals 5 minutes. On the hub, ip nhrp redirect is what triggers the phase 3 spoke-to-spoke shortcut.
R18
====
R18(config)#interface Tunnel0
R18(config-if)# ip address 10.18.19.18 255.255.255.0
R18(config-if)# no ip redirects
R18(config-if)# ip pim sparse-mode
R18(config-if)# tunnel source Serial4/0
R18(config-if)# tunnel mode gre multipoint
R18(config-if)# bandwidth 1000
R18(config-if)# delay 1000
R18(config-if)# ip tcp adjust-mss 1360
R18(config-if)# ip mtu 1400
R18(config-if)# ip nhrp shortcut
R18(config-if)# ip nhrp map 10.18.19.1 203.3.17.2
R18(config-if)# ip nhrp map multicast 203.3.17.2
R18(config-if)# ip nhrp network-id 45678
R18(config-if)# ip nhrp authentication 45678key
R18(config-if)# ip nhrp nhs 10.18.19.1
R18(config-if)# tunnel key 45678
R18(config-if)# ip nhrp holdtime 300
R19
====
R19(config)#interface Tunnel0
R19(config-if)# ip address 10.18.19.19 255.255.255.0
R19(config-if)# no ip redirects
R19(config-if)# bandwidth 1000
R19(config-if)# ip mtu 1400
R19(config-if)# ip pim sparse-mode
R19(config-if)# ip nhrp authentication 45678key
R19(config-if)# ip nhrp map 10.18.19.1 203.3.17.2
R19(config-if)# ip nhrp map multicast 203.3.17.2
R19(config-if)# ip nhrp network-id 45678
R19(config-if)# ip nhrp holdtime 300
R19(config-if)# ip nhrp nhs 10.18.19.1
R19(config-if)# ip nhrp shortcut
R19(config-if)# ip tcp adjust-mss 1360
R19(config-if)# delay 1000
R19(config-if)# tunnel source Serial4/0
R19(config-if)# tunnel mode gre multipoint
R19(config-if)# tunnel key 45678
R17 (EIGRP on the hub)
====
R17(config)#router eigrp CCIE
R17(config-router)# address-family ipv4 unicast autonomous-system 45678
R17(config-router-af)# af-interface Tunnel0
R17(config-router-af-interface)# no split-horizon
DMVPN Encryption
Refer to "Diagram 4 VPN technology".
Secure the DMVPN tunnel using IPsec according to the following requirements.
Configure IKE phase 1 as per the following:
- Use AES encryption with the pre-shared key "CCIE" (without quotes).
- The key must appear in plain text in the config.
- All IPsec tunnels must be authenticated using the same IKE phase 1 pre-shared key.
- Use 1024 bits for the key exchange using the Diffie-Hellman algorithm.
- Configure a single policy using priority 10.
- Ensure that the ISAKMP key lookup is done in the VRF LOCALSP. Use a crypto keyring to accomplish this requirement.
Configure IKE phase 2 as per the following requirements:
- Use CCIEXFORM as the transform set name.
- Use DMVPNPROFILE as the IPsec profile name.
- Use IPsec in transport mode.
- Use the IPsec protocol ESP and the AES algorithm with 128 bits.
- Ensure that the DMVPN cloud is secured using the above parameters.
- Use tunnel protection in your config.
R17
====
R17(config)#crypto isakmp policy 10
R17(config-isakmp)# authentication pre-share
R17(config-isakmp)# encryption aes
R17(config-isakmp)# group 2
R17(config)#crypto keyring CCIE vrf LOCALSP
R17(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE
R17(config)#crypto ipsec transform-set CCIEXFORM esp-aes 128
R17(cfg-crypto-trans)# mode transport
R17(config)#crypto ipsec profile DMVPNPROFILE
R17(ipsec-profile)# set transform-set CCIEXFORM
R17(config)#interface Tunnel0
R17(config-if)# tunnel vrf LOCALSP
R17(config-if)# tunnel protection ipsec profile DMVPNPROFILE
Note: group 2 is the 1024-bit Diffie-Hellman group, and the 0.0.0.0 0.0.0.0 wildcard lets every peer use the same pre-shared key. The keyring is bound to VRF LOCALSP and tunnel vrf LOCALSP places the GRE/IPsec outer packets in that VRF, so the ISAKMP key lookup happens in the VRF where the peers' source addresses live.
R18
====
R18(config)#crypto isakmp policy 10
R18(config-isakmp)# encr aes
R18(config-isakmp)# authentication pre-share
R18(config-isakmp)# group 2
R18(config)#crypto keyring CCIE vrf LOCALSP
R18(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE
R18(config)#crypto ipsec transform-set CCIEXFORM esp-aes 128
R18(cfg-crypto-trans)# mode transport
R18(config)#crypto ipsec profile DMVPNPROFILE
R18(ipsec-profile)# set transform-set CCIEXFORM
R18(config)#interface Tunnel0
R18(config-if)# tunnel vrf LOCALSP
R18(config-if)# tunnel protection ipsec profile DMVPNPROFILE
R19
====
R19(config)#crypto isakmp policy 10
R19(config-isakmp)# encr aes
R19(config-isakmp)# authentication pre-share
R19(config-isakmp)# group 2
R19(config)#crypto keyring CCIE vrf LOCALSP
R19(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE
R19(config)#crypto ipsec transform-set CCIEXFORM esp-aes 128
R19(cfg-crypto-trans)# mode transport
R19(config)#crypto ipsec profile DMVPNPROFILE
R19(ipsec-profile)# set transform-set CCIEXFORM
R19(config)#interface Tunnel0
R19(config-if)# tunnel vrf LOCALSP
R19(config-if)# tunnel protection ipsec profile DMVPNPROFILE
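Both task lists above (the DMVPN phase 3 tunnel parameters and the IKE/IPsec parameters) are easy to get subtly wrong, so the following is an added example of a compliance check that is not part of the original lab write-up. It parses an IOS-style running-config into sections and verifies every requirement stated on this page, including the derived ones (delay entered in tens of microseconds, hold time in seconds, MSS equal to MTU minus 40 bytes of IP and TCP header, redirect on the hub versus shortcut on the spokes). The sample config is constructed from the R18 spoke commands above; the SPOKE_CONFIG, WEAK_CONFIG, parse_sections and check_dmvpn names are this example's own.

```python
"""Compliance check for the DMVPN phase 3 + IPsec requirements on this page.
Added example, not part of the lab write-up; parses an IOS-style config."""
import re
from typing import Dict, List

# Constructed running-config for a spoke, modelled on the R18 commands above.
# IOS `delay` is in tens of microseconds, so 1000 == the required 10000 us.
SPOKE_CONFIG = """\
crypto keyring CCIE vrf LOCALSP
 pre-shared-key address 0.0.0.0 0.0.0.0 key CCIE
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set CCIEXFORM esp-aes 128
 mode transport
crypto ipsec profile DMVPNPROFILE
 set transform-set CCIEXFORM
interface Tunnel0
 bandwidth 1000
 ip address 10.18.19.18 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 45678key
 ip nhrp map 10.18.19.1 203.3.17.2
 ip nhrp map multicast 203.3.17.2
 ip nhrp network-id 45678
 ip nhrp holdtime 300
 ip nhrp nhs 10.18.19.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial4/0
 tunnel mode gre multipoint
 tunnel key 45678
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPNPROFILE
"""
# Constructed non-compliant variant: redirects left on, weaker IKE cipher.
WEAK_CONFIG = SPOKE_CONFIG.replace(" no ip redirects\n", "").replace(" encr aes", " encr 3des")


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group an IOS config into {section header: [indented child lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def check_dmvpn(config: str, role: str = "spoke") -> List[str]:
    """Return the list of requirement violations (empty list == compliant)."""
    s = parse_sections(config)
    problems: List[str] = []
    tun = s.get("interface Tunnel0")
    if tun is None:
        return ["interface Tunnel0 missing"]

    # Tunnel interface requirements, exactly as the task states them.
    required_if = {
        "bandwidth 1000": "bandwidth must be 1000 kbit/s",
        "delay 1000": "delay must be 10000 us (IOS value 1000, tens of us)",
        "ip mtu 1400": "ip mtu must be 1400",
        "ip tcp adjust-mss 1360": "TCP MSS must be 1360",
        "no ip redirects": "ICMP redirects must be disabled",
        "ip nhrp authentication 45678key": "NHRP auth string must be 45678key",
        "ip nhrp network-id 45678": "NHRP network-id must be 45678",
        "ip nhrp holdtime 300": "NHRP holdtime must be 300 s (5 minutes)",
        "tunnel mode gre multipoint": "tunnel must be mGRE",
        "tunnel protection ipsec profile DMVPNPROFILE": "tunnel protection missing",
        "tunnel vrf LOCALSP": "tunnel vrf LOCALSP missing (fVRF key lookup)",
    }
    # Phase 3: the hub sends NHRP redirects, the spokes install shortcuts.
    required_if["ip nhrp redirect" if role == "hub" else "ip nhrp shortcut"] = \
        "phase 3 NHRP redirect/shortcut missing"
    problems += [f"Tunnel0: {msg}" for line, msg in required_if.items() if line not in tun]

    # MSS must leave room for a 20-byte IP and 20-byte TCP header inside the MTU.
    mtu = next((int(l.split()[2]) for l in tun if l.startswith("ip mtu ")), None)
    mss = next((int(l.split()[3]) for l in tun if l.startswith("ip tcp adjust-mss ")), None)
    if mtu is not None and mss is not None and mss != mtu - 40:
        problems.append(f"Tunnel0: MSS {mss} != MTU {mtu} - 40")

    # IKE phase 1: a single policy 10 with AES, pre-shared auth and DH group 2.
    pol = s.get("crypto isakmp policy 10")
    if pol is None:
        problems.append("crypto isakmp policy 10 missing")
    else:
        if not any(l in ("encr aes", "encryption aes") for l in pol):
            problems.append("policy 10: encryption must be AES")
        if "authentication pre-share" not in pol:
            problems.append("policy 10: pre-shared authentication missing")
        if "group 2" not in pol:
            problems.append("policy 10: DH group 2 (1024-bit) required")
    extra = [h for h in s if h.startswith("crypto isakmp policy ") and h != "crypto isakmp policy 10"]
    if extra:
        problems.append(f"single policy required, found {extra}")

    # Keyring bound to VRF LOCALSP holding the wildcard plain-text key CCIE.
    keyring = s.get("crypto keyring CCIE vrf LOCALSP") or []
    if not any(re.fullmatch(r"pre-shared-key address 0\.0\.0\.0( 0\.0\.0\.0)? key CCIE", l)
               for l in keyring):
        problems.append("keyring CCIE in vrf LOCALSP with plain-text key CCIE missing")

    # IKE phase 2: ESP-AES-128 transform set in transport mode, referenced by the profile.
    ts = s.get("crypto ipsec transform-set CCIEXFORM esp-aes 128")
    if ts is None or "mode transport" not in ts:
        problems.append("transform-set CCIEXFORM esp-aes 128 in transport mode missing")
    prof = s.get("crypto ipsec profile DMVPNPROFILE")
    if prof is None or "set transform-set CCIEXFORM" not in prof:
        problems.append("ipsec profile DMVPNPROFILE must reference CCIEXFORM")
    return problems


if __name__ == "__main__":
    print("spoke:", check_dmvpn(SPOKE_CONFIG) or "compliant")
    print("weak: ", check_dmvpn(WEAK_CONFIG))
```

Run it against the output of show running-config from each router (role="hub" for R17); an empty list means every requirement on this page is met, and each string in a non-empty list names the specific tunnel, IKE or IPsec parameter that deviates, which is quicker than re-reading the config line by line.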